Honeypots mailing list archives
Re: Honeypot article
From: "R. Anthony Kolstee" <tkolstee () idealcorp com>
Date: 24 Jan 2003 16:40:48 -0500
From the paper:

> I ran into a small problem during this process, as SSH encrypts all of the data being passed between the honeypot and my IDS.

Tracing the system calls made by sshd can reveal the contents of sessions. Test this theory with:

    strace -p ${SSHD_PID} -f -e trace=read,write -e read=4 -e write=6

The output is ugly, but it works...

Couldn't this be turned into an automated tool for honeypot systems that detects the presence of an sshd daemon and taps it automatically? I know that honeypot systems are kept as close to default installations as possible, but this feature would prove extremely valuable. If the intruder had erased his history file in the analysis referenced above, half the analysis would be at best much harder to perform.

There is some precedent with the trojaned versions of bash that some honeypot admins use. A modified sshd is too easily replaced by a rootkit (as is a modified bash, for that matter). Maybe a nice unobtrusive kernel module? One that "knows" how to identify file descriptors that might be "interesting" and monitors all read/write syscalls involving them.

Is there anything currently out there that resembles this notion at all?

--
Tony Kolstee
Systems Administrator/Trainer
__________________________________________________
I.D.E.A.L. Technology Corporation - Orlando Office
http://www.idealcorp.com - 407.999.9870 x10
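The "automated tool" the post asks about, sketched as an added example (this is not Tony's code and not part of the original message): a poll loop that finds per-session sshd children, skips any process that already has a tracer attached, and starts the post's strace invocation against each new one, writing to a per-PID log. It assumes Linux (`/proc/<pid>/status` with its `TracerPid` field), a `ps` that accepts `-eo pid=,ppid=,comm=`, `strace` on the honeypot, root privileges, and a hypothetical log directory `/var/log/sshtap`; the `-e read=4 -e write=6` descriptor numbers are copied from the post and may not match a given sshd build, and `-s 4096` is added so string arguments are not truncated.

```shell
#!/bin/sh
# Added example: automatically tap sshd sessions with strace on a honeypot.
# Not from the original post. Assumes Linux /proc, strace, and root.

STRACE_OPTS="-f -s 4096 -e trace=read,write -e read=4 -e write=6"  # fds as given in the post
LOG_DIR="${LOG_DIR:-/var/log/sshtap}"   # hypothetical log location
POLL_INTERVAL="${POLL_INTERVAL:-2}"     # seconds between scans

# Read "pid ppid comm" lines (the shape of `ps -eo pid=,ppid=,comm=`) on stdin
# and print the PIDs of sshd processes whose parent is sshd but whose
# grandparent is not: the direct children of the listening daemon, one per
# connection. Grandchildren (privsep net/user processes) are reached via -f.
sshd_session_pids() {
    awk '
        $3 == "sshd" { is_sshd[$1] = 1; parent[$1] = $2 }
        END {
            for (p in is_sshd) {
                pp = parent[p]
                if ((pp in is_sshd) && !(parent[pp] in is_sshd)) print p
            }
        }' | sort -n
}

# True when a tracer is already attached to the PID (Linux reports it in
# /proc/<pid>/status as a non-zero TracerPid).
already_traced() {
    t=$(awk '/^TracerPid:/ { print $2 }' "/proc/$1/status" 2>/dev/null)
    [ -n "$t" ] && [ "$t" != "0" ]
}

# Attach strace to one session process in the background; strace exits on its
# own once the session and every process forked from it are gone.
tap_session() {
    pid="$1"
    log="$LOG_DIR/sshd-$pid-$(date +%s).log"
    # shellcheck disable=SC2086  # STRACE_OPTS is meant to word-split
    strace -p "$pid" $STRACE_OPTS -o "$log" 2>/dev/null &
    echo "tapping sshd session pid $pid -> $log"
}

main() {
    mkdir -p "$LOG_DIR"
    while :; do
        ps -eo pid=,ppid=,comm= | sshd_session_pids | while read -r pid; do
            already_traced "$pid" || tap_session "$pid"
        done
        sleep "$POLL_INTERVAL"
    done
}

# Only start the loop when invoked as `sshtap.sh --run`, so the functions can
# also be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Two design points worth noting. Attaching to the listener's direct child rather than to every sshd PID avoids a second `ptrace` attempt on processes that `-f` is already following (the kernel refuses to attach twice, and the duplicate log would be wasted). And this is strictly a userland tap: an intruder with root sees the `strace` process in `ps` and the non-zero `TracerPid` on their own session, which is exactly the weakness the post raises against modified `bash` and `sshd` and the reason it suggests a kernel module instead.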