Honeypots mailing list archives

Re: Honeypot article


From: "R. Anthony Kolstee" <tkolstee () idealcorp com>
Date: 24 Jan 2003 16:40:48 -0500

From the paper:

I ran into a small problem during this process, as SSH encrypts all of
the data being passed between the honeypot and my IDS.

Tracing the system calls made by sshd can reveal the contents of
sessions. Test this theory with:

  strace -p ${SSHD_PID} -f -e trace=read,write -e read=4 -e write=6

The output is ugly, but it works...

Couldn't this be turned into an automated tool for honeypot systems that
detects the presence of an sshd daemon and taps it automatically? 

I know that honeypot systems are kept as close to default installations
as possible, but this feature would prove extremely valuable. If the
intruder had erased his history file in the analysis referenced above,
half the analysis would be at best much harder to perform. There is some
precedent with the trojaned versions of bash that some honeypot admins
use. 

A modified sshd is too easily replaced by a rootkit (as is a modified
bash, for that matter). 

Maybe a nice unobtrusive kernel module? One that "knows" how to identify
file descriptors that might be "interesting" and monitors all read/write
syscalls involving them. Is there anything currently out there that
resembles this notion at all?

-- 
Tony Kolstee
Systems Administrator/Trainer
__________________________________________________
I.D.E.A.L. Technology Corporation - Orlando Office
http://www.idealcorp.com - 407.999.9870 x10
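The strace approach above, as an added example that is not from the post: a Python parser that rebuilds the attacker's typed input and the session output from strace's `read`/`write` lines, one stream per (pid, fd, call). It assumes strace was run with `-s` large enough to avoid string truncation, takes the descriptor numbers 4 and 6 from the post's command, and the trace it parses is a constructed sample, not real sshd output.

```python
import re
from collections import defaultdict
# One strace read/write line, with the optional "[pid N]" prefix that -f adds, e.g.
#   [pid  1234] read(4, "ls -la\n", 16384) = 7
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<call>read|write)\((?P<fd>\d+),\s*'
    r'"(?P<data>(?:\\.|[^"\\])*)"(?P<trunc>\.\.\.)?,\s*\d+\)\s*=\s*(?P<ret>-?\d+)'
)
_ESC = {'n': '\n', 't': '\t', 'r': '\r', 'a': '\a', 'b': '\b', 'f': '\f', 'v': '\v'}

def unescape(s):
    """Decode strace's C-style escapes (backslash n, quote, backslash, xNN, octal NNN)."""
    out, i = [], 0
    while i < len(s):
        if s[i] != '\\':
            out.append(s[i]); i += 1; continue
        c = s[i + 1]
        if c == 'x':                      # hex escape (strace -x)
            out.append(chr(int(s[i + 2:i + 4], 16))); i += 4
        elif c in '01234567':             # octal escape, up to three digits
            j = i + 1
            while j < i + 4 and j < len(s) and s[j] in '01234567':
                j += 1
            out.append(chr(int(s[i + 1:j], 8))); i = j
        else:                             # \n, \t, \", \\ ...
            out.append(_ESC.get(c, c)); i += 2
    return ''.join(out)

def reconstruct(trace_lines, fds=(4, 6)):
    """Rebuild per-(pid, fd, call) streams; fd 4 = attacker input, fd 6 = output (from the post)."""
    streams = defaultdict(str)
    for line in trace_lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group('fd')) not in fds or int(m.group('ret')) <= 0:
            continue
        key = (int(m.group('pid') or 0), int(m.group('fd')), m.group('call'))
        streams[key] += unescape(m.group('data'))
        if m.group('trunc'):              # strace cut the string at -s (default 32)
            streams[key] += '[TRUNCATED]'
    return dict(streams)

# Constructed sample in strace's output format (not real sshd output).
SAMPLE = """\
[pid  1234] read(4, "uname -a\\n", 16384) = 9
[pid  1234] write(6, "Linux honeypot 2.4.18 #1 i686\\n", 30) = 30
[pid  1234] read(4, "cat /etc/passwd\\n", 16384) = 16
[pid  1234] write(6, "root:x:0:0:root:/root:/bin/bash\\n"..., 1024) = 1024
[pid  1234] read(5, "not a session fd\\n", 64) = 17
[pid  1234] read(4, "", 16384) = 0
"""
```

Lines that `-f` splits into `<unfinished ...>` / `<... resumed>` halves do not match the pattern and are skipped, as are the ` | ` hex-dump lines that `-e read=4 -e write=6` add; the quoted string argument already carries the data when `-s` is raised.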

