Honeypots mailing list archives
New Solaris Honeypot Tool - RemoteBSM
From: Ryan Barnett <RCBarnett () hushmail com>
Date: 7 Feb 2003 20:59:34 -0000

I have finished the initial Whitepaper/Tool for a Solaris Honeypot replacement for the auditd daemon called RemoteBSM. RemoteBSM is essentially a modified version of BackLog (http://www.intersectalliance.com/projects/BackLogSolaris/Download/BackLogS ol.tar.gz)

I have updated the code to make it more stealthy -
1) Rename the RemoteBSM binary to a less conspicuous name,
2) The process will declare a bogus name for the running praudit tool in PS listings and,
3) It will forward all BSM audit data to a remote host to a specified UDP port.

The remote logging host simply runs the RemoteBSM_listener.pl script to capture data.

I have uploaded the webpage onto my Sourceforge Honeypots website and wanted to let you all start using/testing it.

http://honeypots.sourceforge.net/Honeypotting_With_RemoteBSM.html

I know that editing the RemoteBSM.c file directly and compiling works fine, but I am looking for feedback on issues with regards to the install.sh script, any problems with the RemoteBSM_listener.pl, etc...

Any feedback would be appreciated :)

#################################
Ryan C. Barnett
Senior Security Engineer
SANS: GCFA, GCIH, GCUX, GSEC
http://honeypots.sourceforge.net
#################################