Honeypots mailing list archives

Controlling a Honeynet Control/Containment Device


From: Rob McMillen <rvmcmil () cablespeed com>
Date: Mon, 21 Apr 2003 13:46:51 -0400 (EDT)


How many of you have found the rc.firewall script hard to figure out?  
What variables need to be set to properly configure the firewall to 
contain/control your Honeynet?  Well, here is my first attempt at making 
it easier to use and deploy.  It is called honeyctl.sh, and you can 
download it from:

http://project.honeynet.org/papers/honeynet/tools/honeyctl.tgz

This tarball consists of two files: the script, honeyctl.sh, and the 
actual firewall rules, honeyctl.rules.  It will allow you to execute the 
following commands:

honeyctl.sh [command]

1. stop - This command will shut down the gateway by flushing the ruleset 
and setting the default policy to DROP.  It will not affect the management 
interface.
2. status - This command will return a list of all firewall rules.
3. interface - This command will return network interface information.
4. bridge - This command will return bridge information.
5. reload - This reloads the previous gateway configuration.
6. zero - This zeroes the iptables chain packet and byte counters.
7. new - This command deletes previous configuration files and starts the 
interview process.
8. date - This provides the system date and time.
9. inline_status - Tells if snort_inline is running in daemon mode.
10. generate - This command generates the rc.firewall script via the use 
of an interview (without comments).
11. HELP - This command tells the user how to use the script and what each 
command means.

An added benefit is the ability to control the device remotely via a 
management interface.  By using ssh and this script, remote management 
becomes a reality.  Once you have ssh configured per your preferences, 
either public/private key or password, you can execute the script 
commands as follows (the script must reside on the device).

From a system that is not the honeynet firewall:

ssh root@device /root/honeyctl.sh [command]

The above command assumes the device name is device, and that the 
honeyctl.sh and honeyctl.rules files are located in the /root directory of 
the firewall.  All commands are available remotely.

Please give this a try and let me know what you think, good or bad.

Rob
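As an added illustration of the stop/status/zero commands described above (this is not the honeyctl.sh script from the post, which is at the URL given), a minimal POSIX shell sketch of a honeynet gateway control script. The management interface name eth2 and the echo-based dry run are assumptions; set IPTABLES=iptables on the gateway itself to apply the rules.

```shell
#!/bin/sh
# Added example, not the honeyctl.sh from the post.  MGMT_IF is the
# management interface that must stay reachable after "stop".  IPTABLES
# defaults to "echo iptables" so this is a dry run (prints the commands);
# on the real gateway run it as IPTABLES=iptables ./script stop.
MGMT_IF="${MGMT_IF:-eth2}"            # assumed interface name
IPTABLES="${IPTABLES:-echo iptables}" # dry-run by default

# stop: default-DROP every chain, flush all rules, then re-admit only
# traffic on the management interface so ssh control is not cut off.
honey_stop() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES -P "$chain" DROP
    done
    $IPTABLES -F   # flush rules in all built-in chains
    $IPTABLES -X   # delete user-defined chains
    # management interface is exempt from the shutdown
    $IPTABLES -A INPUT  -i "$MGMT_IF" -j ACCEPT
    $IPTABLES -A OUTPUT -o "$MGMT_IF" -j ACCEPT
}

# status: list every rule with its packet/byte counters.
honey_status() { $IPTABLES -L -n -v; }

# zero: reset the packet and byte counters of all chains.
honey_zero() { $IPTABLES -Z; }

# dispatcher in the "script [command]" style of the post
honey_cmd() {
    case "$1" in
        stop)   honey_stop ;;
        status) honey_status ;;
        zero)   honey_zero ;;
        *)      echo "usage: $0 {stop|status|zero}" >&2; return 2 ;;
    esac
}

# Only dispatch when a command is given on the command line.
if [ $# -gt 0 ]; then
    honey_cmd "$1"
fi
```

Run over ssh exactly as the post shows, e.g. ssh root@device /root/script.sh stop, the dry run lets you review the generated iptables commands before enabling them.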

