Honeypots mailing list archives
Re: IDS and honeypots
From: Eric Arnoth <earnoth () comcast net>
Date: Wed, 30 Apr 2003 20:11:47 -0400
My tactic is to capture all traffic to and from my honeypot. I have a box dedicated to the task on the wire, and simply run tcpdump against the honeypot's IP address. I've wrapped the command in a shell script and set it to write a set number of packets to a file. After the first tcpdump completes, the shell script starts up a second one. This allows me to catch any 0-day events there might be, and I can post-process the data any way I want (Snort, other NIDS, eyeballing with ethereal and color-coding, grep on a tcpdump re-read, etc). I find it to be a very flexible approach.

Here's the simple shell script I wrote:

snooper7:21pm[146]> cat dumploop.sh
#!/bin/sh
# dumploop.sh: capture traffic to/from the honeypot in chunks of 10000
# packets, one timestamped file per chunk, forever. Replace the <...>
# placeholders with the real sniffing interface and honeypot address.
tcpdump="/usr/sbin/tcpdump"
interface="<dirty_interface>"    # interface on the honeypot's wire
honeypot="<honeypot_ip>"
outdir="/usr/MyHoneyPot"
snaplen=2048                     # bytes kept per packet
count=10000                      # packets per capture file

/sbin/ifconfig "$interface" up   # interface needs no address, only to be up
cd "$outdir" || exit 1           # never drop captures into the wrong directory

while :
do
    # Seconds are included so a chunk that fills in under a minute does not
    # overwrite the previous file.
    date=`date +%Y%m%d.%H%M%S`
    "$tcpdump" -s "$snaplen" -c "$count" -i "$interface" \
        -w "outfile.$date.tcp" host "$honeypot"
done

--
Eric I. Arnoth CISSP (http://www.isc2.org)
earnoth () comcast net
http://mywebpages.comcast.net/earnoth
¤ø,¸¸,ø¤º°*°º¤ø,¸¸,ø¤ø,¸¸,ø¤º°*°º¤ø,¸¸,ø¤ø,¸¸,ø¤º°*°º¤ø,¸¸,ø¤ø,¸¸,ø¤º°*°º¤ø,¸¸,ø

On Wednesday 30 April 2003 08:28, rnoble wrote:
Hi. I'm investigating the idea of using the traffic captured by a honeypot (in theory all data should be suspicious), filtering out legal traffic and traffic captured by existing misuse IDS signatures, and using the remainder to automatically create new signatures in order to update an IDS database. Does anyone know if this has been done before, or of any related work being done? Also, can anyone point me to any journal articles on honeypots etc.? (Already got all the honeynet whitepapers.) Lastly, if anyone can think of blatant reasons why this should not or cannot work, contact me: rnoble () petech ac za. Thanks.
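As an added example (not Eric's script and not code from anyone in this thread), here is a small Python pass over a capture file that does the post-processing both posts describe: read the pcap that a tcpdump -w loop leaves behind, keep only packets that involve the honeypot, peel off traffic known to be legitimate and traffic already covered by an existing signature, and report what is left as the candidate set for new signatures. It assumes little-endian microsecond pcap files with Ethernet framing (what tcpdump -w writes by default), only looks at IPv4/TCP, and uses a plain substring match as a stand-in for running the real IDS rule set. Every address, port, payload and the one "signature" are constructed sample data, not real IoCs or rules.

```python
import socket
import struct

# Added example, not Eric Arnoth's script: a minimal libpcap reader plus the
# triage pass rnoble describes (keep honeypot traffic, peel off legitimate
# traffic and traffic already matched by a signature, report the rest).
# Every address, payload and "signature" here is constructed sample data.

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame for the sample capture (checksums zeroed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames, snaplen=2048):
    """Wrap frames in a pcap file image, one second apart, as tcpdump -w would write them."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1051747907 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each IPv4/TCP packet in a pcap image."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        # Skip anything without a complete IPv4 header (ARP, snaplen truncation, etc.).
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != IPPROTO_TCP:
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 20:
            continue
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[tcp_off + data_off:]


def triage(records, honeypot_ip, legit_rules, known_signatures):
    """Bucket packets as not_honeypot / legitimate / known_signature / unknown.
    legit_rules: set of (peer_ip, honeypot_port) pairs that are known-good;
    known_signatures: byte patterns standing in for the existing IDS rule set."""
    buckets = {"not_honeypot": [], "legitimate": [], "known_signature": [], "unknown": []}
    for src, dst, sport, dport, payload in records:
        if honeypot_ip not in (src, dst):
            bucket = "not_honeypot"
        else:
            peer, hp_port = (dst, sport) if src == honeypot_ip else (src, dport)
            if (peer, hp_port) in legit_rules:
                bucket = "legitimate"
            elif any(sig in payload for sig in known_signatures):
                bucket = "known_signature"
            else:
                bucket = "unknown"
        buckets[bucket].append((src, dst, sport, dport, payload))
    return buckets


def demo():
    """Build a constructed five-packet capture and return the size of each bucket."""
    honeypot = "192.0.2.10"                      # constructed honeypot address
    frames = [
        build_frame("203.0.113.7", honeypot, 4444, 80, b"GET /probe-v1 HTTP/1.0\r\n\r\n"),
        build_frame("203.0.113.7", honeypot, 4445, 8080, b"HELLO-UNKNOWN\r\n"),
        build_frame(honeypot, "203.0.113.7", 8080, 4445, b"220 reply\r\n"),
        build_frame("10.0.0.5", honeypot, 51000, 22, b"SSH-2.0-sample\r\n"),   # admin box
        build_frame("198.51.100.4", "198.51.100.9", 1234, 25, b"EHLO example\r\n"),
    ]
    buckets = triage(parse_pcap(build_pcap(frames)), honeypot,
                     legit_rules={("10.0.0.5", 22)},
                     known_signatures=[b"probe-v1"])   # constructed, not a real rule
    return {name: len(pkts) for name, pkts in buckets.items()}


if __name__ == "__main__":
    print(demo())
```

The "unknown" bucket is the remainder rnoble wants to feed a signature generator; note that it contains the honeypot's own replies as well as the probes, so a real pipeline would group packets into flows before deriving anything from them. The pcap reader deliberately ignores non-IPv4, non-TCP and truncated packets, which is also why Eric's -s 2048 matters: with a short snaplen the payload match here would silently see only the first few bytes.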
Current thread:
- IDS and honeypots rnoble (Apr 30)
- Re: IDS and honeypots Valdis . Kletnieks (Apr 30)
- Re: IDS and honeypots Niels Provos (Apr 30)
- Re: IDS and honeypots Christian Kreibich (May 01)
- Re: IDS and honeypots Eric Arnoth (Apr 30)
- Re: IDS and honeypots ramos (May 02)