Honeypots mailing list archives

Re: IDS and honeypots


From: Eric Arnoth <earnoth () comcast net>
Date: Wed, 30 Apr 2003 20:11:47 -0400

My tactic is to capture all traffic to and from my honeypot.  I have a box 
dedicated to the task on the wire, and simply run tcpdump against the 
honeypot's IP address.  I've wrapped the command in a shell script and set it 
to write a set number of packets to a file.  After the first tcpdump 
completes, the shell script starts up a second one.

This allows me to catch any 0-day events there might be, and I can 
post-process the data any way I want (Snort, other NIDS, eyeballing with 
ethereal and color-coding, grep of a tcpdump re-read, etc.).  

I find it to be a very flexible approach.  Here's the simple shell script I 
wrote:

snooper7:21pm[146]> cat dumploop.sh
#!/bin/sh
# Capture every packet to and from the honeypot in fixed-size chunks: each
# tcpdump exits after $count packets and the loop immediately starts the next,
# so each output file holds at most $count packets.  Packets that arrive while
# tcpdump is restarting are not captured.
tcpdump=/usr/sbin/tcpdump
snaplen=2048                 # bytes captured per packet
count=10000                  # packets per output file
interface="<dirty_interface>"
honeypot="<honeypot_ip>"
outdir=/usr/MyHoneyPot
extension=tcp

/sbin/ifconfig "$interface" up
cd "$outdir" || exit 1       # never write the dumps somewhere unexpected
while :
do
        date=$(date +%Y%m%d.%H%M)
        "$tcpdump" -s "$snaplen" -c "$count" -i "$interface" \
                -w "outfile.$date.$extension" host "$honeypot"
done


-- 
Eric I. Arnoth    CISSP (http://www.isc2.org)        
earnoth () comcast net                
http://mywebpages.comcast.net/earnoth
¤ø,¸¸,ø¤º°*°º¤ø,¸¸,ø¤ø,¸¸,ø¤º°*°º¤ø,¸¸,ø¤ø,¸¸,ø¤º°*°º¤ø,¸¸,ø¤ø,¸¸,ø¤º°*°º¤ø,¸¸,ø

On Wednesday 30 April 2003 08:28, rnoble wrote:
hi
I'm investigating the idea of using the traffic captured by a honeypot (in
theory all data should be suspicious), filtering out legal traffic and
traffic captured by existing misuse IDS signatures, and using the remainder
to automatically create new signatures in order to update an IDS
database.

Does anyone know if this has been done before, or of any related work being
done? Also, can anyone point me to any journal articles on honeypots etc.?
(I've already got all the honeynet whitepapers.)

Lastly, if anyone can think of blatant reasons why this should not or cannot
work, contact me: rnoble () petech ac za

Thanks
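Eric post-processes the dumploop.sh files after the fact, and rnoble asks about filtering "legal" traffic out of a honeypot capture and keeping the remainder. As an added example (not code from either poster), this Python script does that first triage step on the files tcpdump -w writes: a minimal pcap reader, a whitelist of expected peers and remote ports, and a count of the honeypot flows that survive. The honeypot address, the whitelist and the sample frames are constructed placeholders.

```python
import struct
from collections import Counter
HONEYPOT_IP = "192.0.2.10"       # constructed stand-in for <honeypot_ip>
ALLOWED_PEERS = {"192.0.2.1"}    # expected ("legal") traffic: the management host ...
ALLOWED_REMOTE_PORTS = {53}      # ... and the resolver the honeypot is allowed to query

def tcp_frame(src, dst, sport, dport):  # constructed Ethernet/IPv4/TCP frame
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0])  # 20-byte header, no checksum
    ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

def build_pcap(frames):  # constructed sample in the format tcpdump -w writes
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1051700000 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield raw frames from pcap bytes, honouring either byte-order magic."""
    endian, off = ("<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_tuple(frame):
    """(src, dst, sport, dport) of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    return (src, dst) + struct.unpack_from("!HH", frame, 14 + ihl)

def suspicious_flows(data):
    """Packets per (remote host, honeypot port) once whitelisted traffic is dropped."""
    counts = Counter()
    for src, dst, sport, dport in filter(None, map(tcp_tuple, read_pcap(data))):
        if src == HONEYPOT_IP:   peer, hp_port, peer_port = dst, sport, dport
        elif dst == HONEYPOT_IP: peer, hp_port, peer_port = src, dport, sport
        else: continue           # not honeypot traffic; excluded anyway by tcpdump's 'host' filter
        # Crude whitelist: a probe sent *from* source port 53 would also slip through.
        if peer in ALLOWED_PEERS or peer_port in ALLOWED_REMOTE_PORTS: continue
        counts[(peer, hp_port)] += 1
    return counts

SAMPLE = build_pcap([  # constructed capture: one probe plus reply, two legal packets
    tcp_frame("198.51.100.7", HONEYPOT_IP, 40001, 445),  # unsolicited SMB probe
    tcp_frame(HONEYPOT_IP, "198.51.100.7", 445, 40001),  # honeypot's reply
    tcp_frame("192.0.2.1", HONEYPOT_IP, 2222, 22),       # whitelisted management host
    tcp_frame(HONEYPOT_IP, "192.0.2.53", 1025, 53),      # allowed DNS lookup
])
```

Running `suspicious_flows(open("outfile.20030430.1921.tcp", "rb").read())` on a real dumploop.sh file gives the per-peer, per-port leftovers that rnoble would hand to signature generation.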


