Honeypots mailing list archives

Re: Know Your Enemy: GenII Honeynets


From: george chamales <george () overt org>
Date: Mon, 14 Apr 2003 15:46:59 -0500

Comments inline:

If I was a hacker and ran a sniffer on my hacked host to see what was going
on and I saw *no* packets coming from myself, I would see ssh connections
etc. inbound but nothing outbound. I would know *instantly* this was
incredibly suspicious. Perhaps even more suspicious than actually seeing the
UDP packets because there would be a chance they'd get overlooked.

You're mistaken about the method Sebek2 uses to hide its packets.
Sebek2 certainly doesn't hide all the packets that are sent out of the
honeypot because, as you point out, that would be highly suspicious. Sebek2
allows you to specify a source MAC OUI (organizationally unique identifier)
when you load the module.  The OUI is the number assigned to different
network interface card manufacturers that is placed in the high three bytes
of MAC addresses from that manufacturer. All of the packets that are
generated by Sebek2 leave the host with the given OUI in the source MAC
address. On the honeypot Sebek2 only hides the packets that have that
spoofed OUI. As a result, Sebek2 will only hide traffic that was generated
by the module and never hide packets generated by normal traffic.

One of the benefits of this method is that multiple Linux honeypots on the
network can be configured with Sebek2 and the same MAC OUI and none of
them will be able to sniff the Sebek traffic on the network.

Please feel free to contact Ed Balas if you have any more questions about
Sebek2.  He's been the primary developer on the project.

Just thinking off the top of my head, the person who designed Sebek2 could
have made it much more useful if instead of a predetermined MAC address
being ignored, a predetermined port could be specified. This way you could
choose an arbitrary port to have things report on such as 30519 or
something, and have the logging facility listen for that port, while on the
honeypot itself all other traffic such as their SSH/IRC/etc. connections
would still be visible.

I don't think this is the best solution.  It would be really easy for an
attacker to run a tool that would send out udp packets from each port on
the honeypot system and look for a port where traffic magically
disappeared.

Don't mean to criticize but I've been using this GenII model for months
already (and I would guess others are too). I was really excited to see the
article and hoping for something fresh and new!  Just my $0.02

GenII Honeynets have been around for a while.  What we've sought to do
here is devote an entire paper to the methods and technology as opposed
to a single section in KYE: Honeypots.

Thanks for your input,

george chamales
http://honeynet.overt.org
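The hiding rule george describes (drop only frames whose source MAC carries the configured Sebek OUI) versus the port-based rule proposed earlier in the thread, modelled in user space as an added example. This is not Sebek2's kernel code; the OUI, port number, MAC addresses, IP addresses and the frames themselves are constructed for the example, and the frames are Ethernet/IPv4/UDP with zeroed checksums so they can be built offline.

```python
"""Model of the two hiding rules discussed in the thread.

oui_hides  - the Sebek2 rule as described: hide only frames whose source MAC
             starts with the configured OUI, so ordinary traffic stays visible.
port_hides - the proposed alternative: hide any UDP frame sent from the
             logging port, regardless of who generated it.
All frames below are constructed for this example; nothing here is Sebek's
own code and the OUI/port values are arbitrary assumptions.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")             # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")     # 20-byte IPv4 header, no options
UDP_HDR = struct.Struct("!HHHH")              # sport, dport, length, checksum
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

SEBEK_OUI = bytes([0x00, 0x12, 0x34])   # assumed OUI passed at module load
SEBEK_UDP_PORT = 30519                  # port from the thread's proposal


def build_udp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, data):
    """Build an Ethernet/IPv4/UDP frame; checksums are left zero for the model."""
    udp = UDP_HDR.pack(sport, dport, UDP_HDR.size + len(data), 0) + data
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(udp), 0, 0, 64,
                       IPPROTO_UDP, 0, src_ip, dst_ip) + udp
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + ip


def src_oui(frame):
    """High three bytes of the source MAC, i.e. the manufacturer OUI."""
    _, src, _ = ETH_HDR.unpack_from(frame)
    return src[:3]


def udp_src_port(frame):
    """UDP source port of the frame, or None if it is not IPv4/UDP."""
    if len(frame) < ETH_HDR.size + IPV4_HDR.size + UDP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ver_ihl, _, _, _, _, _, proto, _, _, _ = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
    if proto != IPPROTO_UDP:
        return None
    udp_off = ETH_HDR.size + (ver_ihl & 0x0F) * 4
    if len(frame) < udp_off + UDP_HDR.size:
        return None
    sport, _, _, _ = UDP_HDR.unpack_from(frame, udp_off)
    return sport


def oui_hides(frame):
    """Sebek2 rule: only frames the module itself tagged with the OUI vanish."""
    return src_oui(frame) == SEBEK_OUI


def port_hides(frame):
    """Proposed rule: anything sent from the logging port vanishes, whoever sent it."""
    return udp_src_port(frame) == SEBEK_UDP_PORT


def sniffer_view(frames, hides):
    """Names of the frames a sniffer on the honeypot would still see under a rule."""
    return [name for name, frame in frames if not hides(frame)]


# Constructed hosts: the honeypot's real NIC, its gateway, and two Sebek senders
# (this honeypot and a peer honeypot) that both use the same spoofed OUI.
HONEYPOT_NIC = bytes([0x00, 0xAA, 0xBB, 0x01, 0x02, 0x03])
GATEWAY_NIC = bytes([0x00, 0xCC, 0xDD, 0x04, 0x05, 0x06])
SEBEK_SRC = SEBEK_OUI + bytes([0x00, 0x00, 0x01])
PEER_SEBEK_SRC = SEBEK_OUI + bytes([0x00, 0x00, 0x02])
HONEYPOT_IP, GATEWAY_IP, LOGGER_IP = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]), bytes([10, 0, 0, 9])

SAMPLE_FRAMES = [
    ("outbound-dns-query",
     build_udp_frame(GATEWAY_NIC, HONEYPOT_NIC, HONEYPOT_IP, GATEWAY_IP, 41000, 53, b"q")),
    ("inbound-dns-reply",
     build_udp_frame(HONEYPOT_NIC, GATEWAY_NIC, GATEWAY_IP, HONEYPOT_IP, 53, 41000, b"r")),
    # Ordinary local process that happens to use the logging port as its source
    ("local-udp-from-sebek-port",
     build_udp_frame(GATEWAY_NIC, HONEYPOT_NIC, HONEYPOT_IP, GATEWAY_IP, SEBEK_UDP_PORT, 9999, b"x")),
    # Frames generated by the Sebek module on this honeypot and on a peer
    ("sebek-log",
     build_udp_frame(GATEWAY_NIC, SEBEK_SRC, HONEYPOT_IP, LOGGER_IP, SEBEK_UDP_PORT, SEBEK_UDP_PORT, b"k")),
    ("peer-honeypot-sebek",
     build_udp_frame(GATEWAY_NIC, PEER_SEBEK_SRC, bytes([10, 0, 0, 6]), LOGGER_IP, SEBEK_UDP_PORT, SEBEK_UDP_PORT, b"k")),
]

if __name__ == "__main__":
    print("OUI rule  :", sniffer_view(SAMPLE_FRAMES, oui_hides))
    print("port rule :", sniffer_view(SAMPLE_FRAMES, port_hides))
```

Under the OUI rule the two Sebek frames (this honeypot's and the peer's) disappear while every frame carrying the real NIC's MAC stays visible, including the local process that used port 30519; under the port rule that ordinary frame vanishes too, which is exactly the observable gap the message warns about.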

