Honeypots mailing list archives
Re: Know Your Enemy: GenII Honeynets
From: george chamales <george () overt org>
Date: Mon, 14 Apr 2003 15:46:59 -0500
Comments inline:
If I was a hacker and ran a sniffer on my hacked host to see what was going on and I saw *no* packets coming from myself, I would see ssh connections etc. inbound but nothing outbound. I would know *instantly* this was incredibly suspicious. Perhaps even more suspicious than actually seeing the UDP packets, because there would be a chance they'd get overlooked.
You're mistaken about the method Sebek2 uses to hide its packets. Sebek2 certainly doesn't hide all the packets that are sent out of the honeypot because, as you point out, that would be highly suspicious. Sebek2 allows you to specify a source MAC OUI (organization unique identifier) when you load the module. The OUI is the number assigned to different network interface card manufacturers that is placed in the high three bytes of MAC addresses from that manufacturer. All of the packets that are generated by Sebek2 leave the host with the given OUI in the source MAC address. On the honeypot Sebek2 only hides the packets that have that spoofed OUI. As a result, Sebek2 will only hide traffic that was generated by the module and never hide packets generated by normal traffic.

One of the benefits of this method is that multiple Linux honeypots on the network can be configured with Sebek2 and the same MAC OUI and none of them will be able to sniff the Sebek traffic on the network.

Please feel free to contact Ed Balas if you have any more questions about Sebek2. He's been the primary developer on the project.
Just thinking off the top of my head, the person who designed Sebek2 could have made it much more useful if instead of a predetermined mac address being ignored, a predetermined port could be specified. This way you could choose an arbitrary port to have things report on such as 30519 or something, and have the logging facility listen for that port, while on the honeypot itself all other traffic such as their SSH/IRC/etc connections would still be visible.
I don't think this is the best solution. It would be really easy for an attacker to run a tool that would send out udp packets from each port on the honeypot system and look for a port where traffic magically disappeared.
Don't mean to criticize but I've been using this GenII model for months already (and I would guess others are too). I was really excited to see the article and hoping for something fresh and new! Just my $0.02
GenII Honeynets have been around for a while. What we've sought to do here is devote an entire paper to the methods and technology as opposed to a single section in KYE: Honeypots.

Thanks for your input,
george chamales
http://honeynet.overt.org
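The two hiding rules argued over above, as an added illustration that is not part of the thread and not Sebek2's own code. It mimics the rule george describes (hide a frame only when the source MAC carries the spoofed OUI) beside the port-based rule Michael proposed, and runs the probe george mentions, one UDP datagram from each port followed by a look at what the local sniffer still sees. The OUI value, MAC addresses, IP addresses, port range and frame contents are all constructed for the example; 30519 is just the port quoted in the thread.

```python
"""Constructed example: OUI-based vs port-based hiding of sniffer output.

Not Sebek2 source. All addresses, the OUI and the traffic are made up.
"""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

SPOOFED_OUI = b"\x00\x12\x34"                 # hypothetical OUI loaded into the module
SEBEK_MAC = SPOOFED_OUI + b"\xaa\xbb\xcc"      # source MAC the module stamps on its frames
REAL_MAC = b"\x00\x0c\x29\x11\x22\x33"         # the honeypot NIC's real address
GATEWAY_MAC = b"\x00\x50\x56\x01\x02\x03"
HIDDEN_PORT = 30519                            # port from the thread, used by the port rule


def build_udp_frame(src_mac, dst_mac, src_port, dst_port, payload=b""):
    """Construct an Ethernet/IPv4/UDP frame. Checksums stay zero: the
    filters below never validate them (constructed test data only)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    total_len = 20 + len(udp)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def src_oui(frame):
    """High three bytes of the source MAC (bytes 6..8 of the Ethernet header)."""
    return frame[6:9]


def udp_src_port(frame):
    """Source UDP port, or None if the frame is not IPv4/UDP."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    proto = frame[ETH_HDR_LEN + 9]
    if proto != IPPROTO_UDP or len(frame) < ETH_HDR_LEN + ihl + 8:
        return None
    off = ETH_HDR_LEN + ihl
    return struct.unpack("!H", frame[off:off + 2])[0]


def hide_by_oui(frame, spoofed_oui):
    """Rule from the thread: hide only frames whose source MAC starts
    with the configured OUI. Normal traffic uses the real MAC, so it
    is never touched."""
    return src_oui(frame) == spoofed_oui


def hide_by_port(frame, hidden_port):
    """The proposed alternative: hide anything sent from one chosen UDP port."""
    return udp_src_port(frame) == hidden_port


def visible(frames, rule):
    """What a sniffer on the honeypot would show under the given rule."""
    return [f for f in frames if not rule(f)]


def probe_hidden_ports(sent_ports, seen_frames):
    """Attacker's check: one datagram from each port, then report the
    source ports that never appeared in the local sniffer."""
    seen = {udp_src_port(f) for f in seen_frames}
    return sorted(p for p in sent_ports if p not in seen)


def demo():
    ports = range(30510, 30530)      # small probe range to keep the example short
    probes = [build_udp_frame(REAL_MAC, GATEWAY_MAC, p, 53) for p in ports]
    # Module traffic: spoofed OUI, sent from HIDDEN_PORT so both rules apply to it.
    sebek = build_udp_frame(SEBEK_MAC, GATEWAY_MAC, HIDDEN_PORT, HIDDEN_PORT, b"keystrokes")
    wire = probes + [sebek]
    oui_view = visible(wire, lambda f: hide_by_oui(f, SPOOFED_OUI))
    port_view = visible(wire, lambda f: hide_by_port(f, HIDDEN_PORT))
    return {
        "sebek_frame_hidden_by_oui": sebek not in oui_view,
        "sebek_frame_hidden_by_port": sebek not in port_view,
        "probe_gaps_under_oui_rule": probe_hidden_ports(ports, oui_view),
        "probe_gaps_under_port_rule": probe_hidden_ports(ports, port_view),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Under the OUI rule the probe datagrams all carry the NIC's real MAC, so every one of them shows up and the probe finds no gap; under the port rule the datagram sent from 30519 vanishes along with the module's own traffic, which is exactly the tell george describes.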
Current thread:
- Re: Know Your Enemy: GenII Honeynets Michael Anuzis (Apr 15)
- Re: Know Your Enemy: GenII Honeynets george chamales (Apr 15)
- Re: Know Your Enemy: GenII Honeynets Mike Clark (Apr 15)
- <Possible follow-ups>
- Re: Know Your Enemy: GenII Honeynets Michael Anuzis (Apr 16)