Honeypots mailing list archives

Re: logging facility


From: Ryan Barnett <RCBarnett () hushmail com>
Date: 29 Aug 2003 11:50:31 -0000

In-Reply-To: <1062109619.3f4e81b381df4 () webmail visi com>

From: urbn () visi com

What if someone compromised your honeypot, and then monitored any SSL traffic that was decrypted?  Common sense would tell me to keep these logs (the decrypted SSL traffic) on a separate system, but then why even have your honeypot decrypt it first. Better off just sending the encrypted packets to the system that will be logging it anyways.

Or am I missing something here?

The key element here is that blackhats are including encryption 
communication tools as part of their rootkits.  This can range from 
modified ssh daemons to SSL enabled web servers to custom encryption tools 
utilizing seldom-used protocols (see the Honeynet Project's SoTM Reverse 
Challenge and SoTM Scan 22 - http://www.honeynet.org/scans/scan22/).

If the attackers would be nice enough to use our honeypot services, such 
as ssh, then we could just log the encrypted data to a remote host.  This 
would work because we would have the appropriate decryption keys for the 
data.  Unfortunately, blackhats are not so kind...  

Since they will most likely use their own tools, we are forced to log the 
decrypted data at the host level rather than the network level.  With 
tools such as sebek or other kernel keyloggers, we can capture all of the 
data once it has passed through the blackhats' decryption algorithms - and 
then send it off to a remote host for safekeeping.

Hope this helps.

-Ryan
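The two capture points contrasted above, as an added example that is not part of this thread: a toy keystream cipher stands in for both the honeypot's own sshd (key known to us) and the rootkit's private channel (key known only to the attacker's tool); the service names, REMOTE_LOG and the sample command are constructed for the demo.

```python
import hashlib

REMOTE_LOG = []  # stands in for the separate logging host

def keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream, constructed for this demo (not a real cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return out[:length]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def network_level_log(known_keys: dict, service: str, packet: bytes):
    """Sniffer-side logging: recovers plaintext only when the honeypot holds the
    session key (e.g. its own sshd); otherwise only ciphertext reaches the log."""
    key = known_keys.get(service)
    if key is None:
        REMOTE_LOG.append(("network", service, packet.hex()))
        return None
    plaintext = xor_crypt(key, packet)
    REMOTE_LOG.append(("network", service, plaintext.decode()))
    return plaintext

def host_level_log(service: str, plaintext: bytes) -> bytes:
    """Models a sebek-style kernel hook: sees data after the attacker's own tool
    has decrypted it on the host, then ships the record off-box."""
    REMOTE_LOG.append(("host", service, plaintext.decode()))
    return plaintext

def run_scenario(honeypot_key: bytes, rootkit_key: bytes) -> dict:
    """Same command sent over the honeypot's sshd and over the rootkit's private
    channel; returns what each capture point recovered."""
    command = b"id; uname -a"
    via_sshd = xor_crypt(honeypot_key, command)    # key known to the honeypot
    via_rootkit = xor_crypt(rootkit_key, command)  # key lives only in the rootkit
    known = {"honeypot-sshd": honeypot_key}
    result = {"net_sshd": network_level_log(known, "honeypot-sshd", via_sshd),
              "net_rootkit": network_level_log(known, "rootkit-channel", via_rootkit)}
    # The rootkit decrypts on the host; the kernel hook captures that step's output.
    result["host_rootkit"] = host_level_log("rootkit-channel", xor_crypt(rootkit_key, via_rootkit))
    return result
```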

