Honeypots mailing list archives

Re: honeypot+ids?


From: Kostas K <acezerocool () yahoo com>
Date: 13 Aug 2003 13:58:05 -0000

In-Reply-To: <Pine.BSO.4.51.0308111504250.26862 () naughty monkey org>

Hello again,

How about doing that in Windows 2000 Pro?

I don't think I can use my router as a computer; at least I do not know how.

Do you know how to monitor my dialup modem with Snort? I use the snort -W command
and nothing occurs. Soon I will have ISDN, where the modem connects at the serial port.

Any suggestions please!

Thanks in advance.


Date: Mon, 11 Aug 2003 15:05:02 -0400 (EDT)
From: Jose Nazario <jose () monkey org>
To: Patrick Dolan <dolan () cc admin unt edu>
Cc: honeypots () securityfocus com
Subject: Re: honeypot+ids?
In-Reply-To: <200308111400.13796.dolan () cc admin unt edu>
Message-ID: <Pine.BSO.4.51.0308111504250.26862 () naughty monkey org>
References: <20030811183040.25770.qmail () www securityfocus com> <200308111400.13796.dolan () cc admin unt edu>

On Mon, 11 Aug 2003, Patrick Dolan wrote:

> I find it easiest to set up the router/switch as a computer rather than
> just a piece of hardware.  OpenBSD, for instance, has good capabilities
> for packet filtering.  With this method, you can run the IDS on the
> router and have it listen to the internal interface.  I've used OpenBSD
> in combination with Snort for this scenario and it works well.

log all packets that come through and have snort listen on pflog0 or use
the pf command "dup-to" to duplicate packets to the sensor. easy as pie.

___________________________
jose nazario, ph.d.                    jose () monkey org
                                      http://monkey.org/~jose/
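The two options Jose mentions, written out as a pf.conf fragment. This is an added example for the archive reader, not configuration from Jose, Patrick, or the OpenBSD project; the interface names, the honeypot and sensor addresses, and the Snort config path are assumptions chosen for illustration.

```pf
# Added example, not from the thread. An OpenBSD router filters the segment
# that holds the honeypot; a separate Snort sensor sits on the same segment.
# Interface names and addresses are assumed for illustration.
ext_if   = "fxp0"          # upstream side
int_if   = "fxp1"          # segment holding the honeypot and the sensor
honeypot = "192.0.2.10"
sensor   = "192.0.2.20"    # machine running Snort, reachable on $int_if

# Option 1: dup-to. pf sends a copy of every matching packet out $int_if
# toward $sensor and still delivers the original, so Snort on the sensor
# watches the honeypot passively. The rules are deliberately stateless so
# that every packet in both directions is evaluated and duplicated: pf of
# 2003 was stateless unless "keep state" was given; current pf is stateful
# by default and needs "no state" on these two rules for the same effect.
pass out on $int_if dup-to ($int_if $sensor) inet from any to $honeypot
pass in  on $int_if dup-to ($int_if $sensor) inet from $honeypot to any

# Option 2: log to pflog0 and run Snort on the router itself, e.g.
#   snort -i pflog0 -c /etc/snort/snort.conf
# A plain "log" on a stateful rule records only the packet that created
# the state, so Snort would see little more than the handshake; log (all)
# (spelled log-all in the pf of that era) logs every packet of the flow.
pass in log (all) on $ext_if inet from any to $honeypot keep state
```

Either way the sensor only sees what the rules match, so a rule that is too narrow silently blinds the IDS; checking the duplicated or logged traffic against a tcpdump on the honeypot's own interface is a quick way to confirm nothing is being dropped before trusting the alerts.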
