Honeypots mailing list archives
Re: honeypot
From: Mark Hahn <MHahn () TCBTech com>
Date: Thu, 14 Aug 2003 09:35:58 -0400
At 01:16 AM 8/14/2003, thetic_1900 () hotmail com wrote:
> I would like to know: can I set up my honeypot on a production network where I have a switch? Since a switch controls broadcast, and say I have my honeypot set up and I have a Snort system set up as well, how can I make sure all traffic is destined to touch the Snort system in addition to the honeypot?
Good question, several answers.

A) Run snort on the honeypot. I presume that since you say "snort system" you are envisioning running snort on a separate server and don't want to do this.

B) Use Sebek2 to forward all incoming traffic on your honeypot to your snort system, but you will need a Sebek sniffer on the snort machine, and may not get real-time IDS without effort.

C) Adapt a Gen-II architecture to do what you want:
http://project.honeynet.org/papers/gen2/
http://www.cse.sc.edu/~siripurh/content2.htm
(I.e. build a Linux machine to be a network layer 2 bridge to your honeypot, then put snort on it and have it send alerts out a third interface.)

D) Physically tap the Cat5 cable going into the honeypot and split it to an interface on the snort system.

E) Some switches have low level settings to duplicate traffic port or otherwise allow for monitoring.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/rel6_2/config/span.htm
(This is just choice "D" in firmware.)

-MpH

--------
Mark P. Hahn, CISSP
MHahn () TCBTech com
Chief Technical Officer
609 716 9320
TCB Technologies, Inc.
Princeton Junction, New Jersey, USA
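Options C and E from the reply above, as an added example that is not part of the original thread or of any Honeynet Project code: a POSIX shell script that generates the Linux commands for a Gen-II style layer 2 bridge in front of the honeypot, with Snort listening on the bridge device and alerts leaving over a separate management interface, plus the switch-side port-mirror configuration for comparison. Interface names, the management address, the Snort configuration path and the Cisco IOS `monitor session` syntax are assumptions; modern iproute2 (`ip link ... type bridge`) is used where a 2003-era host would have used `brctl`.

```shell
#!/bin/sh
# Added example (not from the original thread): a transparent layer 2 bridge
# between the switch and the honeypot, with Snort on the bridge and a third
# interface for alerts. Interface names, paths and addresses are assumptions.

UPLINK="${UPLINK:-eth0}"     # faces the switch / production network
HONEY="${HONEY:-eth1}"       # faces the honeypot
MGMT="${MGMT:-eth2}"         # alert/management interface, the only one with an IP
BRIDGE="${BRIDGE:-br0}"
MGMT_ADDR="${MGMT_ADDR:-192.0.2.10/24}"          # placeholder, documentation range
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}" # assumed path

# Emit the iproute2 commands that build the bridge. The bridged ports carry no
# IP address and run promiscuous, so the sensor has no layer 3 presence on the
# honeypot segment and every frame between switch and honeypot crosses it.
bridge_commands() {
  cat <<EOF
ip link add name $BRIDGE type bridge
ip link set dev $UPLINK master $BRIDGE
ip link set dev $HONEY master $BRIDGE
ip addr flush dev $UPLINK
ip addr flush dev $HONEY
ip link set dev $UPLINK promisc on up
ip link set dev $HONEY promisc on up
ip link set dev $BRIDGE up
ip addr add $MGMT_ADDR dev $MGMT
ip link set dev $MGMT up
EOF
}

# Snort listens on the bridge device itself, so it sees both directions of
# honeypot traffic. Fast-format alerts land in the log directory; shipping
# them out over $MGMT (syslog, scp, ...) is left to the operator.
snort_command() {
  printf 'snort -i %s -c %s -A fast -l /var/log/snort -D\n' "$BRIDGE" "$SNORT_CONF"
}

# Option E for comparison: mirror the honeypot's switch port to the port the
# Snort box is plugged into. Cisco IOS syntax is assumed; ports are placeholders.
span_config() {
  honey_port="${1:-GigabitEthernet1/1}"
  sensor_port="${2:-GigabitEthernet1/2}"
  cat <<EOF
monitor session 1 source interface $honey_port both
monitor session 1 destination interface $sensor_port
EOF
}

# Sanity check on the generated bridge: exactly two ports must be enslaved,
# otherwise traffic would not be forwarded through the sensor at all.
bridge_port_count() {
  bridge_commands | grep -c "master $BRIDGE"
}

# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them as root.
main() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    bridge_commands
    snort_command
    span_config
  else
    bridge_commands | sh -e
    eval "$(snort_command)"
  fi
}

main "$@"
```

Run it once with the default dry run to review the generated commands, then with `DRY_RUN=0` on the bridge host. Because the bridge ports have no address, the sensor cannot be reached from the honeypot segment, which is the point of putting Snort on a bridge rather than on the honeypot itself; the management interface is the only way in or out, so restrict it to the monitoring network.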