Honeypots mailing list archives

Re: honeypot


From: Mark Hahn <MHahn () TCBTech com>
Date: Thu, 14 Aug 2003 09:35:58 -0400

At 01:16 AM 8/14/2003, thetic_1900 () hotmail com wrote:
I would like to know: can I set up my honeypot on a production network where I
have a switch?

Since a switch controls broadcast, and say I have my honeypot set up and I
have a snort set up as well,
how can I make sure all traffic is destined to touch the snort system in
addition to the honeypot?

Good question, several answers.

A) Run snort on the honeypot. I presume that since you say "snort system"
you are envisioning running snort on a separate server and don't
want to do this.

B) Use Sebek2 to forward all incoming traffic on your honeypot
to your snort system, but you will need a Sebek sniffer on the snort
machine, and may not get real-time IDS without effort.

C) Adapt a Gen-II architecture to do what you want:
        http://project.honeynet.org/papers/gen2/
        http://www.cse.sc.edu/~siripurh/content2.htm
(I.e. build a Linux machine to be a network layer 2 bridge to
your honeypot, then put snort on it and have it send alerts
out a third interface.)

D) Physically tap the Cat5 cable going into the honeypot and split
it to an interface on the snort system.

E) Some switches have low level settings to duplicate
traffic port or otherwise allow for monitoring.
        http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/rel6_2/config/span.htm
(This is just choice "D" in firmware.)

-MpH

  --------
Mark P. Hahn, CISSP                 MHahn () TCBTech com
Chief Technical Officer             609 716 9320
TCB Technologies, Inc.              Princeton Junction, New Jersey, USA
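Option C above written out as a script: this is an added example, not part of the original reply or of the Honeynet Project's own tools. It assumes eth0 faces the production switch, eth1 faces the honeypot, eth2 is a separate management interface that carries the alerts, uses iproute2 `ip link` rather than the brctl tool of the Gen-II paper, and the snort.conf path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or the Honeynet Project):
# an IP-less layer-2 bridge sensor in the spirit of option C above.
# Assumptions: eth0 faces the production switch, eth1 faces the honeypot,
# eth2 is a separate management interface that carries the alerts out;
# SNORT_CONF is a placeholder path. Uses iproute2 "ip link", not brctl.
#   sh bridge_sensor.sh -n          print the commands only (dry run)
#   sudo sh bridge_sensor.sh --apply
BR=br0; OUTSIDE=eth0; HONEYPOT=eth1
SNORT_CONF=/etc/snort/snort.conf
DRY_RUN="${DRY_RUN:-}"

# Run a command, or just print it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Refuse to bridge an interface that already has an IPv4 address: the
# members and br0 must stay address-less so the sensor has no layer-3
# presence on the honeypot segment (only the management NIC, eth2, does).
members_have_no_ip() {
    for dev in "$OUTSIDE" "$HONEYPOT"; do
        ip -4 addr show dev "$dev" 2>/dev/null | grep -q 'inet ' && return 1
    done
    return 0
}

# Enslave both NICs to br0 in promiscuous mode so every frame between the
# switch and the honeypot is forwarded through, and visible on, the bridge.
bridge_up() {
    run ip link add name "$BR" type bridge
    run ip link set "$OUTSIDE" master "$BR"
    run ip link set "$HONEYPOT" master "$BR"
    run ip link set "$OUTSIDE" promisc on
    run ip link set "$HONEYPOT" promisc on
    run ip link set "$OUTSIDE" up
    run ip link set "$HONEYPOT" up
    run ip link set "$BR" up
}

# Snort sniffs the bridge itself; -A fast writes one-line alerts to the log
# directory, which is read or shipped over eth2, never over the bridge.
snort_cmd() { echo "snort -i $BR -c $SNORT_CONF -A fast -l /var/log/snort -D"; }

case "${1:-}" in
    -n)      DRY_RUN=1; bridge_up; snort_cmd ;;
    --apply) members_have_no_ip || { echo "bridge member already has an IP address" >&2; exit 1; }
             bridge_up && eval "$(snort_cmd)" ;;
esac
```

Because br0 has no address, the honeypot still sees the switch's MAC addresses directly and nothing on the segment can address the sensor; alerts only leave via the management interface.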