Honeypots mailing list archives
Re: Honeypot and AntiVirus
From: J Bailes <jbailes () parasys com>
Date: 18 Dec 2003 17:08:47 -0000
In-Reply-To: <3FE0CFE9.2030500 () gawab com>

Thanks for the reply. I have tried logging in the guest OS/honeypot but IRIS wouldn't function properly. When I tried to decode the captured packets, IRIS would freeze up, so to speak. The AV is cleaning the logs when I try to view a decoded packet in IRIS; e.g. 192.168.1.101 <1433> - when I tried to view the data the AV cleaned it before IRIS had a chance to display it. I don't believe the actual binary ever made it to the honeypot as that port was protected.

As far as separating my systems for logging and analysis is concerned, that day is coming shortly. I had to give up my Top Secret Computer Lab with 4 machines (a.k.a. bedroom #3) to make room for twins. I am currently limited to one PC in another room. Another person mentioned that it would probably be OK to disable the real-time scanning feature of the AV to avoid having my packet logs cleaned when I accessed them.

Thanks again!
J.

**************************************************************************

Hi J,

Comments inline......

J Bailes wrote:
> 1) Can I set my AV to prevent this without risking compromise to my host OS where
> the analysis will be performed?

If I have understood the question..... your AV cleans the logs when you access the binary files (I am assuming). Then I guess the simplest solution to this would be to store the binary file in a directory and then configure the AV to exempt that directory from scans. Or else you could dynamically log to a different system or to the native OS of VMware..... I don't know if I did answer your question.

> 2) Can an analysis be performed with mitigated risk of compromise to the machine
> running the analysis?

It works best when the analysis and logging systems are physically different machines. You can easily get rid of these small teething problems...... Hope I got it right?? Write back.

-dev
Current thread:
- Honeypot and AntiVirus J Bailes (Dec 17)
- Re: Honeypot and AntiVirus Devilscrow Sr (Dec 17)
- <Possible follow-ups>
- Re: Honeypot and AntiVirus J Bailes (Dec 18)
- Re: Honeypot and AntiVirus Devilscrow Sr (Dec 19)
- Re: [mailinglists] Re: Honeypot and AntiVirus KeyFocus (Dec 19)
- Re: [mailinglists] Re: Honeypot and AntiVirus sejhre (Dec 19)