Honeypots mailing list archives

Brcontrol: New tool for implementing aggressive Honeypot techniques


From: "Elcesar" <elcesar () elcesar net>
Date: Tue, 13 Jan 2004 20:33:47 +0100


The "GenII Honeynets" proposed by the Honeynet Project show us what
they call the "HoneyWall Gateway", a bridge that logs the activity going to
the honeypots, with some filtering capabilities in order to drop, for
example, unwanted traffic originating from those machines.

In most cases, the ideal gateway would be a device capable of
differentiating legitimate users, allowing them to access the production
machines, from malicious ones, redirecting them to a honeynet. Let's
call it BrControl, the Security Controller.

Of course this must be achieved in a completely transparent way, so
potential attackers don't notice when they are redirected.

We know how to implement a GenII Honeynet with snort-inline and
iptables in bridge mode. What we want for BrControl can be done with
these tools if we can set up some communication between them.

Instead of dropping or rejecting the packet in userspace (which can
easily be done by the firewall), we want the IDS to differentiate the
malicious traffic for us, setting some kind of mark that we can use
in an iptables rule to send the traffic to production or to the honeynet.

The Linux kernel has this kind of mark, but we need to patch it to
allow setting it from userspace.

So we can now define a new kind of rule: a "mark" target in the snort
configuration files will tell which traffic should be sent to the
honeynet. This requires some modifications to the ip_queue library and
header, and of course to the snort-inline source.

At this point, a packet received by BrControl matches the standard
QUEUE target in the input chain of the firewall and gets matched
against the snort rules with the brand new "mark" target.

Those marked packets can then be the target of another iptables rule in
the POSTROUTING chain, in order to drop, reject, log, tarpit, or whatever:
all the logic can be defined in the firewall, giving us full control
of the process.


We'll try to write a more complete document in the next few days, as
well as a sample firewall script. You can already download the kernel,
iptables and snort_inline patches at http://sourceforge.net/projects/brcontrol/


Of course there are a lot of things that can be done with this idea.
It's now in an early stage of development, but it works. Comments,
feedback and more ideas are welcome.



                                                Cesar  Tascon Alvarez
                                                Javier Espasa Arbeteta
                                                Aritz  Aldabe Iza
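The firewall side of the design described in the post, as an added example: this is not the sample script the authors promise, nor any code from the BrControl project. It assumes a bridge interface `br0` with the bridge-netfilter hooks enabled, a production host `192.0.2.10`, a honeypot `192.0.2.200` reachable from the bridge, mark value `0x1` as the value the patched snort_inline "mark" target sets, and a BrControl-patched kernel where a packet that snort_inline does not explicitly mark keeps whatever mark it already carried. The chain placement (mangle PREROUTING rather than the INPUT/POSTROUTING chains mentioned in the post) and the use of CONNMARK are my design choices, not the project's.

```shell
#!/bin/sh
# Added example (not BrControl's own code): sample firewall script that hands
# traffic for the production host to snort_inline via QUEUE and diverts the
# packets it marked to a honeypot. Interfaces, addresses, the mark value and
# the chain layout are assumptions, see the comments below.
#
# Run with no arguments to print the rules; run as root with APPLY=1 to
# execute them.

IPT="${IPT:-iptables}"
BR_IF="${BR_IF:-br0}"            # transparent bridge the gateway sits on (assumed)
PROD="${PROD:-192.0.2.10}"       # production server behind the bridge (assumed)
HONEY="${HONEY:-192.0.2.200}"    # honeypot that attackers are steered to (assumed)
HONEY_MARK="${HONEY_MARK:-0x1}"  # value the snort "mark" target sets (assumed)

# brcontrol_rules prints one iptables command per line, in the order they
# must be applied. Comment lines are valid shell and pass through unchanged.
brcontrol_rules() {
    cat <<EOF
$IPT -t mangle -F PREROUTING
$IPT -t nat -F PREROUTING
$IPT -F FORWARD
# 1. Put the per-connection mark back on the packet first, so every packet of
#    a flow that was already diverted keeps its mark (transparency: the
#    attacker's session must not flip between hosts mid-connection).
$IPT -t mangle -A PREROUTING -i $BR_IF -j CONNMARK --restore-mark
# 2. Everything addressed to production goes to snort_inline through ip_queue;
#    the patched snort "mark" target sets $HONEY_MARK on packets its rules flag.
$IPT -t mangle -A PREROUTING -i $BR_IF -d $PROD -j QUEUE
# 3. Remember the verdict on the connection for the rest of the flow.
$IPT -t mangle -A PREROUTING -i $BR_IF -m mark --mark $HONEY_MARK -j CONNMARK --save-mark
# 4. The mark must exist before the nat decision: mangle PREROUTING runs
#    before nat PREROUTING, so the DNAT rule can see it. Unmarked traffic
#    falls through untouched and reaches production.
$IPT -t nat -A PREROUTING -i $BR_IF -d $PROD -m mark --mark $HONEY_MARK -j DNAT --to-destination $HONEY
# 5. Log what was diverted; the decision itself is already made above.
$IPT -A FORWARD -m mark --mark $HONEY_MARK -j LOG --log-prefix "brcontrol-honey: "
$IPT -A FORWARD -j ACCEPT
EOF
}

# Preview by default; apply only when explicitly asked (needs root and a
# kernel carrying the BrControl ip_queue mark patch).
if [ "${APPLY:-0}" = 1 ]; then
    brcontrol_rules | sh -e
else
    brcontrol_rules
fi
```

Two points worth checking on a real deployment. First, the post places the QUEUE target in the INPUT chain and the mark match in POSTROUTING; if the diversion is to be done with DNAT, the mark has to be on the packet before the nat PREROUTING decision, which is why this script queues in mangle PREROUTING. Second, the verdict snort_inline gives is per packet, while redirection must be per connection, so the CONNMARK save/restore pair makes the first marked packet's verdict stick to the whole flow; whether that is needed depends on how the BrControl kernel patch treats packets snort_inline returns without setting a mark, which this script only assumes.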

