Re: Some questions about my first honeypot

[Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>]

On Do 08 Apr 2004 17:34:21 CEST x0x () ukshells co uk wrote:

> 2. Logging. Obviously im looking to gather as much information to
> learn from as possible but not being familiar with hidden keyloggers,
> etc all I dont have anything running directly on the honeypot to log
> sessions and instead just have a snort rule on the slack box to log
> everything which originates from eth2 (the honeypot network). What im
> a little concerned about though is that if the attack enters the box
> through SSH the session will be encrypted and i wont be able to gain
> any information from the conversation. Is there anything I could look
> into do get around this ?

Take a look at Sebek: http://honeynet.org/tools/sebek/

> 3. As its only been 1 day since ive had it live, activity has been
> pretty minimal however should an intruder break in and start using the
> box as a base to scan from I could be in big trouble with my ISP, is
> there anyway I can limit connections outbound from the honeypot so
> thats its not obvious to the intruder something is wrong, but protects
> me from unknowingly participating in some DoS attack?

You can use iptables' "limit" option in order to shape traffic. 
Another option is snort_inline (http://snort-inline.sf.net/), an
intrusion prevention system.

HTH,
  Thorsten

Attachment: _bin
Description: