Honeypots mailing list archives
Re: Some questions about my first honeypot
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Fri, 09 Apr 2004 13:45:50 +0200
On Thu 08 Apr 2004 17:34:21 CEST x0x () ukshells co uk wrote:
2. Logging. Obviously I'm looking to gather as much information to learn from as possible, but not being familiar with hidden keyloggers etc. I don't have anything running directly on the honeypot to log sessions and instead just have a snort rule on the slack box to log everything which originates from eth2 (the honeypot network). What I'm a little concerned about though is that if the attacker enters the box through SSH the session will be encrypted and I won't be able to gain any information from the conversation. Is there anything I could look into to get around this?
Take a look at Sebek: http://honeynet.org/tools/sebek/
3. As it's only been 1 day since I've had it live, activity has been pretty minimal. However, should an intruder break in and start using the box as a base to scan from I could be in big trouble with my ISP. Is there any way I can limit connections outbound from the honeypot so that it's not obvious to the intruder something is wrong, but protects me from unknowingly participating in some DoS attack?
You can use iptables' "limit" option in order to shape traffic. Another option is snort_inline (http://snort-inline.sf.net/), an intrusion prevention system.

HTH,
Thorsten
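The iptables "limit" approach Thorsten points to, written out as an added example that is not part of the original thread. It assumes the Slackware box is the gateway that forwards the honeypot network on eth2, and that 5 new outbound connections per minute with a burst of 10 is the starting budget; both are assumptions to tune for your own setup.

```shell
#!/bin/sh
# Added example (not from the original thread): outbound data control for a
# honeypot network using the iptables "limit" match. Interface, rate and burst
# are assumptions passed in as arguments.

# Print the FORWARD-chain rules for a gateway that routes the honeypot
# network ($1) to the internet. Rate ($2) and burst ($3) use the syntax of
# the limit match, e.g. "5/minute" and "10".
honeypot_outbound_rules() {
    iface="$1"; rate="$2"; burst="$3"
    cat <<EOF
# Replies belonging to connections the outside world opened are always allowed,
# otherwise the honeypot looks dead to the attacker.
iptables -A FORWARD -o $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections leaving the honeypot: admit a trickle so nothing looks
# obviously wrong, but never enough to take part in a scan or flood.
iptables -A FORWARD -i $iface -m state --state NEW -m limit --limit $rate --limit-burst $burst -j ACCEPT
# Everything above the budget is logged (itself rate-limited) and dropped.
iptables -A FORWARD -i $iface -m state --state NEW -m limit --limit 1/minute -j LOG --log-prefix "HONEYPOT-OUTBOUND-EXCESS: "
iptables -A FORWARD -i $iface -m state --state NEW -j DROP
EOF
}

# Sanity check used before loading the rules: number of ACCEPT rules emitted
# (two for established traffic, one rate-limited for new outbound connections).
count_accept_rules() {
    honeypot_outbound_rules "$@" | grep -c -- '-j ACCEPT'
}

# Show the generated rule set; on the gateway, pipe the non-comment lines
# through "sh -e" as root to load them.
honeypot_outbound_rules eth2 5/minute 10
```

Pair this with the snort rule on eth2 that is already logging: the LOG prefix above makes the dropped attempts easy to correlate with the captured sessions.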