Honeypots mailing list archives
Re: Unwanted traffic in honeynet
From: Diego Gonzalez Gomez <diego () dgonzalez net>
Date: Tue, 19 Apr 2005 14:01:58 +0200
Hi,

Martin Kristensen wrote:
| Hello everyone
| I thought the public_ip value set in the firewall scripts would stop traffic
| that wasn't meant for the honeynet.

The PUBLIC_IP variable is used in the rc.firewall script mainly:
- to determine how to configure incoming connections depending on the mode used (Bridge or NAT).
- to decide which IP is authorized to make DNS requests.
- to limit the rate of OUTBOUND connections (a critical feature).

| Our honeypots have public IPs like xxx.xx.124.14 and xxx.xx.124.15 with a
| broadcast address of xxx.xx.125.255.
| The 124 and 125 net are the same so that the prefix would be xxx.xx.125/24

If the range of IP addresses of your network is (x.x.124.0 - x.x.125.255), shouldn't the prefix be x.x.124.0/23?

| But we're getting unwanted traffic in our snort logs. Traffic that was meant
| for other computers on the same LAN, like xxx.xx.124.89
| Have we configured something wrong in the scripts? Anyone experienced the
| same?

If you just want to record Snort alerts only for your honeypots, you can:
- configure the Snort HOME_NET variable with their IP addresses, i.e. [xxx.xx.124.14,xxx.xx.124.15]
- modify the set of "Inbound TCP/UDP/ICMP" iptables rules in the rc.firewall script to accept traffic only destined for your honeypots. Be careful if you choose this option, and be sure that the new rules are correctly applied using iptables. ;)

Regards,
Diego
http://www.dgonzalez.net
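The two mistakes the reply points at (a /24 that does not contain the honeypots, and a Snort HOME_NET / inbound rule set wider than the honeypots) can be checked mechanically. The script below is an added example and is not code from the thread or from the Honeynet Project's rc.firewall: it computes the smallest prefix covering the LAN from its lowest address and broadcast, reports which honeypots a given prefix misses, emits the HOME_NET line and a simplified inbound rule set, and walks those rules with first-match semantics to show that a neighbour such as .124.89 is dropped. The 10.0.124.0/23 addresses are constructed stand-ins for the masked xxx.xx.124/125 ranges in the thread, and the rules omit the interface and connection-state matches the real rc.firewall also applies.

```python
"""Check a honeynet's address configuration and generate the two restrictions
the reply recommends. Added example; not from the thread or rc.firewall."""
import ipaddress

# Constructed stand-ins for the poster's masked addresses (assumption).
HONEYPOTS = ["10.0.124.14", "10.0.124.15"]
LAN_LOWEST = "10.0.124.0"       # lowest address of the LAN
LAN_BROADCAST = "10.0.125.255"  # broadcast address quoted in the thread
WRONG_PREFIX = "10.0.125.0/24"  # what the poster configured
OTHER_LAN_HOST = "10.0.124.89"  # neighbour whose traffic showed up in Snort


def lan_prefix(lowest: str, broadcast: str) -> str:
    """Smallest single CIDR block covering lowest..broadcast (a /23 here)."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lowest), ipaddress.ip_address(broadcast)))
    if len(nets) != 1:
        raise ValueError(f"range is not a single CIDR block: {nets}")
    return str(nets[0])


def hosts_outside(prefix: str, hosts) -> list:
    """Honeypot addresses that the given prefix fails to cover."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [h for h in hosts if ipaddress.ip_address(h) not in net]


def snort_home_net(hosts) -> str:
    """Snort 2.x variable syntax: bracketed, comma-separated list."""
    return "var HOME_NET [" + ",".join(hosts) + "]"


def inbound_rules(hosts, chain: str = "FORWARD") -> list:
    """iptables commands accepting inbound TCP/UDP/ICMP only when the
    destination is a honeypot, then dropping everything else. Returned as
    strings so the set can be reviewed before it is applied (simplified:
    no -i/-o interface or conntrack state matches)."""
    rules = []
    for h in hosts:
        for proto in ("tcp", "udp", "icmp"):
            rules.append(f"iptables -A {chain} -p {proto} -d {h} -j ACCEPT")
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


def accepted(rules, dst: str, proto: str = "tcp") -> bool:
    """Evaluate the generated rules the way iptables does: first match wins."""
    for rule in rules:
        parts = rule.split()
        if "-d" in parts:
            if (parts[parts.index("-p") + 1] == proto
                    and parts[parts.index("-d") + 1] == dst):
                return parts[-1] == "ACCEPT"
            continue
        return parts[-1] == "ACCEPT"   # catch-all rule with no -d
    return False                       # no rule matched; chain policy unknown


if __name__ == "__main__":
    print("LAN prefix:", lan_prefix(LAN_LOWEST, LAN_BROADCAST))
    print("honeypots missed by", WRONG_PREFIX, ":",
          hosts_outside(WRONG_PREFIX, HONEYPOTS))
    print(snort_home_net(HONEYPOTS))
    rules = inbound_rules(HONEYPOTS)
    print("\n".join(rules))
    for dst in HONEYPOTS + [OTHER_LAN_HOST]:
        print(dst, "->", "ACCEPT" if accepted(rules, dst) else "DROP")
```

Run it with no arguments to see the prefix, the HOME_NET line, the rule set and the verdict for each destination. Before applying anything like the generated rules on a real Honeywall, apply them on a copy of rc.firewall and confirm them with `iptables -L -n -v`, as the reply advises, since a wrong rule on the FORWARD chain cuts off the honeypots entirely rather than just trimming the Snort logs.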
Current thread:
- Unwanted traffic in honeynet Martin Kristensen (Apr 19)
- Re: Unwanted traffic in honeynet Diego Gonzalez Gomez (Apr 19)