Honeypots mailing list archives

Re: Unwanted traffic in honeynet


From: Diego Gonzalez Gomez <diego () dgonzalez net>
Date: Tue, 19 Apr 2005 14:01:58 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Martin Kristensen wrote:
| Hello everyone
| I thought the public_ip value set in the firewall scripts would stop traffic
| that wasn't meant for the honeynet.

The HwPUBLIC_IP is used in the rc.firewall script mainly:
- to determine how to configure incoming connections depending on the
mode used (Bridge or NAT).
- to decide which IP is authorized to make DNS requests.
- to limit the rate of OUTBOUND connections (a critical feature).

| Our honeypots have public IPs like xxx.xx.124.14 and xxx.xx.124.15 with a
| broadcast address of xxx.xx.125.255.
| The 124 and 125 nets are the same, so the prefix would be xxx.xx.125/24

If the range of IP addresses of your network is x.x.124.0 - x.x.125.255,
shouldn't the prefix be x.x.124.0/23?

| But we're getting unwanted traffic in our snort logs. Traffic that was meant
| for other computers on the same LAN, like xxx.xx.124.89
| Have we configured something wrong in the scripts? Anyone experienced the
| same?

If you just want to record Snort alerts only for your honeypots, you can:
- configure the Snort HOME_NET variable with their IP addresses, i.e.
[xxx.xx.124.14,xxx.xx.124.15]
- modify the set of "Inbound TCP/UDP/ICMP" iptables rules in the
rc.firewall script to accept traffic only destined for your honeypots.
Be careful if you choose this option, and be sure that the new rules are
correctly applied using iptables. ;)


Regards,
Diego
http://www.dgonzalez.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCZPM2tNKxgBkNOF4RAiS5AJ0QKEuk1giUsaYwoKpQO+Dtuc/1tgCdE83v
DZyI09/PY8EHsBmgRHRhk08=
=2jpK
-----END PGP SIGNATURE-----
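The two points made in the reply above (the honeynet range x.x.124.0 - x.x.125.255 is a /23, and the inbound iptables rules can be narrowed to the honeypot addresses) as an added, runnable example. This is not code from the thread or from the Honeynet Project's rc.firewall; the Hw* variable names, the HwHONEYPOT_ONLY chain name, and the 192.0.2.x (TEST-NET-1) addresses standing in for xxx.xx.124.x are all constructed for this example. Setting IPT="echo iptables" dry-runs the script without root and prints the rules it would add.

```shell
#!/bin/sh
# Added example, not the Honeynet Project's rc.firewall.
# (1) in_net: check whether an address lies inside the honeynet prefix.
# (2) build_inbound_rules: a dedicated iptables chain that lets traffic
#     to or from a honeypot continue to the existing rc.firewall rules and
#     DROPs everything else (the neighbours' traffic on the same LAN).
# All Hw* names and addresses below are assumptions for this example.

HwHONEYPOT_IP_LIST="192.0.2.14 192.0.2.15"   # constructed stand-ins for xxx.xx.124.14/.15
HwLAN_NET="192.0.2.0/23"                      # x.x.124.0 - x.x.125.255 is a /23, not a /24
IPT="${IPT:-iptables}"                        # IPT="echo iptables" for a dry run

# Dotted quad -> 32-bit integer. Runs in a subshell so IFS is not changed
# for the rest of the script (a changed IFS would break the for-loops below).
ip2int() {
    (
        IFS=.
        set -- $1
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

# in_net IP NET/PREFIX : exit 0 when IP lies inside NET/PREFIX.
in_net() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Build a chain that only decides "is this for one of our honeypots?".
# RETURN hands honeypot traffic back to the existing rc.firewall rules
# (so outbound rate limiting is untouched); anything else is dropped.
build_inbound_rules() {
    $IPT -N HwHONEYPOT_ONLY 2>/dev/null || true   # chain may already exist
    $IPT -F HwHONEYPOT_ONLY
    for ip in $HwHONEYPOT_IP_LIST; do
        $IPT -A HwHONEYPOT_ONLY -d "$ip" -j RETURN
        $IPT -A HwHONEYPOT_ONLY -s "$ip" -j RETURN
    done
    $IPT -A HwHONEYPOT_ONLY -j DROP
}

# Put the chain in front of everything the bridge forwards.
hook_inbound_chain() {
    $IPT -I FORWARD -j HwHONEYPOT_ONLY
}

# BPF expression for the sniffer itself, e.g.
#   snort -c snort.conf -i eth0 "$(snort_bpf_filter)"
snort_bpf_filter() {
    filter=""
    for ip in $HwHONEYPOT_IP_LIST; do
        filter="${filter:+$filter or }dst host $ip"
    done
    echo "$filter"
}

# Usage (as root):  sh honeynet_inbound.sh apply
# Dry run:          IPT="echo iptables" sh honeynet_inbound.sh apply
if [ "${1:-}" = "apply" ]; then
    build_inbound_rules
    hook_inbound_chain
    $IPT -L HwHONEYPOT_ONLY -n -v    # verify the rules really landed
fi
```

Two practical notes. First, the chain above only limits what the bridge forwards: a Snort instance sniffing the external interface captures frames before netfilter drops them, so for the alert logs it is the HOME_NET setting (or a BPF filter such as the one snort_bpf_filter builds) that removes the neighbours' traffic, not the iptables change. Second, in_net is there because the thread's range spans two /24s; a /24 prefix on a /23 network silently excludes half the addresses, which the check makes visible (192.0.3.1 is inside 192.0.2.0/23 but outside 192.0.2.0/24).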

