Security Incidents mailing list archives

Re: [ANNOUNCE] protocol watcher


From: Andrew Simmons <andrews () mis-cds com>
Date: Tue, 27 May 2003 13:04:13 +0100

Jerry Shenk wrote:


Is it possible to get LaBrea to use unused ports on a single IP address?  I
think it just does entire unused IP addresses.


This reminds me of an interesting article on setting up a cheap and cheerful honeypot using a couple of simple shell scripts and netcat which may or may not be of use to the original poster...?


http://www.securityhorizon.com/whitepapers/technical/honeypot.html


In a nutshell, the scripts start netcat processes listening on various significant ports. An elegant solution showing the power of netcat... I'm sure I saw a more detailed article along the same lines on another site, but of course I can't locate the URL now.

Netcat will only log TCP or UDP connections. For ICMP and other more unusual IP protocols you'll need a full-blown firewall.

cheers,


\a



-----Original Message-----
From: Anders Reed Mohn [mailto:anders_rm () utepils com]
Sent: Friday, May 23, 2003 5:06 AM
To: incidents () securityfocus com; Justin Pryzby
Subject: Re: [ANNOUNCE] protocol watcher



----- Original Message -----
From: "Justin Pryzby" <justinpryzby () users sourceforge net>
To: <incidents () securityfocus com>
Sent: Wednesday, May 21, 2003 11:00 PM
Subject: [ANNOUNCE] protocol watcher



I emailed the list previously asking if anyone knew of a way to
automatically accept and log all connections to a computer.  My thanks
to all that replied; unfortunately, I was unable to find exactly what I
wanted.  Since then, it occurred to me that this piece of software would
not be hard to write, so, three attempts later, it is written.


Would this be anything similar to Tom Liston's excellent LaBrea?
http://labrea.sourceforge.net/labrea-info.html

Cheers,
Anders :)







----------------------------------------------------------------------------
----------------------------------------------------------------------------
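
The approach described in the message above (one listener per port of interest, logging whatever connects), written here as an added Python example; it is not code from the thread, from the linked article or from the announced tool. The function names `open_listeners` and `poll_once`, the loopback bind address and the port numbers are assumptions, and like netcat it only sees TCP and UDP.

```python
import selectors, socket, time

def open_listeners(ports, host="127.0.0.1"):
    """Bind one TCP and one UDP socket per port and register them for polling."""
    sel = selectors.DefaultSelector()
    for port in ports:
        tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        tcp.bind((host, port))
        tcp.listen(16)
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind((host, tcp.getsockname()[1]))  # same number, also when port == 0
        for sock, proto in ((tcp, "tcp"), (udp, "udp")):
            sock.setblocking(False)
            sel.register(sock, selectors.EVENT_READ, proto)
    return sel

def poll_once(sel, timeout=1.0, max_bytes=256):
    """Accept/receive on every ready socket and return one log record per contact."""
    records = []
    for key, _ in sel.select(timeout):
        sock, proto = key.fileobj, key.data
        data = b""
        if proto == "tcp":
            try:
                conn, peer = sock.accept()
            except OSError:  # client vanished between select() and accept()
                continue
            conn.settimeout(0.5)  # a client that sends nothing must not stall the loop
            try:
                data = conn.recv(max_bytes)
            except OSError:  # timeout or reset: still log the connection itself
                pass
            finally:
                conn.close()
        else:
            data, peer = sock.recvfrom(max_bytes)
        records.append({
            "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "proto": proto, "local_port": sock.getsockname()[1],
            "src": peer[0], "src_port": peer[1],
            "first_bytes": data.hex(),  # hex so binary probes cannot corrupt the log
        })
    return records

if __name__ == "__main__":
    sel = open_listeners([2323, 8081])  # constructed example ports (unprivileged)
    while True:
        for rec in poll_once(sel):
            print(rec)
```

Connections are handled one at a time, so a silent TCP client delays the next record by up to the 0.5 second receive timeout.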

