PaulDotCom mailing list archives

Re: portable honeyport tool waiting for a name

From: John Strand <strandjs () gmail com>
Date: Tue, 18 Oct 2011 05:37:19 -0600

Also, keep in mind there is a difference between Low Interaction Honeypots
and High Interaction Honeypots.

If you are going to go with Honeypots as part of your security posture, go
with something that is limited and easy to deploy.

If you are researching how attacks work go with High Interaction
Honeypots....  Or go to your uncles house and remove the malware that got
their due to his massive porn habit.  Whichever works for you.

On Mon, Oct 17, 2011 at 6:10 AM, Ron Gula <rgula () tenable com> wrote:

I enjoy using Honeypots, but over the years have seen a lot of
organizations get burnt by running honeypots that made their network less
secure.

One approach I really like is to use a technology such as what you have
written, or reuse another more common technology such as netcat or apache
and use NAT firewall rules to create many interactive honeypots across your
network that are all sent to one spot. This makes it easier to secure and
monitor.

Ron Gula


-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:
pauldotcom-bounces () mail pauldotcom com] On Behalf Of Chris Benedict
Sent: Sunday, October 16, 2011 12:19 PM
To: pauldotcom () mail pauldotcom com
Subject: [Pauldotcom] portable honeyport tool waiting for a name

After listening to the pdc guys talk about "honeyports" on the pdc podcast
I decided to run with the idea a bit further.  I'm not sure if this has been
done yet or not, but I've written a program in Ruby to implement honeyports
with some extra features thrown into the mix.  For info on honeyports check
out john strand's tech segments on episodes 203 and 204 of the pdc podcast.

You can use a raw tcp listener (netcat-style) to trigger blacklisting or
you can write modules to emulate a ftp server or web server or whatever that
can, for instance, give a banner and version info but blacklist on attempted
logins.  When a host trips one of the alarms it broadcasts a signed udp
alert to all the other hosts on the lan so they can act on it also.  Alerts
can be handled by different modules too, so far I have only written a
commandline module that simply executes a command with an ip address as an
argument that you can use to insert an ip into a blacklist table in pf for
instance.  Something like a syslog or mysql module wouldn't be too difficult
to write.

As far as making it secure goes, it has some more work to be done.
 Broadcasted alerts are cryptographically signed and verified but I need to
implement some stuff to prevent replay attacks and I need to add in
whitelisting and thresholding to make it more difficult to use as a weapon
against the user's own network.

So, I've tried to make the code all very modular so its functionality can
be tweaked or extended pretty well (the sky should be the limit).  The
end-goal is to come up with some code that you can drop onto every box on a
lan that can run a ruby interpreter (jruby for instance).  It would make the
entire network go dark once an attacker starts grabbing banners or
connecting to ports.

This is going to be my first project to be released and it doesn't have a
name yet.  So, if anyone has any ideas for a name send them my way.  Once I
have it named I will put it in a public repo on github with a BSD license
for anyone to get to and contribute.

-Chris Benedict

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




-- 
John Strand
Office: (605) 550-0742
Cell: (303) 710-1171

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

portable honeyport tool waiting for a name Chris Benedict (Oct 16)
- Re: portable honeyport tool waiting for a name Ron Gula (Oct 18)
  - Re: portable honeyport tool waiting for a name John Strand (Oct 18)
- Re: portable honeyport tool waiting for a name Lester Nichols (Oct 18)
- Re: portable honeyport tool waiting for a name Larry Pesce (Oct 21)
  - Re: portable honeyport tool waiting for a name Christopher Croad (Oct 21)
  - Re: portable honeyport tool waiting for a name Jim Halfpenny (Oct 21)
  - Re: portable honeyport tool waiting for a name Ron Gula (Oct 21)
    - Re: portable honeyport tool waiting for a name Jim Halfpenny (Oct 21)
    - Re: portable honeyport tool waiting for a name Tim Krabec (Oct 21)
    - Re: portable honeyport tool waiting for a name John Strand (Oct 21)
    - Re: portable honeyport tool waiting for a name Ty Purcell (Oct 21)
    - Re: portable honeyport tool waiting for a name Jim Halfpenny (Oct 21)

(Thread continues...)