PaulDotCom mailing list archives
Re: HoneyPorts (again)
From: Arch Angel <arch3angel () gmail com>
Date: Mon, 30 Jul 2012 23:45:58 -0400
I think the community has spoken, we all want to read it :-)

--
Thank you,
Robert Miller
http://www.armoredpackets.com
Twitter: @arch3angel

On 7/19/2012 12:38 PM, anthony kasza wrote:

> I've got a brief write-up about how I integrated John's and Paul's honeyport script into an Ubuntu-based OSSEC environment. It provides a way for all OSSEC agents to blacklist an IP that connects to a single honeyport on a single OSSEC agent. The write-up includes the modified honeyport script as well as custom OSSEC dissectors, rules, and configuration changes needed to set this up. If anyone is interested in reading it, let me know.
>
> -AK
>
> On Thu, Jul 12, 2012 at 1:36 PM, Chris Benedict <chrisbdaemon () gmail com> wrote:
>
>> My project is mostly working, https://github.com/chrisbdaemon/BearTrap. I had to remove some of the functionality, but as a neat honeyport tool it should work alright. It just hasn't really been used much yet.
>>
>> -Chris Benedict
>>
>> On Thu, Jul 12, 2012 at 8:50 AM, Doug Burks <doug.burks () gmail com> wrote:
>>
>>> Hi Anthony,
>>>
>>> If you're planning on using OSSEC anyway, could you just have OSSEC monitor IPTables for any DROPs? Example from http://securityonion.blogspot.com/2010/02/defense-in-depth-using-ossec-and-other.html:
>>>
>>> # Configure RHEL IPTables firewall to log any dropped packets to /var/log/messages to be monitored by OSSEC
>>> iptables -I RH-Firewall-1-INPUT 11 -j LOG --log-prefix="DROP "
>>>
>>> Thanks,
>>> Doug
>>>
>>> On Wed, Jul 11, 2012 at 6:32 PM, anthony kasza <anthony.kasza () gmail com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> On 10/16/11 12:18 PM, Chris Benedict wrote this list about a honeyport project. Does anyone know if the project took off? I'm attempting to integrate the command line scripts that John and Paul talked about at last year's DerbyCon (see slide 38) into OSSEC's active-response.
>>>>
>>>> -AK
>>>
>>> --
>>> Doug Burks
>>> http://securityonion.blogspot.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
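The thread above describes two feeds for the same OSSEC blacklisting idea: Anthony's honeyport script writing a log line that custom OSSEC decoders and rules turn into an active response on every agent, and Doug's alternative of letting OSSEC watch the iptables "DROP " LOG lines instead. The following is an added example written for this page; it is not the honeyport script, BearTrap, or OSSEC's own code. It runs a minimal honeyport on loopback, records each connection in one fixed line format, and shows the source-IP extraction an OSSEC decoder would do on both that line and an iptables DROP line. The honeyport line format, the regexes, the sample iptables line and the never-block networks are all assumptions; the never-block check is the caveat that matters when a single hit blacklists an address on all agents, since one management host or monitoring scanner touching a honeyport would otherwise be locked out everywhere.

```python
"""Added example (not from the thread, not OSSEC's or BearTrap's code): a minimal
honeyport listener that logs every connection in a fixed line format, plus the
source-IP extraction an OSSEC decoder would perform on that line and on an
iptables "DROP " LOG line, with a never-block list consulted before blacklisting."""
import ipaddress
import re
import socket
import threading
import time

# Constructed sample of the kernel log line the iptables LOG rule quoted in the
# thread (--log-prefix="DROP ") would produce; addresses are documentation ranges.
SAMPLE_IPTABLES_LINE = (
    "Jul 12 08:50:01 agent1 kernel: DROP IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=2222 "
    "WINDOW=29200 RES=0x00 SYN URGP=0"
)

# Assumed site policy: addresses that must never be blocked even if they touch a
# honeyport (loopback, management network). With a blacklist pushed to every
# agent after one hit, a mistake here locks you out of the whole estate.
NEVER_BLOCK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]

# Assumed honeyport line format and the iptables LOG format; these regexes stand
# in for the <regex> an OSSEC decoder would use to populate srcip and dstport.
HONEYPORT_RE = re.compile(r"honeyport: connection from (?P<srcip>\S+) to port (?P<dstport>\d+)")
IPTABLES_RE = re.compile(r"kernel: DROP .*?SRC=(?P<srcip>\S+) .*?DPT=(?P<dstport>\d+)")


def format_honeyport_line(peer_ip, port):
    """Line the honeyport writes; one fixed format so a single decoder matches it."""
    return "honeyport: connection from %s to port %d" % (peer_ip, port)


def extract_srcip(line):
    """Return (srcip, dstport) from a honeyport or iptables DROP line, else None."""
    for pattern in (HONEYPORT_RE, IPTABLES_RE):
        m = pattern.search(line)
        if m:
            return m.group("srcip"), int(m.group("dstport"))
    return None


def should_blacklist(srcip):
    """Block only syntactically valid addresses outside the never-block networks."""
    try:
        addr = ipaddress.ip_address(srcip)
    except ValueError:
        return False
    return not any(addr in net for net in NEVER_BLOCK)


class Honeyport:
    """Listen on a port that offers no service; every connection is closed and logged."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 = ephemeral, so the demo never collides
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the accept loop notice a stop request
        self.port = self.sock.getsockname()[1]
        self.lines = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (peer_ip, _) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            conn.close()  # no banner, no protocol: just record who knocked
            self.lines.append(format_honeyport_line(peer_ip, self.port))

    def wait_for_line(self, timeout):
        """Return the first logged line, waiting up to timeout seconds."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            if self.lines:
                return self.lines[0]
            time.sleep(0.01)
        return None

    def close(self):
        self._stop.set()
        self._thread.join(1.0)
        self.sock.close()


def run_demo():
    """Start a honeyport, connect to it once, and return the decoded (srcip, dstport)."""
    hp = Honeyport()
    try:
        with socket.create_connection(("127.0.0.1", hp.port), timeout=2):
            pass
        line = hp.wait_for_line(2.0)
    finally:
        hp.close()
    return extract_srcip(line) if line else None


if __name__ == "__main__":
    hit = run_demo()
    print("honeyport hit decoded as", hit, "blacklist:", should_blacklist(hit[0]))
    drop = extract_srcip(SAMPLE_IPTABLES_LINE)
    print("iptables drop decoded as", drop, "blacklist:", should_blacklist(drop[0]))
```

In a real deployment the honeyport line would go to syslog so the agent's log collector ships it to the OSSEC server; the regex work then lives in a decoder, the blacklist decision in a rule with an active-response command, and the never-block list in the white_list settings rather than in Python. The loopback hit in the demo is deliberately not blacklistable, which is the behaviour you want from whichever component holds that list.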
Current thread:
- HoneyPorts (again) anthony kasza (Jul 11)
- Re: HoneyPorts (again) John Strand (Jul 12)
- Re: HoneyPorts (again) Doug Burks (Jul 12)
- Re: HoneyPorts (again) anthony kasza (Jul 12)
- Re: HoneyPorts (again) Chris Benedict (Jul 12)
- Re: HoneyPorts (again) anthony kasza (Jul 19)
- Re: HoneyPorts (again) Bill Swearingen (Jul 19)
- Re: HoneyPorts (again) Xavier Mertens (Jul 19)
- Re: HoneyPorts (again) lonestarr13 (Jul 20)
- Re: HoneyPorts (again) John Strand (Jul 20)
- Re: HoneyPorts (again) Arch Angel (Jul 31)
- Re: HoneyPorts (again) anthony kasza (Jul 31)
- Re: HoneyPorts (again) Arch Angel (Jul 31)
- <Possible follow-ups>
- Re: HoneyPorts (again) Michael Johnson (Jul 20)