PaulDotCom mailing list archives
Re: HoneyPorts (again)
From: Bill Swearingen <hevnsnt () i-hacked com>
Date: Thu, 19 Jul 2012 23:42:02 -0500
I would like to read it -- thanks! -Bill On Thu, Jul 19, 2012 at 11:38 AM, anthony kasza <anthony.kasza () gmail com>wrote:
I've got a brief write up about how I integrated John's and Paul's honeyport script into an Ubuntu based OSSEC environment. It provides a way for all OSSEC agents to blacklist an IP that connects to a single honeyport on a single OSSEC agent. The write up includes the modified honeyport script as well as custom OSSEC dissectors, rules, and configuration changes needed to set this up. If anyone is interested in reading it, let me know. -AK On Thu, Jul 12, 2012 at 1:36 PM, Chris Benedict <chrisbdaemon () gmail com> wrote:My project is mostly working, https://github.com/chrisbdaemon/BearTrap. I had to remove some of the functionality, but as a neat honeyport toolitshould work alright. It just hasn't really been used much yet. -Chris Benedict On Thu, Jul 12, 2012 at 8:50 AM, Doug Burks <doug.burks () gmail com>wrote:Hi Anthony, If you're planning on using OSSEC anyway, could you just have OSSEC monitor IPTables for any DROPs? Example fromhttp://securityonion.blogspot.com/2010/02/defense-in-depth-using-ossec-and-other.html :# Configure RHEL IPTables firewall to log any dropped packets to /var/log/messages to be monitored by OSSEC iptables -I RH-Firewall-1-INPUT 11 -j LOG --log-prefix="DROP " Thanks, Doug On Wed, Jul 11, 2012 at 6:32 PM, anthony kasza <anthony.kasza () gmail comwrote:Hi All, On 10/16/11 12:18 PM, Chris Benedict wrote this list about a honeyport project. Does anyone know if the project took off? I'm attempting to integrate the command line scripts that John and Paul talked about at last year's DerbyCon (see slide 38) into OSSEC's active-response. -AK _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com-- Doug Burks http://securityonion.blogspot.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- HoneyPorts (again) anthony kasza (Jul 11)
- Re: HoneyPorts (again) John Strand (Jul 12)
- Re: HoneyPorts (again) Doug Burks (Jul 12)
- Re: HoneyPorts (again) anthony kasza (Jul 12)
- Re: HoneyPorts (again) Chris Benedict (Jul 12)
- Re: HoneyPorts (again) anthony kasza (Jul 19)
- Re: HoneyPorts (again) Bill Swearingen (Jul 19)
- Re: HoneyPorts (again) Xavier Mertens (Jul 19)
- Re: HoneyPorts (again) lonestarr13 (Jul 20)
- Re: HoneyPorts (again) John Strand (Jul 20)
- Re: HoneyPorts (again) Arch Angel (Jul 31)
- Re: HoneyPorts (again) anthony kasza (Jul 31)
- Re: HoneyPorts (again) Arch Angel (Jul 31)
- <Possible follow-ups>
- Re: HoneyPorts (again) Michael Johnson (Jul 20)