
From: Cerebraljam (cerebraljamiquebec.com)
Date: Tue Jan 15 2002 - 17:58:29 CST


    One thing you could try is simply to add

        *.* @dummyhost

    somewhere in your /etc/syslog.conf. (The dummyhost needs to answer ARP
    requests or your packets will not get out of your honeypot.) With this
    modification, your snort will be able to capture every syslog entry that
    passes on the wire (yes, you need a hub...) and you won't lose anything.
    If you want to have more fun: replace your dummyhost with a real server
    on your local network and watch your intruder try to break into the
    other server.

    This technique was used in Lance's original honeynet site and it's
    working fine!

    Cerebraljam

    Warchild wrote:

    > One obvious and popular alternative is to use modified shells (bash) that
    > log all keystrokes to syslog. This is all good until they either nuke your
    > logs (I really, really hate that), or just happen to use a shell other than
    > bash to "do the deed." I can overcome half of that by logging to a remote
    > syslog server, but that's ineffective when syslogd gets killed.
