From: Andrew Lamb (alamb@lucidic.net)
Date: Thu Mar 28 2002 - 15:41:05 CST
Some more thoughts on the topic
>how does one compromise something they cannot see?? especially from
>remote, usually if the box is correctly configured it will not decrement
>the TTL which is generally the only real way to tell you've just passed
>through something. also you could snip the send pin on the nic cable so
>it only has the capability to listen to the wire in "invisible mode"
Excellent idea. For all intents and purposes, this system would be fully cloaked. However, that's no excuse not to check its own logs for any suspicious activity. Make sure that even things such as ARP caching are disabled, so that the blackhat intruder doesn't find the IDS system's MAC address in your honeypot(s).
>another technique is to use a passive bridging firewall/IDS again no ips
>assigned but the box MUST be correctly configured
>
>> you can read everywhere that the IDS system should be heavily
>> fortified. If the NIC of the IDS is only up (no IP assigned), is it
>> still possible that the box gets compromised?
>> If yes, how does the attacker "find" the machine?
In my latest paper, I talk about disabling a Host OS's interface, and sniffing on the Guest's virtual interface. The Host collects all the packet data from the virtual interface, while not giving away its existence. Visit www.lucidic.net/alamb-3-2002.html for the proof-of-concept.
>> Also an IDS system imho just needs to get data, not send them (at
>> least on the outbound interface). So the fw drops all outbound
>> traffic... doesn't that make an intrusion impossible, too?
Yes, assuming the firewall is run on the already disabled/secured interface of the IDS. Again, my paper touches on the use of virtual machines to perform this all in a single physical machine.
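The thread above describes a sensor NIC that has no IP address, never speaks ARP, and whose outbound traffic is dropped by the host firewall. The following is an added example, not code from Andrew Lamb's post or his paper: a POSIX shell script that prints the Linux commands to put an interface into that receive-only state, plus a check that inspects `ip addr show` output for the properties the post asks for (NOARP set, promiscuous mode on, no inet/inet6 address). The interface name `eth1`, the nftables table name `sensor`, and the two sample `ip addr show` outputs are constructed assumptions; the modern `ip`/`nft`/`sysctl` tools are used in place of the `ifconfig`/`ipchains` era tooling the 2002 thread would have assumed.

```shell
#!/bin/sh
# Added example (not from the original post): make a Linux NIC a silent,
# receive-only sniffing interface for an IDS/honeypot sensor, and verify it.
# "eth1" and the nft table name "sensor" are assumptions for illustration.

SENSOR_IF="${SENSOR_IF:-eth1}"

# Print (do not run) the commands that silence interface $1.
# Apply as root with:  stealth_iface_cmds eth1 | sh
stealth_iface_cmds() {
    ifc="$1"
    cat <<EOF
ip addr flush dev $ifc
sysctl -w net.ipv6.conf.$ifc.disable_ipv6=1
ip -6 addr flush dev $ifc
ip link set dev $ifc arp off
ip link set dev $ifc multicast off
ip link set dev $ifc promisc on
ip link set dev $ifc up
nft add table inet sensor
nft add chain inet sensor out '{ type filter hook output priority 0; policy accept; }'
nft add rule inet sensor out oifname "$ifc" counter drop
EOF
}
# Why each step matters:
#  - no IPv4/IPv6 address and disable_ipv6=1: nothing for the stack to
#    announce (no ARP, no IPv6 neighbor/router solicitation on link-up)
#  - arp off (NOARP flag): the kernel never answers or sends ARP, so the
#    sensor's MAC never lands in a honeypot's ARP cache
#  - multicast off: no IGMP/MLD membership reports leak from the sensor
#  - promisc on: the sniffer still sees every frame on the wire
#  - nft OUTPUT drop on the interface: belt and braces in case an address
#    is ever added to the sensor NIC later

# Check the text of `ip addr show dev X` for a silent sensor interface.
# Prints each failed property; returns 0 only if all checks pass.
check_iface_state() {
    state="$1"
    rc=0
    case "$state" in *NOARP*) ;; *) echo "FAIL: ARP still enabled"; rc=1 ;; esac
    case "$state" in *PROMISC*) ;; *) echo "FAIL: not in promiscuous mode"; rc=1 ;; esac
    case "$state" in
        *" inet "*|*" inet6 "*) echo "FAIL: interface has an IP address"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_SILENT='2: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_NOISY='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# Returns 0 if the silent sample passes and the noisy sample is rejected.
demo() {
    check_iface_state "$SAMPLE_SILENT" >/dev/null || return 1
    if check_iface_state "$SAMPLE_NOISY" >/dev/null; then return 1; fi
    return 0
}

# Real-world use:  check_iface_state "$(ip addr show dev "$SENSOR_IF")"
```

Run `stealth_iface_cmds eth1` to review the commands before piping them to `sh` as root, then feed the live `ip addr show dev eth1` output to `check_iface_state` from cron or the sensor's own health check, since (as the post notes) a cloaked box still has to verify its own state.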