From: William Stearns (wstearns@pobox.com)
Date: Wed May 15 2002 - 13:43:46 CDT


    Good day, all,

    On Thu, 9 May 2002, William Stearns wrote:

    > My ideal honeypot would include the ability to monitor what the
    > attacker was doing; what are they typing and what do they see on their
    > screen. Up until now, to the best of my knowledge, the best solutions
    > have been to patch bash to log keystrokes, and to monitor the data streams
    > with snort and view them after the fact. The first approach only shows
    > keystrokes, but not screen output, and is also dependent on replacing
    > bash. The second approach fails if the attacker encrypts their traffic
    > over the wire.
    > A third (not necessarily better, but different) approach is to get
    > the kernel to log all data traveling over the pty to a file. In this
    > patch to a User-Mode Linux [1] kernel, the kernel logs all keystrokes and
    > screen output, even if the user is encrypting their traffic! No
    > modifications to userspace applications are needed. The log files are
    > stored on the host's hard drive, so the attacker can't delete them, and no
    > applications inside UML can tell they're being logged. You can monitor
    > the attacker in real time with tail -f on the log file. Although all
    > normal keystrokes show up twice in the log file to do so, this even
    > captures passwords which are not echoed to the screen. Separate ptys
    > (pty1, pty2, etc.) are logged to different files, but the files are reused
    > when someone logs out and then logs back in on the same pty.
    >
    > *smile*
    >
    > There are a number of different ways the logging could be
    > accomplished; separate I and O log files, timestamps added or not,
    > sessions broken out to different files, etc. We propose this as a
    > starting point for further customization and don't suggest that it's
    > perfect for everyone. We chose this format to start for the reasons
    > listed above and for simplicity.

            Jeff has taken the time to update the code so that the new patch
    logs each individual session to its own file (as opposed to the old method
    which dropped every session that happened to come in on pts0 in a single
    file called pts-0). The filename used is the timestamp of the opening
    read or write call, down to the millisecond level to avoid overlap. These
    should sort nicely in a directory listing.
            The only side effect is that each of the boot time kernel messages
    is written in such a way that each line of output is logged to its own
    file. You need to clean out a bunch of small "sessions" unless you really
    like reading kernel boot messages. :-)

    > Like the Linux kernel and UML code it patches, this code is
    > released under the GPL. It's Copyright 2002, Jeff Dike
    > <jdike@karaya.com>. The work was funded by ISTS.
    > The only method we're aware of to circumvent the logging would be
    > for the attacker to install a replacement shell that accepts encrypted
    > commands and executes them. Note that simply coming into the system with
    > a standard or trojaned version of ssh is not enough to hide one's actions;
    > the patch pulls its keystrokes and screen output from the pty terminal
    > driver.
    > The patch does not, in its current form, capture all traffic over
    > network sockets, FIFOs etc. It could be modified to do so, but this
    > runs a much larger risk of the attacker overflowing the logging space on
    > the host drive.
    > The permanent location for this patch is
    > http://www.stearns.org/patches/ . The current version of this patch is
    > called 2.4.19-uml-logging-patch .

            The new version will be out to the mirrors within 10 minutes. It
    is called 2.4.19-uml-logging-patch-2 .
            Cheers,
            - Bill

    > [1] http://user-mode-linux.sourceforge.net

    ---------------------------------------------------------------------------
            perl -le '$_="6110>374086;2064208213:90<307;55";tr[0->][ LEOR!AUBGNSTY];print'
    (Courtesy of George Bakos)
    --------------------------------------------------------------------------
    William Stearns (wstearns@pobox.com). Mason, Buildkernel, named2hosts,
    and ipfwadm2ipchains are at: http://www.stearns.org
    --------------------------------------------------------------------------
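    The following is an added illustration, not the UML patch from the post
    and not code by Bill or Jeff. It shows the same two ideas in userspace on
    the host side of a pty: a session log named by its opening timestamp to
    the millisecond, and a log that records keystrokes and screen output in
    arrival order as they cross the pty, independent of the application on
    the other end. Running it with `cat` reproduces the doubling the post
    mentions: the typed line appears once as a keystroke and once as the
    tty's echo, then once more as cat's output. It assumes Linux (glibc's
    ptsname_r and pipe2) and a /bin/sh; the function names, the
    "YYYYMMDD-HHMMSS.mmm" file-name format and the constructed input
    "hello\n" followed by Ctrl-D are this example's own choices.

```c
/* Added example: a userspace pty session logger in the spirit of the
 * UML pty-logging patch discussed above.  It is NOT the patch itself.
 * Assumes Linux/glibc; build with: cc -std=gnu11 -o ptylog ptylog.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Name a session log by the time it opened, to the millisecond, so that
 * concurrent sessions never share a file and a listing sorts by time.
 * Format "YYYYMMDD-HHMMSS.mmm" is this example's choice (UTC). */
int session_filename(char *out, size_t cap, const struct timespec *ts)
{
    struct tm tm;
    char stamp[32];
    if (!gmtime_r(&ts->tv_sec, &tm))
        return -1;
    if (strftime(stamp, sizeof stamp, "%Y%m%d-%H%M%S", &tm) == 0)
        return -1;
    int n = snprintf(out, cap, "%s.%03ld", stamp, ts->tv_nsec / 1000000L);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Append bytes to the in-memory session log, truncating at capacity. */
static void log_append(char *log, size_t cap, size_t *len, const char *p, size_t n)
{
    if (n > cap - *len) n = cap - *len;
    memcpy(log + *len, p, n);
    *len += n;
}

/* Run `sh -c cmd` on a fresh pty, feed it `input` as keystrokes, and record
 * keystrokes and screen output in arrival order into `log` (raw bytes, like
 * the patch).  Returns the number of bytes logged, or -1 on error. */
long run_logged_session(const char *cmd, const char *input, char *log, size_t cap)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0) return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0) { close(master); return -1; }
    char slave_name[64];
    if (ptsname_r(master, slave_name, sizeof slave_name) != 0) { close(master); return -1; }

    /* CLOEXEC pipe: its write end vanishes when exec succeeds, so the parent
     * knows the child holds the slave open before any keystrokes are sent. */
    int sync[2];
    if (pipe2(sync, O_CLOEXEC) < 0) { close(master); return -1; }

    pid_t pid = fork();
    if (pid < 0) { close(master); close(sync[0]); close(sync[1]); return -1; }
    if (pid == 0) {
        close(sync[0]);
        setsid();                               /* new session, no controlling tty yet */
        int slave = open(slave_name, O_RDWR);   /* without O_NOCTTY the slave becomes our ctty */
        if (slave < 0) _exit(127);
        dup2(slave, 0); dup2(slave, 1); dup2(slave, 2);
        if (slave > 2) close(slave);
        close(master);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        int err = errno;                        /* exec failed: report errno to the parent */
        if (write(sync[1], &err, sizeof err) < 0) _exit(127);
        _exit(127);
    }
    close(sync[1]);
    int err = 0;
    ssize_t r = read(sync[0], &err, sizeof err); /* 0 bytes read == exec succeeded */
    close(sync[0]);
    if (r > 0) { close(master); waitpid(pid, NULL, 0); errno = err; return -1; }

    size_t len = 0;
    /* Keystrokes: logged as written to the master, before the tty echoes them. */
    size_t in_len = strlen(input);
    for (size_t off = 0; off < in_len; ) {
        ssize_t w = write(master, input + off, in_len - off);
        if (w < 0) { if (errno == EINTR) continue; break; }
        log_append(log, cap, &len, input + off, (size_t)w);
        off += (size_t)w;
    }
    /* Screen output: the tty's echo of the keystrokes plus the command's output. */
    char buf[4096];
    for (;;) {
        ssize_t n = read(master, buf, sizeof buf);
        if (n > 0) { log_append(log, cap, &len, buf, (size_t)n); continue; }
        if (n < 0 && errno == EINTR) continue;
        break;                                  /* EOF, or EIO once the slave side has closed */
    }
    close(master);
    waitpid(pid, NULL, 0);
    return (long)len;
}

int main(int argc, char **argv)
{
    struct timespec now;
    clock_gettime(CLOCK_REALTIME, &now);
    char name[64];
    if (session_filename(name, sizeof name, &now) < 0) return 1;

    static char log[1 << 16];
    /* Constructed input: one line, then Ctrl-D (EOF) so `cat` exits. */
    long n = run_logged_session(argc > 1 ? argv[1] : "cat", "hello\n\004", log, sizeof log);
    if (n < 0) { perror("run_logged_session"); return 1; }
    printf("session %s: %ld bytes logged\n", name, n);
    fwrite(log, 1, (size_t)n, stdout);
    return 0;
}
```

    With the default `cat` the log holds "hello\n", the EOF byte, then
    "hello\r\n" twice: the line discipline's echo and cat's own write, both
    passed through ONLCR. Bytes typed with echo turned off (a password prompt)
    would still be present from the keystroke side, which is the property the
    post is after; everything is captured on the master side, so an encrypted
    transport into the session changes nothing here.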
