From: John Whitsitt (jofny) (seclistssyk0.com)
Date: Fri May 17 2002 - 11:13:53 CDT


    Hello.

    I'm using a snort->syslog->swatch->bash script->iptables combination in a similar project right now.

    Initial packets do make it through, but even if that single packet immediately exploits a box,
    nothing much will be gained by the attacker...because there will be -- in addition to the
    redirection -- rules in place to prohibit all return traffic from the production box to the
    hostile IP. We're gearing ours towards preventing root access or data loss more than DoS attacks.
    Our honeynet looks similar to the production machine, but without important data...we break
    certain links, no database or scripting services, etc...this (we hope) will tend to reduce the
    chance that the attacker realizes that there has been a diversion.

    Snort runs on the gateway device, but we're not sure if we want to code in "trigger rules" to our
    bash scripts or to run two instances of snort -- one with a full ruleset and one with a "bait and
    switch" ruleset. We don't want traffic being redirected on *any* snort alert...that would be
    messy.
    The initial outline of this is located at http://www.violating.us/baitnswitch.html. I'd love
    comments, suggestions, or criticisms from people with a bit more experience.
    -jofny

    > Interesting. Is snort acting on a gateway device? Can you redirect that initial packet to the
    > honeynet? Or does it just direct the rest of the packets to it.
    >
    > One issue might be if there isn't a snort rule for an attack, it'd prolly still go to the
    > production network.
    >
    > Mike
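
Added example, not jofny's script from violating.us: one way to write the shell stage of the
snort -> syslog -> swatch -> shell -> iptables chain described above so that only a short list
of snort SIDs triggers a diversion, which is the "trigger rules" option rather than the
two-snort-instances option. The production and honeypot addresses, the SID list, the chain
layout and the sample alert line are all assumed or constructed for illustration; swatch is
assumed to hand the script the matched syslog line as its single argument.

```shell
#!/bin/sh
# Added example (not the violating.us script): the swatch-invoked stage of a
# snort -> syslog -> swatch -> shell -> iptables bait-and-switch.
# All addresses, SIDs and the sample alert line below are constructed.

PRODUCTION_IP="${PRODUCTION_IP:-192.0.2.10}"   # assumed production box
HONEYPOT_IP="${HONEYPOT_IP:-192.0.2.20}"       # assumed honeynet look-alike
IPTABLES="${IPTABLES:-iptables}"               # set to "echo" for a dry run
TRIGGER_SIDS="${TRIGGER_SIDS:-1256 1002}"      # placeholder SIDs that divert;
                                               # every other alert is ignored

# Constructed snort syslog alert in the usual
# "[gid:sid:rev] msg [Classification: ...] [Priority: N]: {PROTO} src:port -> dst:port" shape.
SAMPLE_ALERT='May 17 11:13:53 gw snort[842]: [1:1256:1] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 198.51.100.7:3456 -> 192.0.2.10:80'

# Print "<sid> <attacker_ip>" for a snort alert line; return 1 for any other line.
parse_alert() {
    sid=$(printf '%s\n' "$1" | sed -n 's/.*\[[0-9]*:\([0-9]*\):[0-9]*\].*/\1/p')
    # "{TCP} 198.51.100.7:3456 -> ..." or "{ICMP} 198.51.100.7 -> ...": take the
    # address after the last "} " and stop at the port colon or the space.
    src=$(printf '%s\n' "$1" | sed -n 's/.*} \([0-9.]*\).*/\1/p')
    [ -n "$sid" ] && [ -n "$src" ] || return 1
    printf '%s %s\n' "$sid" "$src"
}

# True only for SIDs on the configured trigger list.
is_trigger_sid() {
    for s in $TRIGGER_SIDS; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Install the diversion for one hostile address.
divert_host() {
    hostile="$1"
    # New connections from the attacker aimed at the production box land on the honeypot.
    $IPTABLES -t nat -I PREROUTING 1 -s "$hostile" -d "$PRODUCTION_IP" \
        -j DNAT --to-destination "$HONEYPOT_IP"
    # Whatever the packet that fired the alert did, nothing comes back to the attacker.
    $IPTABLES -I FORWARD 1 -s "$PRODUCTION_IP" -d "$hostile" -j DROP
}

# Entry point for swatch. Exit status: 0 diverted, 1 not an alert, 2 alert but not a trigger.
handle_line() {
    parsed=$(parse_alert "$1") || return 1
    set -- $parsed
    is_trigger_sid "$1" || return 2
    divert_host "$2"
}

if [ $# -gt 0 ]; then
    handle_line "$1"
else
    ( IPTABLES=echo; handle_line "$SAMPLE_ALERT" )   # dry run against the sample
fi
```

Run with no argument it prints the two iptables commands it would issue for the sample
alert instead of installing them. A swatchrc entry of the assumed form
`watchfor /snort\[/` followed by `exec "/usr/local/sbin/baitnswitch.sh '$0'"` would feed it
every snort line, and the SID check then decides which of them divert. Two caveats worth
keeping in mind: DNAT only rewrites new connections, so the TCP session that carried the
alerting packet stays with the production box and it is the FORWARD DROP, not the redirect,
that stops that session from delivering anything back; and if the production box is the
gateway itself rather than behind it, that DROP belongs in OUTPUT instead of FORWARD.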

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: honeypots-unsubscribe@securityfocus.com
    For additional commands, e-mail: honeypots-help@securityfocus.com
    ---------------------------------------------------------------------