Honeypots
mailing list archives
Re: Building an Honeypot using VMWare
From: Floydman <floydian_99 () yahoo com>
Date: Mon, 04 Nov 2002 12:28:58 -0500
At 10:58 AM 04/11/2002, Bruno MAC Castro wrote:
Hi all,
(...)
The main platform (intrusion and honeypot) is almost completely setup.
Now, I am reaching a stage in my research where I could use some nice
advice:
1. What Log tools can I use for log correlation between the Host
(monitor with Windows 2k Pro) and the Guest (honeypot with Windows 2k
Pro)?
Somebody mentioned neuSecure, from Guarded.net, but it is a commercial
solution. I am working on something like this, and I'd also like to hear
about similar products. I think this kind of tool will help fill the gap
of analysing large log files.
2. I also need a way to share the guest (hacked) machine logs with the
host (monitor). Any ideas?
Can I suggest LogAgent? You can download it from my site
http://securit.iquebec.com (download may be slow, sorry). This tool
monitors ASCII log files and forwards them on the fly to the destination of
your choice (via the UNC address convention; an IP address can be used). You may
also want to take a look at ComLog if you want to make a Windows
honeypot. ComLog is a command prompt logger, which lets you capture
command prompt sessions. ComLog and LogAgent are also made to work
together, ComLog captures, and LogAgent forwards.
3. Is there any tool that can define the hacking process step-by-step by
correlating the IDS logs with the OS logs?
Again, I'd like to hear about this also.
4. It would be important to hide the VMWare process on the Guest. I need
a tool (or a solution) to cover or hide the VMWare process in both
systems. Ideas?
No ideas per se, but you gave me an idea about how to improve
ComLog. Maybe I can make it take a list of processes to hide in the
command prompt (ComLog and LogAgent are hidden in a ComLog session). But
that would be limited to the command prompt only; in the process manager (GUI),
it would still show.
5. My host system is very well secured but I believe that nothing is 100%
safe, so I also need ideas to copy or move all logs (guest and host) to
another system (not sure about what kind of system it should be). Any
ideas? Maybe serial port to another machine?
Again, LogAgent can be used to forward log files to a remote machine. I
forgot to mention that you can also watch them on the fly on the
console. I'll remember to add the option to send the output to a serial or
parallel port on a future version.
Thanks.
Regards
Bruno
Hope this helps at least a bit.
Floydman
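The forward-and-correlate workflow discussed in this exchange (points 1, 2 and 5: ship guest and host log lines off-box as they are written, then line them up on one timeline) can be sketched in a few dozen lines. The block below is an added illustration for this archive page; it is not LogAgent's or ComLog's code and comes from neither participant. The file names, the "YYYY-MM-DD HH:MM:SS message" log layout and every sample line are constructed for the example, and the destination is a local file standing in for the UNC share on the monitor machine.

```python
"""Forward new log lines from a host (monitor) log and a guest (honeypot) log
to one destination file, then merge both into a single timeline.

Added illustration only: this is not LogAgent's code.  File names, log
formats and the sample lines below are all constructed for the example.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed sample lines.  Both logs share a "YYYY-MM-DD HH:MM:SS message"
# layout so that the merge step can sort on the timestamp prefix.
HOST_LOG = (
    "2002-11-04 12:01:03 IDS alert inbound 10.0.0.5 -> 192.168.1.20:445\n"
    "2002-11-04 12:01:09 IDS alert SMB share enumeration from 10.0.0.5\n"
)
GUEST_LOG = (
    "2002-11-04 12:01:05 SECURITY 529 logon failure user=Administrator\n"
    "2002-11-04 12:01:11 SECURITY 528 logon success user=Guest\n"
)
GUEST_LATER = "2002-11-04 12:01:15 SECURITY 592 new process cmd.exe user=Guest\n"

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def follow(path: str, offsets: Dict[str, int]) -> List[str]:
    """Return the complete lines appended to `path` since the last call.

    The byte offset per file is kept in `offsets`; a trailing partial line is
    left for the next call so a half-written line is never forwarded.
    """
    with open(path, "rb") as f:
        f.seek(offsets.get(path, 0))
        data = f.read()
    lines: List[str] = []
    consumed = 0
    for raw in data.splitlines(keepends=True):
        if not raw.endswith(b"\n"):
            break  # partial line: wait for the rest
        consumed += len(raw)
        lines.append(raw.decode("ascii", errors="replace").rstrip("\r\n"))
    offsets[path] = offsets.get(path, 0) + consumed
    return lines


def forward(source: str, lines: List[str], dest: str) -> int:
    """Append lines to `dest`, tagged with their origin (host or guest).

    `dest` is a local path here; a UNC path to a share on the monitor
    machine would be used the same way.
    """
    with open(dest, "a", encoding="ascii") as out:
        for ln in lines:
            out.write(f"{source}\t{ln}\n")
    return len(lines)


def merge_timeline(dest: str) -> List[Tuple[str, str, str]]:
    """Read the forwarded file and return (timestamp, source, message) by time.

    Lines without a parsable timestamp are kept at the end so nothing is
    silently dropped during correlation.
    """
    entries, unparsed = [], []
    with open(dest, encoding="ascii") as f:
        for raw in f:
            source, _, rest = raw.rstrip("\r\n").partition("\t")
            m = TS_RE.match(rest)
            if m:
                entries.append((m.group(1), source, m.group(2)))
            else:
                unparsed.append(("", source, rest))
    entries.sort(key=lambda e: e[0])
    return entries + unparsed


def demo() -> List[Tuple[str, str, str]]:
    """Two forwarding passes, with a line appended to the guest log in between."""
    work = tempfile.mkdtemp()
    host = os.path.join(work, "host.log")
    guest = os.path.join(work, "guest.log")
    dest = os.path.join(work, "merged.log")
    with open(host, "w", encoding="ascii") as f:
        f.write(HOST_LOG)
    with open(guest, "w", encoding="ascii") as f:
        f.write(GUEST_LOG)

    offsets: Dict[str, int] = {}
    for src, path in (("host", host), ("guest", guest)):
        forward(src, follow(path, offsets), dest)

    # Something new happens on the guest; only that one line should move.
    with open(guest, "a", encoding="ascii") as f:
        f.write(GUEST_LATER)
    new = follow(guest, offsets)
    assert new == [GUEST_LATER.rstrip("\n")]
    forward("guest", new, dest)
    assert follow(host, offsets) == []  # nothing new on the host side

    return merge_timeline(dest)


if __name__ == "__main__":
    for ts, src, msg in demo():
        print(ts, src.ljust(5), msg)
```

Two design points matter for a honeypot rather than an ordinary log shipper: the forwarder tracks a byte offset per file and never emits a partial line, so a log the attacker is still writing to cannot produce torn records on the monitor side; and the merge step keeps unparsable lines instead of discarding them, since a line that breaks the expected layout is often exactly the one worth reading.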