Honeypots mailing list archives

GenII Honeynet practical use of Snort/Snort_Inline/Swatch
From: "Brent J. Nordquist" <brent () nordist net>
Date: Fri, 27 Jun 2003 13:02:59 -0500

I'm brand new to honeypots, and now have a working GenII honeynet
up and going.  Following the description in the GenII paper has
left me with some questions about how Snort, Snort_Inline, Swatch
are supposed to work in practice in a GenII honeynet.  Any
clarification, feedback, examples from your own configuration, etc.
appreciated!

Data Control:  As I understand it, IPTables+Snort_Inline is supposed
to be used for (1) limiting the number of outbound connections
across the bridge (so the compromised honeypot can't be used to
attack other systems), and (2) identifying known outbound exploits
and neutering them.

    - The GenII paper says "If you are running drop-rules.tgz
    ruleset, you test by simply by first enabling the default test
    rule," -- I am using the distributed drop-rules.tgz, but I
    couldn't find that ruleset.  Can someone point me to it?  (I
    added my own that was basically a wildcard, and confirmed that
    it triggered Snort_Inline.)

Data Capture:  The paper says that Snort is supposed to be used for
data capture (both inbound and outbound).

    - The paper doesn't appear to say anything about how to set up
    rules that achieve this.  I did a telnet in both directions,
    but neither one was logged.  Again, I added a simple "wildcard"
    rule and was able to get Snort to trigger and log the session.
    So it looks like the standard Snort rules (which appear to be
    set up to catch "bad" activity) aren't what you want for
    capturing *all* activity.  What Snort rules do people use?

Alerting:  The GenII paper has one simple example for Swatch that
would send email for any "OUTBOUND" packets.

    - Is this what people use in practice, or do you only alert on
    TCP or UDP (ignoring ICMP), or do you have other custom Swatch
    patterns to ignore false positives (IDENT, NTP, etc.)?

-- 
Brent J. Nordquist <brent () nordist net> N0BJN
Other contact information: http://www.nordist.net/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti
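The alerting question above asks whether people mail on every "OUTBOUND" hit or filter by protocol and by known-noise ports such as IDENT and NTP. The following is an added example, not part of the original post or of the Honeynet Project's tools: it applies that kind of Swatch-style filter in Python to constructed alert lines written in the style of Snort's fast alert output (the format, the "OUTBOUND" message text and the ignored-port list are all assumptions).

```python
import re
from dataclasses import dataclass

# Matches one Snort "alert_fast"-style line (format assumed, see lead-in).
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>TCP|UDP|ICMP)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Outbound destination ports treated as expected noise (assumed list).
IGNORED_PORTS = {"113": "ident", "123": "ntp"}
# Protocols worth an e-mail; ICMP is still logged by Snort, just not mailed.
MAIL_PROTOS = {"TCP", "UDP"}


@dataclass
class Verdict:
    mail: bool      # True if this line should trigger an e-mail
    reason: str     # why it was (not) selected


def classify(line: str) -> Verdict:
    """Apply the Swatch-style rules to a single alert line."""
    m = ALERT_RE.match(line)
    if not m:
        return Verdict(False, "unparsed line")
    if "OUTBOUND" not in m["msg"]:
        return Verdict(False, "not an outbound alert")
    proto, dport = m["proto"], m["dport"]
    if proto not in MAIL_PROTOS:
        return Verdict(False, f"{proto} not mailed")
    if dport in IGNORED_PORTS:
        return Verdict(False, f"known noise: {IGNORED_PORTS[dport]}")
    return Verdict(True, f"outbound {proto} {m['src']} -> {m['dst']}:{dport}")


def select_for_mail(lines):
    """Return the reason text for every line that should be mailed."""
    return [v.reason for v in map(classify, lines) if v.mail]


# Constructed sample alerts for this example, not real captures.
SAMPLE_LOG = [
    "06/27-13:02:59.000001  [**] [1:1000001:0] OUTBOUND TCP [**] [Priority: 0] {TCP} 192.168.1.10:45000 -> 10.0.0.5:80",
    "06/27-13:03:00.000002  [**] [1:1000001:0] OUTBOUND TCP [**] [Priority: 0] {TCP} 192.168.1.10:45001 -> 10.0.0.5:113",
    "06/27-13:03:01.000003  [**] [1:1000002:0] OUTBOUND UDP [**] [Priority: 0] {UDP} 192.168.1.10:123 -> 10.0.0.6:123",
    "06/27-13:03:02.000004  [**] [1:1000003:0] OUTBOUND ICMP [**] [Priority: 0] {ICMP} 192.168.1.10 -> 10.0.0.7",
    "06/27-13:03:03.000005  [**] [1:1000004:0] INBOUND TCP [**] [Priority: 0] {TCP} 10.0.0.5:22222 -> 192.168.1.10:22",
]
```

Only the first sample line survives the filter; the IDENT and NTP lookups, the ICMP echo and the inbound connection are dropped with a reason you can log for later tuning.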