Honeypots mailing list archives
Re: Know Your Enemy: GenII Honeynets
From: "Michael Anuzis" <michael_anuzis () hotmail com>
Date: Mon, 14 Apr 2003 13:32:06 -0400
These GenII honeynets are old school already! I (and I would bet several
other people too) have already been running honeynets with almost identical
functionality for months.
The only real thing I notice with these GenII honeynets that is of any
newness is the Sebek2 loadable kernel module, and correct me if I'm wrong
but this kernel module could have been designed a lot better.
Taken from the report:
"This is done by modifying the honeypot so it cannot see nor sniff any
packets with a predesignated source MAC address."
If I were a hacker and ran a sniffer on my hacked host to see what was going
on, and I saw *no* packets coming from myself (I would see ssh connections
etc. inbound but nothing outbound), I would know *instantly* this was
incredibly suspicious. Perhaps even more suspicious than actually seeing the
UDP packets, because there would be a chance they'd get overlooked.
Just thinking off the top of my head, the person who designed Sebek2 could
have made it much more useful if, instead of a predetermined MAC address
being ignored, a predetermined port could be specified. This way you could
choose an arbitrary port to have things report on, such as 30519 or
something, and have the logging facility listen for that port, while on the
honeypot itself all other traffic, such as their SSH/IRC/etc. connections,
would still be visible.
Don't mean to criticize but I've been using this GenII model for months
already (and I would guess others are too). I was really excited to see the
article and hoping for something fresh and new! Just my $0.02
Michael Anuzis, CCNA
Network Security Consultant
http://www.anuzisnetworking.com
http://www.lucidic.net - The Distributed Honeypot Project
From: george chamales <george () overt org>
To: honeypots () securityfocus com
Subject: Know Your Enemy: GenII Honeynets
Date: 14 Apr 2003 08:56:36 -0500
The Honeynet Project is excited to announce its latest paper, "Know Your
Enemy: GenII Honeynets". The second generation Honeynet marks the next
step in Honeynet technology and is designed to be easier to deploy,
harder to detect, and safer to maintain. This paper is both an in-depth
introduction to the technology and a step-by-step guide to configuration
and deployment.
http://www.honeynet.org/papers/gen2
Enjoy,
george chamales
http://honeynet.overt.org
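The comparison Michael makes above, modelled as an added example (not code from the post, the Honeynet Project or Sebek): a constructed packet list as a sniffer on the honeypot would see it, the two hiding strategies applied to it, and the one-sided-flow check that exposes the MAC-based approach. The MAC, IP addresses and packet contents are constructed; port 30519 is the value the post suggests.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as seen by a sniffer running on the honeypot itself."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


HONEYPOT_MAC = "00:11:22:33:44:55"   # constructed; the address Sebek would hide
HONEYPOT_IP = "10.0.0.5"             # constructed
SEBEK_PORT = 30519                   # the arbitrary reporting port from the post

# Constructed sample capture: an attacker SSH session, an outbound IRC
# connection made by the attacker, and one Sebek keystroke report (UDP).
CAPTURE = [
    Packet("aa:aa:aa:aa:aa:01", "10.0.0.9", HONEYPOT_IP, "tcp", 22),        # attacker -> ssh
    Packet(HONEYPOT_MAC, HONEYPOT_IP, "10.0.0.9", "tcp", 40000),            # ssh reply
    Packet(HONEYPOT_MAC, HONEYPOT_IP, "10.0.0.77", "tcp", 6667),            # honeypot -> irc
    Packet("aa:aa:aa:aa:aa:02", "10.0.0.77", HONEYPOT_IP, "tcp", 50012),    # irc reply
    Packet(HONEYPOT_MAC, HONEYPOT_IP, "10.0.0.2", "udp", SEBEK_PORT),       # sebek report
]


def hide_by_mac(capture, mac):
    """GenII/Sebek2 behaviour as quoted in the paper: drop every packet from one source MAC."""
    return [p for p in capture if p.src_mac != mac]


def hide_by_port(capture, port):
    """Michael's alternative: drop only the UDP reports addressed to the logging port."""
    return [p for p in capture if not (p.proto == "udp" and p.dst_port == port)]


def one_sided_flows(visible, host_ip):
    """Peers the host receives from but never appears to answer: the tell the post describes.

    An operator can run this over a capture taken on the honeypot to check
    whether the hiding strategy itself makes the box look abnormal.
    """
    inbound = {p.src_ip for p in visible if p.dst_ip == host_ip}
    outbound = {p.dst_ip for p in visible if p.src_ip == host_ip}
    return sorted(inbound - outbound)


def sebek_leaked(visible, port):
    """True if any Sebek report is still visible to the on-host sniffer."""
    return any(p.proto == "udp" and p.dst_port == port for p in visible)
```

Both filters hide the Sebek report, but only the MAC filter leaves every peer looking unanswered, which is the asymmetry the post warns about.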