Honeypots
mailing list archives
Re: Honeynet Project Security Advisory 2004-001: Sebek
From: Ryan Barnett <RCBarnett () hushmail com>
Date: 22 Jan 2004 21:06:47 -0000
In-Reply-To: <Pine.LNX.4.44.0401221344550.25604-100000 () sumatra ucs indiana edu>
From: Edward Balas <ebalas () iu edu>
-- CUT --
Review of Best Practices:
-- CUT --
1. It is recommended that you run sbk_extract in a chroot
environment protected with Systrace and, if available,
your favorite flavor of stack protection. This
recommendation applies to all data capture tools run on
a honeynet data collection server.
While this recommendation is based on sound logic (with regards to keeping the honeypot/net logging data secure),
we may be missing a prime opportunity here. I for one would sure like to see someone successfully execute this type of
libpcap exploit to compromise the sebek server host! What GREAT exploit intel!
Let's not forget our Gen I mindset - when having an attacker discover a remote syslog server and then try to compromise
it was a GOOD thing for identifying new attacks/exploits against syslogd.
-RYAN