Honeypots mailing list archives

Re: Some questions about my first honeypot
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Fri, 09 Apr 2004 13:45:50 +0200

On Thu 08 Apr 2004 17:34:21 CEST x0x () ukshells co uk wrote:

> 2. Logging. Obviously I'm looking to gather as much information to
> learn from as possible, but not being familiar with hidden keyloggers,
> etc. at all, I don't have anything running directly on the honeypot to log
> sessions and instead just have a snort rule on the slack box to log
> everything which originates from eth2 (the honeypot network). What I'm
> a little concerned about though is that if the attack enters the box
> through SSH the session will be encrypted and I won't be able to gain
> any information from the conversation. Is there anything I could look
> into to get around this?

Take a look at Sebek: http://honeynet.org/tools/sebek/

> 3. As it's only been 1 day since I've had it live, activity has been
> pretty minimal; however, should an intruder break in and start using the
> box as a base to scan from I could be in big trouble with my ISP. Is
> there any way I can limit connections outbound from the honeypot so
> that it's not obvious to the intruder something is wrong, but protects
> me from unknowingly participating in some DoS attack?

You can use iptables' "limit" option in order to shape traffic.
Another option is snort_inline (http://snort-inline.sf.net/), an
intrusion prevention system.

HTH,
  Thorsten
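The iptables "limit" approach from the reply, carried through as an added example (this is not code from the message or from the honeypots list): a POSIX shell script for the Linux gateway in front of the honeypot that throttles new outbound connections from eth2, the honeypot network named in the question. The interface name comes from the thread; the per-protocol budgets, the chain name HP_OUT and the assumption that the gateway's FORWARD chain already passes established traffic are assumptions.

```shell
#!/bin/sh
# Added example: rate-limit NEW connections leaving the honeypot network on a
# Linux gateway (the "slack box" in the thread) with the iptables "limit"
# match, so a compromised honeypot cannot scan or flood at full speed while
# ordinary low-volume outbound activity still looks normal to the intruder.
# Assumptions (not from the thread): the gateway forwards for eth2, the
# per-protocol budgets below, and an existing FORWARD policy that already
# passes ESTABLISHED/RELATED traffic; only NEW outbound flows are throttled.
HP_IF="${HP_IF:-eth2}"              # honeypot-side interface, as in the question
TCP_LIMIT="${TCP_LIMIT:-15/hour}"   # assumed budget: new TCP connections
UDP_LIMIT="${UDP_LIMIT:-20/hour}"   # assumed budget: new UDP flows
ICMP_LIMIT="${ICMP_LIMIT:-50/hour}" # assumed budget: new ICMP flows

# Emit the rule set one command per line so it can be reviewed (or tested)
# before it touches the kernel. The burst equals the average (the number
# before the slash), so a fresh honeypot gets the full budget at once and
# the token bucket then refills at the stated rate. Excess new flows are
# logged (rate-limited so the log itself cannot be flooded) and dropped.
# Run once per boot; flush HP_OUT and remove the FORWARD jump before re-running.
hp_rules() {
    cat <<EOF
iptables -N HP_OUT
iptables -A FORWARD -i $HP_IF -m conntrack --ctstate NEW -j HP_OUT
iptables -A HP_OUT -p tcp -m limit --limit $TCP_LIMIT --limit-burst ${TCP_LIMIT%%/*} -j ACCEPT
iptables -A HP_OUT -p udp -m limit --limit $UDP_LIMIT --limit-burst ${UDP_LIMIT%%/*} -j ACCEPT
iptables -A HP_OUT -p icmp -m limit --limit $ICMP_LIMIT --limit-burst ${ICMP_LIMIT%%/*} -j ACCEPT
iptables -A HP_OUT -m limit --limit 6/minute -j LOG --log-prefix "HP_OUT_DROP: "
iptables -A HP_OUT -j DROP
EOF
}

# Number of iptables commands the generator produced (used for self-checks).
hp_rule_count() {
    hp_rules | grep -c '^iptables'
}

# Apply the rules on the gateway; needs root, and any failing command aborts.
hp_apply() {
    hp_rules | sh -e
}

# Review with "sh honeypot-limit.sh"; apply with "sh honeypot-limit.sh apply".
if [ "${1:-}" = "apply" ]; then hp_apply; else hp_rules; fi
```

Dropped excess flows show up in the kernel log with the HP_OUT_DROP prefix, which is itself a useful signal that the honeypot has started scanning.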
