[SLUG] Honeynets

Stuart Thomas stuartthomas at clara.co.uk
Fri Aug 22 18:28:29 BST 2003


Hi,

I'm sure you're all quite sick of honeynets/farms/pots by now, but 
Jamie did mention the spoof side of honeypots which is exceptionally 
important. i.e. When you are running a vmware session of say RedHat 
6.0, you may want to ensure that your W2K stack or whatever host OS you 
use, responds interestingly, i.e. the stack doesn't give a W2K response, 
maybe one of RH6.0 :-) .. See X-Probe/Nmap OS identification/spoofing 
in google/your search engine.

Erm, anyway, thanks!..

Stu
p.s. has anyone used tarpit to any effect? (it holds on to tcp 
connections, i.e. increases the time-out to drain the resources of 
port-scanners)





On Friday, Aug 22, 2003, at 16:46 Europe/London, Gavin Baker wrote:

> On Fri, 2003-08-22 at 15:58, Adams, Jamie wrote:
>> I don't know what the hell you're talking about, but sounds good to me!
>
> (honeypot) Usually a box that *pretends* to be running services with
> known security flaws. The idea is to attract crackers to try and hack
> the (fake) servers so we can monitor what they do and protect our real
> boxen against the attacking host and the same kind of attack, and if
> they are trying to crack non existent services, our real ones are safe.
>
> There are a lot of honeypot apps out there. Some are as simple as a perl
> script, or a shell script that uses nc to listen on a port (say www),
> reply as a real www server would but log everything that happens. Some
> are indistinguishable from the real thing (like iisemul8[1]).
>
> Some, like honeyd[2] also fake the TCP/IP stack, to pretend to be
> whatever OS you want.
>
> There is a good series of articles about honeypots on securityfocus.com
> somewhere.
>
> Fun stuff really.
>
> Gav
>
> [1] http://sourceforge.net/projects/iisemul8/
> [2] http://www.citi.umich.edu/u/provos/honeyd/
>
> -- 
> Gavin Baker <gav at supercowpowers.org>
>
>>> -----Original Message-----
>>> From: Stuart Thomas [mailto:stuartthomas at clara.co.uk]
>>> Sent: 22 August 2003 15:26
>>> To: scarborough at mailman.lug.org.uk
>>> Subject: Re: [SLUG] Next Meeting
>>>
>>>
>>> Yes, if anyone is interested.
>>>
>>> That is electronic kind.
>>>
>>> Cheers,
>>> Stu
>>>
>>> On Friday, Aug 22, 2003, at 14:11 Europe/London, Gavin Baker wrote:
>>>
>>>> On Fri, 2003-08-22 at 12:52, Stuart Thomas wrote:
>>>>> Hm how about a talk on building a linux oracle (or any database)
>>>>> honeynet?
>>>>
>>>> You're volunteering to do a tutorial on honeypots? :)





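The simple kind of honeypot described in the thread above (a script that listens on the www port, replies as a real web server would and logs everything), as an added example that is not code from anyone in this thread. The banner string, port 8080 and log file name are constructed assumptions.

```python
import json
import socket
import time

FAKE_SERVER = "Apache/1.3.27 (Unix)"   # constructed banner the decoy claims to be
BODY = b"<html><body><h1>It works!</h1></body></html>"
RESPONSE = (f"HTTP/1.0 200 OK\r\nServer: {FAKE_SERVER}\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(BODY)}\r\nConnection: close\r\n\r\n"
            ).encode("ascii") + BODY

def handle(conn, peer, log_path, max_bytes=4096, timeout=5.0):
    """Log what one client sent, answer like a web server, then hang up."""
    data = b""
    with conn:
        conn.settimeout(timeout)        # a silent client cannot pin the decoy
        try:
            while b"\r\n\r\n" not in data and len(data) < max_bytes:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                data += chunk
        except OSError:                 # timeout or reset: log what arrived
            pass
        # latin-1 keeps every byte; JSON escapes CR/LF so one connection
        # is always exactly one log line, whatever the client sends
        record = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                  "src_ip": peer[0], "src_port": peer[1],
                  "raw": data.decode("latin-1")}
        with open(log_path, "a") as fh:
            fh.write(json.dumps(record) + "\n")
        try:
            conn.sendall(RESPONSE)
        except OSError:                 # client already gone
            pass
    return record

def serve(sock, log_path, max_conns=None):
    """Accept loop on a listening socket; max_conns=None means run forever."""
    served = 0
    while max_conns is None or served < max_conns:
        conn, peer = sock.accept()
        handle(conn, peer, log_path)
        served += 1
    sock.close()
    return served

if __name__ == "__main__":
    listener = socket.create_server(("0.0.0.0", 8080))   # hypothetical port
    serve(listener, "honeypot.jsonl")                     # hypothetical log file
```

Connections are handled one at a time, which keeps the decoy small; the read timeout and byte cap bound how long any single client can hold it.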