DOH'!!
So this is my last day of work before going on a 14 day vacation.
I was REALLY hoping to get the honeynet up and running by now but I've been somewhat busy and I have also met some challenges along the way which kinda messed up my timeframe.
HOWEVER, I have completed a lot of the things that needed doing so when I get back from work, at least I won't have to do much to complete the first stage.
For those of you who are interested, I found a great tutorial site which contains tutorials for setting up a bridge box with snort_inline etc...
check out www.openmaniak.com , they have a lot of different tutorials there which are quite simple to follow.
As for me, I have bought THIS book and I hope to get through most of it during my vacation time.
So even though I may have had to delay this project for a while now, I won't give it up.
Stay tuned in about 2-3 weeks and I'll post more updates here and start a status thread for the honeypot once its up and running.
Am I behind schedule or what?
Well, just to keep you guys posted, I have NOT given up this project at all but I have had other things on my mind for the last couple of weeks.
I am currently reading up on honeynets in a book called "Virtual Honeypots - from botnet tracking to intrusion detection" to make sure that I won't forget everything I've learned so far while I wait for the time to get back to work on this project.
I will continue with status updates etc. once I'm back at it.
By your mean of In-front indicate it as IPS system when it works In Inline mode but IDS can be placed anywhere cause they will get a copy of each packet destined for internal host.thus generating a alarm and taking action as request block or reset.based on actionOriginally Posted by BOFH139
OK, after to reading a book called Virtual Honeypots, I've somehow decided to start with a virtual honeypot :P
I will launch this after 8 hours of sleep and a couple of hours more of workI will start of with a VM image of a Win 2000 machine and I will log all traffic and keystrokes on the machine. I will also limit outgoing traffic and block a lot of the common ports both incoming and outgoing to avoid worm traffic to and from the honeypot.
Once online I will create a thread in this sub forum and post the status, results etc and keep this thread going when it comes to issues regarding the implementation and set-up of honeypots..
I have also created a blog for this project: The HoneyProject which will also be used to post info about this and other honeynet projects I will start in the future... at first I wanted to create a website, but I decided that it would be too much work to create and maintain so I went the easy route and got myself a blogspot
OK, so my HDD totally crashed at the worst possible time last week (if you read my blog you can see a more detailed description of the incident there) and I haven't had the time to work any more on the project until now.
On the other hand, though, Lance Spitzer from www.honeynet.org tipped me about their mailing list which I joined instantly and I have received a lot of useful tips from the users there already.
Now my plan is to implement a complete honeynet on one machine using VMWare
Since I got the W2K VM host all ready and installed, I need to install Honeywall as a VM on the same host machine, get the config right and hopefully I can get this thing up and running soon
I have also made some minor changes on my blog, with links both to this forum and to the remote exploit main site to raise awareness about this community and the BackTrack distro.
If you have a choice of OS to run as a VMware session for your honeypot, you should choose something like Win98 or WinME.OK, so my HDD totally crashed at the worst possible time last week (if you read my blog you can see a more detailed description of the incident there) and I haven't had the time to work any more on the project until now.
On the other hand, though, Lance Spitzer from www.honeynet.org tipped me about their mailing list which I joined instantly and I have received a lot of useful tips from the users there already.
Now my plan is to implement a complete honeynet on one machine using VMWare
Since I got the W2K VM host all ready and installed, I need to install Honeywall as a VM on the same host machine, get the config right and hopefully I can get this thing up and running soon
I have also made some minor changes on my blog, with links both to this forum and to the remote exploit main site to raise awareness about this community and the BackTrack distro.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
LOL, sorry I see I've mistyped the previous post a bit .. my host OS is XP but on that host I have set up a guest VM machine with an unpatched Windows 2000 Professional...
But win ME and 98 would most definitely be a good addition if i really want to attrackt some bad traffic
What you need to do is set it up so that if they get a remote shell they get this:
http://www.computerbrains.com/ccs64/
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
hahaha, that would be sweet.. however, it wouldn't be the same without a live camera feed of the reaction of whoever maintains access and suddenly finds themselves in a C64 prompt
Ahhh, I finally got a virtual honeypot working fine using a host machine with VMWARE and one Windows 2000 Proffesional guest machine and one Honeywall guest machine.
I will continue this thread to have a Q&A thread for honeypot's and I'm about to create a status thread in this same sub forum as well.
The project kinda ended up in me creating a blog about my honeypot attempts called "The Honeyproject" and I plan to keep it going and posted with relevant info, news and after a while I'll give a go at authoring some pretty thorough HOWTO's as well after gaining some more knowledge and experience about this particular topic
So to follow my status you can either check out the thread I'm about to start or drop by my site once in a while.. (I'd appreciate some traffic
Posting Permissions
