Rob, thanks for your answer! After installing 1.2 and seeing no connections, the first thing I did was uncheck this parameter (BPF) in Walleye. No result.
Should I see connections and events from the "intruder" regardless of BPF? Sorry, I have now reverted to 1.1. I'll try to install 1.2 and run ps... In 1.1 I see connections from honeypots, to honeypots from the "intruder", and from local subnet IPs which are not listed in the "IP Address(es) of your honeypots" fields in Walleye.

Best regards,
KostyaK

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rob McMillen
> Sent: Thursday, June 28, 2007 8:40 PM
> To: [email protected]
> Subject: Re: [Honeywall] Roo 1.2 connections and events (compared to 1.1)
>
> KostyaK,
> If you log onto your 1.2 honeywall, and run the following command:
>
> ps ax | grep host
>
> You will probably notice that by default, all data capture
> mechanisms are now using a bpf filter. This filter is based
> on the contents of the HwHPOT_PUBLIC_IP variable. It should
> only be capturing things to and from the ip addresses there.
> It also incorporates the black and white list if they are enabled.
>
> Can you paste the results of the ps ax | grep host command above?
>
> In your 1.1 honeywall, were the events related to your
> honeypots or simply machines that were on the same local subnet?
>
> Thanks in advance,
>
> Rob
>
> On 6/28/07, Kadushkin, Konstantin Y. <[EMAIL PROTECTED]> wrote:
> > Dear all!
> >
> > I'm using a roo 1.1 installation, and a number of high-interaction
> > honeypots - Windows guests on VMware. The honeypots emulate AD, SMS and
> > Exchange, so they generate a lot of connections with each other (I
> > think that's ok for this environment). Also, I have an "intruder"
> > workstation, which is assigned an IP from a different scope than the
> > honeypots. All ok, I see connections, IDS events, the "intruder" IP in
> > "Top 10 Remote Hosts" in Walleye.
> >
> > Once I migrated to roo 1.2, I see 2 to 5 connections in about 2 hours
> > (some broadcasts), no IDS events, no events from the "intruder", no
> > records in "Top 10 Remote Hosts".
> >
> > Back to 1.1 - all events and records are back. All parameters in 1.1 and
> > 1.2 are similar.
> >
> > Why? What difference could give this result?
> >
> > Best regards,
> > KostyaK
> > _______________________________________________
> > Honeywall mailing list
> > [email protected]
> > https://public.honeynet.org/mailman/listinfo/honeywall
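The following is an added example, not code from the thread or from the Honeywall project. It models the point Rob makes above: in 1.2 the capture processes run under a BPF filter derived from HwHPOT_PUBLIC_IP, so only flows with a listed honeypot as one endpoint are recorded, and the intruder-to-unlisted-local-host traffic that 1.1 showed simply never reaches the data capture. It also extracts the `host` terms from a line of `ps ax | grep host` so the running filter can be compared with what was entered in Walleye. The filter syntax, the ps line and every address are assumptions; the black list is not modelled because its effect on the filter is not described on the page.

```python
"""Added example (not Honeywall's own code): model the honeypot BPF filter
Roo 1.2 derives from HwHPOT_PUBLIC_IP (plus the white list, when enabled) and
check which flows it would admit.  The filter format, the ps line and all
addresses below are assumptions, not taken from Honeywall."""
import ipaddress
import re
from typing import Iterable, List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str


def _nets(addrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # Accept single hosts or CIDR blocks; a bare address becomes a /32.
    return [ipaddress.ip_network(a, strict=False) for a in addrs]


def _terms(addrs: Iterable[str]) -> str:
    terms = []
    for net in _nets(addrs):
        if net.num_addresses == 1:
            terms.append(f"host {net.network_address}")
        else:
            terms.append(f"net {net.with_prefixlen}")
    return " or ".join(terms)


def build_bpf(honeypots: Iterable[str], whitelist: Iterable[str] = ()) -> str:
    """libpcap-style expression (assumed format): keep only traffic with a
    honeypot endpoint, minus anything to or from a whitelisted address."""
    honeypots = list(honeypots)
    if not honeypots:
        raise ValueError("HwHPOT_PUBLIC_IP is empty; the filter would match nothing")
    expr = f"({_terms(honeypots)})"
    whitelist = list(whitelist)
    if whitelist:
        expr += f" and not ({_terms(whitelist)})"
    return expr


def _in(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def would_capture(flow: Flow, honeypots, whitelist=()) -> bool:
    """Apply the same semantics as build_bpf() to a single flow."""
    hp, wl = _nets(honeypots), _nets(whitelist)
    if _in(flow.src, wl) or _in(flow.dst, wl):
        return False
    return _in(flow.src, hp) or _in(flow.dst, hp)


HOST_RE = re.compile(r"\bhost\s+(\d{1,3}(?:\.\d{1,3}){3})")


def hosts_in_ps_line(line: str) -> List[str]:
    """Addresses named by 'host' terms in one line of `ps ax | grep host`."""
    return HOST_RE.findall(line)


def missing_from_filter(configured: Iterable[str], ps_line: str) -> List[str]:
    """Honeypot addresses entered in Walleye that the running filter omits."""
    running = set(hosts_in_ps_line(ps_line))
    return [a for a in configured if a not in running]


# Constructed sample data (not from the thread): two honeypots, an "intruder"
# on another subnet, an unlisted local host and a whitelisted management box.
HONEYPOTS = ["192.0.2.10", "192.0.2.11"]
WHITELIST = ["192.0.2.1"]
SAMPLE_FLOWS = {
    "intruder->honeypot": Flow("198.51.100.5", "192.0.2.10"),
    "honeypot<->honeypot": Flow("192.0.2.10", "192.0.2.11"),
    "intruder->unlisted local host": Flow("198.51.100.5", "192.0.2.50"),
    "management->honeypot": Flow("192.0.2.1", "192.0.2.10"),
}
# Constructed ps line: a capture process whose filter names only one honeypot.
PS_LINE = " 1234 ?  S  0:00 tcpdump -i br0 -w /var/log/pcap host 192.0.2.10"


def classify(flows=SAMPLE_FLOWS, honeypots=HONEYPOTS, whitelist=WHITELIST):
    """Map each sample flow name to whether the filter would record it."""
    return {name: would_capture(f, honeypots, whitelist) for name, f in flows.items()}


if __name__ == "__main__":
    print("filter:", build_bpf(HONEYPOTS, WHITELIST))
    for name, seen in classify().items():
        print(f"{name:32} {'captured' if seen else 'dropped'}")
    print("missing from running filter:", missing_from_filter(HONEYPOTS, PS_LINE))
```

Run as-is, the intruder-to-unlisted-host flow is dropped while both honeypot flows are kept, which is the difference between what 1.1 and 1.2 show for machines on the same subnet that are not in the honeypot list; `missing_from_filter` flags the second honeypot as absent from the constructed ps line, the kind of mismatch Rob's `ps ax | grep host` request is meant to reveal.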
