What you describe is "by design". Perhaps it leads to a certain degree of "unreal-ness", but the general idea is to allow everything in and control that which leaves a Honeynet residing behind the Honeywall. Think of it as a firewall in reverse (sort-of).
Earl

On Thu, 29 Jan 2009 23:48:51 -0500 [email protected] wrote:
>Maybe this has been asked, answered, talked about before, so I apologize in
>advance if it has.
>
>I am currently running a fairly standard Honeyroo setup. Honeypot has 3 nic
>cards, eth0, eth1, eth2, in the default config. I have 2 honeypots set up
>behind it, connected via a switch to eth1.
>
>Recently, I've tried to get snort-inline running. I am new to snort in
>general, but I believe I have an ok understanding of how things are supposed
>to work.
>
>From what I can tell, for some reason snort is letting all incoming packets
>be accepted without filtering them.
>
>If I stop snort-inline, all honeypot traffic outgoing and incoming stops.
>So, I am fairly certain my "QUEUES" are set up correctly. iptables has 100%
>been configured by honeyroo scripts, I have not hand modified it in any way,
>just configured through the menu interface. While in the walleye firewall
>status webpage I see continually increasing numbers next to both incoming
>and outgoing QUEUE rules.
>
>As soon as I turn snort back on packets start flowing in both directions
>again. Outgoing packets are being alerted, dropped, etc. correctly. But
>snort-inline doesn't even seem to acknowledge incoming packets. They just
>get accepted, with no information. Below is a brief output of running
>snort-inline -v. It seems snort is only processing the outgoing stream and
>not even displaying the incoming.... My server's IP has been removed.
>
>Any Ideas?
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>01/30-04:28:27.229924 MY_HONEYPOT_IP:53 -> 121.167.11.2:31611
>UDP TTL:128 TOS:0x0 ID:53822 IpLen:20 DgmLen:70
>Len: 42
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>01/30-04:28:32.402667 MY_HONEYPOT_IP:2145 -> 58.65.233.17:80
>TCP TTL:128 TOS:0x0 ID:53823 IpLen:20 DgmLen:48 DF
>******S* Seq: 0x7FE52BC5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
>TCP Options (4) => MSS: 1460 NOP NOP SackOK
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>01/30-04:28:32.641493 MY_HONEYPOT_IP:2145 -> 58.65.233.17:80
>TCP TTL:128 TOS:0x0 ID:53824 IpLen:20 DgmLen:40 DF
>***A**** Seq: 0x7FE52BC6 Ack: 0xE409E046 Win: 0xFFFF TcpLen: 20
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>01/30-04:28:32.641559 MY_HONEYPOT_IP:2145 -> 58.65.233.17:80
>TCP TTL:128 TOS:0x0 ID:53825 IpLen:20 DgmLen:352 DF
>***AP*** Seq: 0x7FE52BC6 Ack: 0xE409E046 Win: 0xFFFF TcpLen: 20
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>_______________________________________________
>Honeywall mailing list
>[email protected]
>https://public.honeynet.org/mailman/listinfo/honeywall
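Added example, not part of the thread: a small Python check over snort -v records in the layout quoted above, classifying each packet as outbound (honeypot is the source) or inbound (honeypot is the destination) so you can confirm from a capture whether the sensor is really only showing the outbound half of each flow. It assumes the record layout shown in the quoted output; MY_HONEYPOT_IP is the poster's placeholder and the sample records are constructed from the quoted output.

```python
import re
from collections import Counter

# Constructed sample in the layout of the snort-inline -v output quoted in the
# thread; MY_HONEYPOT_IP is the poster's placeholder for the honeypot address.
SAMPLE_SNORT_V = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/30-04:28:27.229924 MY_HONEYPOT_IP:53 -> 121.167.11.2:31611
UDP TTL:128 TOS:0x0 ID:53822 IpLen:20 DgmLen:70
Len: 42
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/30-04:28:32.402667 MY_HONEYPOT_IP:2145 -> 58.65.233.17:80
TCP TTL:128 TOS:0x0 ID:53823 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7FE52BC5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# First line of every record: "<timestamp> <src>:<sport> -> <dst>:<dport>"
HEADER = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_records(text):
    """Return (timestamp, proto, src, sport, dst, dport) for each packet record."""
    records = []
    for chunk in re.split(r"^=\+[=+]*$", text, flags=re.M):  # "=+=+..." delimiters
        lines = [ln for ln in chunk.splitlines() if ln.strip()]
        if len(lines) < 2 or not (m := HEADER.match(lines[0])):
            continue  # blank chunk or non-packet text (e.g. the snort banner)
        ts, src, sport, dst, dport = m.groups()
        proto = lines[1].split()[0]  # second line starts with UDP/TCP/ICMP
        records.append((ts, proto, src, int(sport), dst, int(dport)))
    return records


def direction_counts(text, honeypot_ips):
    """Count records as outbound (honeypot is source), inbound (honeypot is destination) or other."""
    counts = Counter()
    for _, _, src, _, dst, _ in parse_records(text):
        key = "outbound" if src in honeypot_ips else "inbound" if dst in honeypot_ips else "other"
        counts[key] += 1
    return counts


def only_outbound_seen(text, honeypot_ips):
    """True when outbound packets were logged but not a single inbound one: the symptom in the thread."""
    counts = direction_counts(text, honeypot_ips)
    return counts["outbound"] > 0 and counts["inbound"] == 0
```

Run it against a longer capture of `snort-inline -v` output saved to a file; if `only_outbound_seen` stays true over a busy period, the sensor is indeed not being handed the inbound QUEUE traffic.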
