Portable Honey Pot or PHP for short... oh wait!
On 21 October 2011 15:15, Ron Gula <[email protected]> wrote:
> HoneySpot ?
>
> Ron Gula
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Larry Pesce
> Sent: Friday, October 21, 2011 10:05 AM
> To: [email protected]
> Subject: Re: [Pauldotcom] portable honeyport tool waiting for a name
>
> A name?
>
> Portable. Honeypot.
>
> How about Portapotty?
>
> :-)
>
> - L
>
> On 10/16/11 12:18 PM, Chris Benedict wrote:
>> After listening to the pdc guys talk about "honeyports" on the pdc podcast I
>> decided to run with the idea a bit further. I'm not sure if this has been
>> done yet or not, but I've written a program in Ruby to implement honeyports
>> with some extra features thrown into the mix. For info on honeyports check
>> out John Strand's tech segments on episodes 203 and 204 of the pdc podcast.
>>
>> You can use a raw TCP listener (netcat-style) to trigger blacklisting or you
>> can write modules to emulate an FTP server or web server or whatever that
>> can, for instance, give a banner and version info but blacklist on attempted
>> logins. When a host trips one of the alarms it broadcasts a signed UDP
>> alert to all the other hosts on the LAN so they can act on it also. Alerts
>> can be handled by different modules too; so far I have only written a
>> command-line module that simply executes a command with an IP address as an
>> argument, which you can use to insert an IP into a blacklist table in pf, for
>> instance. Something like a syslog or MySQL module wouldn't be too difficult
>> to write.
>>
>> As far as making it secure goes, it has some more work to be done.
>> Broadcast alerts are cryptographically signed and verified, but I need to
>> implement some stuff to prevent replay attacks and I need to add in
>> whitelisting and thresholding to make it more difficult to use as a weapon
>> against the user's own network.
>>
>> So, I've tried to make the code all very modular so its functionality can be
>> tweaked or extended pretty well (the sky should be the limit). The end goal
>> is to come up with some code that you can drop onto every box on a LAN that
>> can run a Ruby interpreter (JRuby for instance). It would make the entire
>> network go dark once an attacker starts grabbing banners or connecting to
>> ports.
>>
>> This is going to be my first project to be released and it doesn't have a
>> name yet. So, if anyone has any ideas for a name send them my way. Once I
>> have it named I will put it in a public repo on GitHub with a BSD license
>> for anyone to get to and contribute.
>>
>> -Chris Benedict
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
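The design Chris describes in the quoted message (a honeyport trips, broadcasts a signed UDP alert, and every receiver hands the source IP to a blacklist module) together with the three controls he lists as still to do (replay protection, whitelisting, thresholding), as an added example in Ruby. This is not Chris's tool or any code from the thread; the wire format, the choice of HMAC-SHA256 over a JSON body with a LAN-wide shared key, the pfctl command in the handler and the sample alerts are all assumptions made here for illustration.

```ruby
# Added example, not the tool discussed on the list. Signing scheme and wire
# format are assumptions: HMAC-SHA256 over a JSON body, shared key on every host.
require 'openssl'
require 'json'
require 'ipaddr'
require 'securerandom'

SHARED_KEY = 'replace-me-distribute-out-of-band' # assumed; not from the project

def sign(body, key)
  OpenSSL::HMAC.hexdigest('SHA256', key, body)
end

# Sender side: what a honeyport broadcasts over UDP when a host connects.
# Wire format (assumed): "<json body>\n<hex hmac>". The timestamp and random
# nonce let receivers reject stale and replayed copies of a valid alert.
def build_alert(src_ip, port, key: SHARED_KEY, now: Time.now.to_i, nonce: SecureRandom.hex(8))
  body = JSON.generate('ip' => src_ip, 'port' => port, 'ts' => now, 'nonce' => nonce)
  "#{body}\n#{sign(body, key)}"
end

# Constant-time comparison so the MAC cannot be guessed byte by byte via timing.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiver side: every host on the LAN runs one of these on the alert port.
class AlertReceiver
  attr_reader :blacklisted

  # whitelist:    CIDRs never blacklisted (management hosts, your own scanner)
  # threshold:    alerts needed from one source before it is blacklisted
  # window:       seconds of clock skew tolerated; also bounds nonce memory
  # on_blacklist: the "handler module", e.g. shells out to pfctl with the IP
  def initialize(key: SHARED_KEY, whitelist: [], threshold: 1, window: 30,
                 clock: -> { Time.now.to_i }, &on_blacklist)
    @key, @threshold, @window, @clock = key, threshold, window, clock
    @whitelist = whitelist.map { |cidr| IPAddr.new(cidr) }
    @on_blacklist = on_blacklist || ->(_ip) {}
    @seen = {}            # nonce => ts, pruned once older than the window
    @hits = Hash.new(0)   # source ip => alert count
    @blacklisted = []
  end

  # Returns a symbol describing the outcome so the caller can log it.
  def handle(raw)
    body, mac = raw.to_s.split("\n", 2)
    # MAC first: forged or corrupted datagrams cost one HMAC and no parsing.
    return :bad_sig if body.nil? || mac.nil? || !secure_eq(mac.strip, sign(body, @key))
    alert = JSON.parse(body) rescue nil
    return :malformed unless alert.is_a?(Hash) && alert['ip'] && alert['nonce']
    src = IPAddr.new(alert['ip'].to_s) rescue nil
    return :malformed if src.nil?

    now = @clock.call
    return :stale if (now - alert['ts'].to_i).abs > @window   # replay protection, part 1
    @seen.delete_if { |_, ts| now - ts > @window }
    return :replay if @seen.key?(alert['nonce'])              # replay protection, part 2
    @seen[alert['nonce']] = alert['ts'].to_i

    return :whitelisted if @whitelist.any? { |net| net.include?(src) }
    @hits[src.to_s] += 1
    return :below_threshold if @hits[src.to_s] < @threshold
    return :already_blacklisted if @blacklisted.include?(src.to_s)

    @blacklisted << src.to_s
    @on_blacklist.call(src.to_s)
    :blacklisted
  end
end

# Constructed scenario with a fixed clock so it runs offline and repeatably.
def demo
  t = 1_700_000_000
  log = []
  rx = AlertReceiver.new(key: 'demo-key', whitelist: ['10.0.0.0/8'],
                         threshold: 2, window: 30, clock: -> { t }) do |ip|
    log << "would run: pfctl -t honeyport -T add #{ip}" # assumed handler command
  end
  first = build_alert('192.0.2.10', 22, key: 'demo-key', now: t, nonce: 'n1')
  results = [
    rx.handle(first),                                                                  # :below_threshold
    rx.handle(first),                                                                  # :replay
    rx.handle(build_alert('192.0.2.10', 80, key: 'demo-key', now: t, nonce: 'n2')),    # :blacklisted
    rx.handle(build_alert('192.0.2.99', 22, key: 'wrong-key', now: t, nonce: 'n3')),   # :bad_sig
    rx.handle(build_alert('192.0.2.11', 22, key: 'demo-key', now: t - 300, nonce: 'n4')), # :stale
    rx.handle(build_alert('10.1.2.3', 22, key: 'demo-key', now: t, nonce: 'n5'))       # :whitelisted
  ]
  [results, rx.blacklisted, log]
end
```

`demo` exercises both sides with constructed alerts and a fixed clock, so nothing touches the network; in a real deployment `build_alert` runs in the honeyport's accept loop with the peer address and the string goes out on a UDP broadcast socket, and `handle` runs on each host's receiver. The ordering in `handle` is the point: the MAC is checked before anything is parsed, the timestamp window bounds how long nonces have to be remembered, and whitelist and threshold sit after authentication so an attacker cannot use unsigned traffic to blacklist your own hosts. The remaining weakness is the shared symmetric key: any one compromised host can forge alerts for the whole LAN, which per-host keys or asymmetric signatures would narrow at the cost of key distribution.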
