In honor of Larry's Disney vacation I vote Pooh On Fri, Oct 21, 2011 at 11:16 AM, Jim Halfpenny <[email protected]>wrote:
> Portable Honey Pot or PHP for short... oh wait! > > On 21 October 2011 15:15, Ron Gula <[email protected]> wrote: > > HoneySpot ? > > > > Ron Gula > > > > -----Original Message----- > > From: [email protected] [mailto: > [email protected]] On Behalf Of Larry Pesce > > Sent: Friday, October 21, 2011 10:05 AM > > To: [email protected] > > Subject: Re: [Pauldotcom] portable honeyport tool waiting for a name > > > > A name? > > > > Portable. Honeypot. > > > > How about Portapotty? > > > > :-) > > > > - L > > > > On 10/16/11 12:18 PM, Chris Benedict wrote: > >> After listening to the pdc guys talk about "honeyports" on the pdc > podcast I decided to run with the idea a bit further. I'm not sure if this > has been done yet or not, but I've written a program in Ruby to implement > honeyports with some extra features thrown into the mix. For info on > honeyports check out john strand's tech segments on episodes 203 and 204 of > the pdc podcast. > >> > >> You can use a raw tcp listener (netcat-style) to trigger blacklisting or > you can write modules to emulate a ftp server or web server or whatever that > can, for instance, give a banner and version info but blacklist on attempted > logins. When a host trips one of the alarms it broadcasts a signed udp > alert to all the other hosts on the lan so they can act on it also. Alerts > can be handled by different modules too, so far I have only written a > commandline module that simply executes a command with an ip address as an > argument that you can use to insert an ip into a blacklist table in pf for > instance. Something like a syslog or mysql module wouldn't be too difficult > to write. > >> > >> As far as making it secure goes, it has some more work to be done. > Broadcasted alerts are cryptographically signed and verified but I need to > implement some stuff to prevent replay attacks and I need to add in > whitelisting and thresholding to make it more difficult to use as a weapon > against the user's own network. > >> > >> So, I've tried to make the code all very modular so its functionality > can be tweaked or extended pretty well (the sky should be the limit). The > end-goal is to come up with some code that you can drop onto every box on a > lan that can run a ruby interpreter (jruby for instance). It would make the > entire network go dark once an attacker starts grabbing banners or > connecting to ports. > >> > >> This is going to be my first project to be released and it doesn't have > a name yet. So, if anyone has any ideas for a name send them my way. Once > I have it named I will put it in a public repo on github with a BSD license > for anyone to get to and contribute. > >> > >> -Chris Benedict > >> > >> _______________________________________________ > >> Pauldotcom mailing list > >> [email protected] > >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > >> Main Web Site: http://pauldotcom.com > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > -- Tim Krabec Kracomp 772-597-2349 www.kracomp.com www.smbminute.com (podcast) tkrabec.com
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
