Pooh

Sent from my phone.

On Oct 21, 2011 9:59 AM, "Tim Krabec" <[email protected]> wrote:
> In honor of Larry's Disney vacation I vote Pooh
>
> On Fri, Oct 21, 2011 at 11:16 AM, Jim Halfpenny <[email protected]> wrote:
>
>> Portable Honey Pot or PHP for short... oh wait!
>>
>> On 21 October 2011 15:15, Ron Gula <[email protected]> wrote:
>> > HoneySpot ?
>> >
>> > Ron Gula
>> >
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]] On Behalf Of Larry Pesce
>> > Sent: Friday, October 21, 2011 10:05 AM
>> > To: [email protected]
>> > Subject: Re: [Pauldotcom] portable honeyport tool waiting for a name
>> >
>> > A name?
>> >
>> > Portable. Honeypot.
>> >
>> > How about Portapotty?
>> >
>> > :-)
>> >
>> > - L
>> >
>> > On 10/16/11 12:18 PM, Chris Benedict wrote:
>> >> After listening to the pdc guys talk about "honeyports" on the pdc
>> >> podcast I decided to run with the idea a bit further. I'm not sure if
>> >> this has been done yet or not, but I've written a program in Ruby to
>> >> implement honeyports with some extra features thrown into the mix. For
>> >> info on honeyports check out John Strand's tech segments on episodes
>> >> 203 and 204 of the pdc podcast.
>> >>
>> >> You can use a raw tcp listener (netcat-style) to trigger blacklisting
>> >> or you can write modules to emulate a ftp server or web server or
>> >> whatever that can, for instance, give a banner and version info but
>> >> blacklist on attempted logins. When a host trips one of the alarms it
>> >> broadcasts a signed udp alert to all the other hosts on the lan so
>> >> they can act on it also. Alerts can be handled by different modules
>> >> too, so far I have only written a commandline module that simply
>> >> executes a command with an ip address as an argument that you can use
>> >> to insert an ip into a blacklist table in pf for instance. Something
>> >> like a syslog or mysql module wouldn't be too difficult to write.
>> >>
>> >> As far as making it secure goes, it has some more work to be done.
>> >> Broadcasted alerts are cryptographically signed and verified but I
>> >> need to implement some stuff to prevent replay attacks and I need to
>> >> add in whitelisting and thresholding to make it more difficult to use
>> >> as a weapon against the user's own network.
>> >>
>> >> So, I've tried to make the code all very modular so its functionality
>> >> can be tweaked or extended pretty well (the sky should be the limit).
>> >> The end-goal is to come up with some code that you can drop onto every
>> >> box on a lan that can run a ruby interpreter (jruby for instance). It
>> >> would make the entire network go dark once an attacker starts grabbing
>> >> banners or connecting to ports.
>> >>
>> >> This is going to be my first project to be released and it doesn't
>> >> have a name yet. So, if anyone has any ideas for a name send them my
>> >> way. Once I have it named I will put it in a public repo on github
>> >> with a BSD license for anyone to get to and contribute.
>> >>
>> >> -Chris Benedict
>> >>
>> >> _______________________________________________
>> >> Pauldotcom mailing list
>> >> [email protected]
>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >> Main Web Site: http://pauldotcom.com
>
> --
> Tim Krabec
> Kracomp
> 772-597-2349
> www.kracomp.com
> www.smbminute.com (podcast)
> tkrabec.com
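
Added example, not part of the thread and not Chris Benedict's code: a Ruby receiver for signed alerts that adds the replay protection and whitelisting the original post lists as still to do. The HMAC-SHA256 shared key, the timestamp-plus-nonce message format, the 30-second window and every name here are assumptions; the post does not say how its alerts are signed or encoded.

```ruby
require 'openssl'
require 'securerandom'
require 'json'
require 'set'

# Hypothetical verifier for honeyport alerts; all names are illustrative.
class AlertVerifier
  MAX_SKEW = 30 # seconds an alert stays acceptable (assumed window)

  def initialize(key, whitelist: [])
    @key = key
    @whitelist = Set.new(whitelist) # hosts that must never be blocked
    @seen = {}                      # nonce => timestamp, pruned as it ages out
  end

  # Sender side: serialize the alert and append an HMAC-SHA256 tag.
  def self.sign(key, ip, now: Time.now.to_i)
    body = JSON.generate('ip' => ip, 'ts' => now, 'nonce' => SecureRandom.hex(16))
    "#{body}|#{OpenSSL::HMAC.hexdigest('SHA256', key, body)}"
  end

  # Receiver side: returns [:block, ip] or [:reject, reason].
  def check(datagram, now: Time.now.to_i)
    body, tag = datagram.rpartition('|').values_at(0, 2)
    expected = OpenSSL::HMAC.hexdigest('SHA256', @key, body)
    # Authenticate first, in constant time, before parsing untrusted bytes.
    return [:reject, :bad_signature] unless OpenSSL.secure_compare(tag, expected)
    alert = JSON.parse(body)
    # A signed timestamp bounds how long a captured datagram stays usable.
    return [:reject, :stale] if (now - alert['ts']).abs > MAX_SKEW
    @seen.delete_if { |_, ts| (now - ts).abs > MAX_SKEW }
    # Inside the window, each nonce is accepted once.
    return [:reject, :replayed] if @seen.key?(alert['nonce'])
    @seen[alert['nonce']] = alert['ts']
    # A valid alert naming a protected host (gateway, DNS) is still refused.
    return [:reject, :whitelisted] if @whitelist.include?(alert['ip'])
    [:block, alert['ip']]
  end
end

if __FILE__ == $PROGRAM_NAME
  key = 'constructed-demo-key' # constructed sample values, not from the thread
  v = AlertVerifier.new(key, whitelist: ['192.0.2.1'])
  alert = AlertVerifier.sign(key, '203.0.113.7')
  p v.check(alert) # first delivery
  p v.check(alert) # same datagram captured and sent again
end
```

Thresholding, the third item the post mentions, is not covered here; it would sit in front of the sender and limit how many alerts one host may raise.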
