Pooh

Sent from my phone.
On Oct 21, 2011 9:59 AM, "Tim Krabec" <[email protected]> wrote:

> In honor of Larry's Disney vacation I vote Pooh
>
> On Fri, Oct 21, 2011 at 11:16 AM, Jim Halfpenny <[email protected]> wrote:
>
>> Portable Honey Pot or PHP for short... oh wait!
>>
>> On 21 October 2011 15:15, Ron Gula <[email protected]> wrote:
>> > HoneySpot  ?
>> >
>> > Ron Gula
>> >
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]] On Behalf Of Larry Pesce
>> > Sent: Friday, October 21, 2011 10:05 AM
>> > To: [email protected]
>> > Subject: Re: [Pauldotcom] portable honeyport tool waiting for a name
>> >
>> > A name?
>> >
>> > Portable.  Honeypot.
>> >
>> > How about Portapotty?
>> >
>> > :-)
>> >
>> > - L
>> >
>> > On 10/16/11 12:18 PM, Chris Benedict wrote:
>> >> After listening to the pdc guys talk about "honeyports" on the pdc podcast I decided to run with the idea a bit further.  I'm not sure if this has been done yet or not, but I've written a program in Ruby to implement honeyports with some extra features thrown into the mix.  For info on honeyports check out john strand's tech segments on episodes 203 and 204 of the pdc podcast.
>> >>
>> >> You can use a raw tcp listener (netcat-style) to trigger blacklisting or you can write modules to emulate a ftp server or web server or whatever that can, for instance, give a banner and version info but blacklist on attempted logins.  When a host trips one of the alarms it broadcasts a signed udp alert to all the other hosts on the lan so they can act on it also.  Alerts can be handled by different modules too, so far I have only written a commandline module that simply executes a command with an ip address as an argument that you can use to insert an ip into a blacklist table in pf for instance.  Something like a syslog or mysql module wouldn't be too difficult to write.
>> >>
>> >> As far as making it secure goes, it has some more work to be done.  Broadcasted alerts are cryptographically signed and verified but I need to implement some stuff to prevent replay attacks and I need to add in whitelisting and thresholding to make it more difficult to use as a weapon against the user's own network.
>> >>
>> >> So, I've tried to make the code all very modular so its functionality can be tweaked or extended pretty well (the sky should be the limit).  The end-goal is to come up with some code that you can drop onto every box on a lan that can run a ruby interpreter (jruby for instance).  It would make the entire network go dark once an attacker starts grabbing banners or connecting to ports.
>> >>
>> >> This is going to be my first project to be released and it doesn't have a name yet.  So, if anyone has any ideas for a name send them my way.  Once I have it named I will put it in a public repo on github with a BSD license for anyone to get to and contribute.
>> >>
>> >> -Chris Benedict
>> >>
>> >> _______________________________________________
>> >> Pauldotcom mailing list
>> >> [email protected]
>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >> Main Web Site: http://pauldotcom.com
>> >
>>
>
>
>
> --
> Tim Krabec
> Kracomp
> 772-597-2349
> www.kracomp.com
> www.smbminute.com (podcast)
> tkrabec.com
>
>
>

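The original post at the bottom of this thread lists replay protection, whitelisting and thresholding as work still to be done on the signed UDP alerts. One way a receiving host could handle all three is sketched below as an added example; it is not part of the thread or of Chris Benedict's tool. The HMAC-SHA256 pre-shared key, the message fields, the `AlertVerifier` name, the 30-second window and the "two distinct reporters" threshold are all assumptions.

```ruby
require 'openssl'
require 'json'
require 'ipaddr'
require 'securerandom'

# Added example, not the tool's code. Assumes a pre-shared HMAC-SHA256 key;
# the post does not say which signature scheme the tool uses.
class AlertVerifier
  MAX_SKEW  = 30 # seconds an alert stays acceptable (assumed value)
  THRESHOLD = 2  # distinct reporting hosts required before blocking (assumed)

  def initialize(key, whitelist)
    @key = key
    @whitelist = whitelist.map { |net| IPAddr.new(net) }
    @seen = {}                               # nonce => expiry time
    @reports = Hash.new { |h, k| h[k] = {} } # offender => { reporter => true }
  end

  # Sender side: the MAC covers offender, reporter, timestamp and nonce.
  def self.sign(key, offender, reporter, now = Time.now.to_i, nonce = SecureRandom.hex(8))
    body = JSON.generate('ip' => offender, 'from' => reporter, 'ts' => now, 'nonce' => nonce)
    JSON.generate('body' => body, 'mac' => OpenSSL::HMAC.hexdigest('SHA256', key, body))
  end

  # Receiver side. Returns :malformed, :bad_sig, :stale, :replay,
  # :whitelisted, :counted or :block.
  def handle(packet, now = Time.now.to_i)
    msg = JSON.parse(packet)
    expected = OpenSSL::HMAC.hexdigest('SHA256', @key, msg['body'])
    return :bad_sig unless OpenSSL.secure_compare(expected, msg['mac'].to_s)

    alert = JSON.parse(msg['body'])
    return :stale if (now - alert['ts']).abs > MAX_SKEW # bounds the nonce cache

    @seen.delete_if { |_, expiry| expiry < now }
    return :replay if @seen.key?(alert['nonce'])
    @seen[alert['nonce']] = alert['ts'] + MAX_SKEW # keep until the alert is stale

    offender = IPAddr.new(alert['ip'])
    return :whitelisted if @whitelist.any? { |net| net.include?(offender) }

    # Require agreement from several hosts so one alert cannot block an address.
    @reports[alert['ip']][alert['from']] = true
    @reports[alert['ip']].size >= THRESHOLD ? :block : :counted
  rescue StandardError
    :malformed # anything unparseable is dropped, never acted on
  end
end
```

With a single shared key the `from` field is only as trustworthy as every key holder, so per-host keys or signatures would be needed for the threshold to resist a compromised host.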