http://anthonykasza.webs.com/docs/honeyports.pdf
On Mon, Jul 30, 2012 at 10:45 PM, Arch Angel <[email protected]> wrote:
> I think the community has spoken, we all want to read it :-)
>
> --
>
> Thank you,
>
> Robert Miller
> http://www.armoredpackets.com
>
> Twitter: @arch3angel
>
>
> On 7/19/2012 12:38 PM, anthony kasza wrote:
>>
>> I've got a brief write up about how I integrated John's and Paul's
>> honeyport script into an Ubuntu based OSSEC environment. It provides a
>> way for all OSSEC agents to blacklist an IP that connects to a single
>> honeyport on a single OSSEC agent.
>>
>> The write up includes the modified honeyport script as well as custom
>> OSSEC dissectors, rules, and configuration changes needed to set this
>> up. If anyone is interested in reading it, let me know.
>>
>> -AK
>>
>> On Thu, Jul 12, 2012 at 1:36 PM, Chris Benedict <[email protected]> wrote:
>>>
>>> My project is mostly working, https://github.com/chrisbdaemon/BearTrap.
>>>
>>> I had to remove some of the functionality, but as a neat honeyport tool it
>>> should work alright. It just hasn't really been used much yet.
>>>
>>> -Chris Benedict
>>>
>>> On Thu, Jul 12, 2012 at 8:50 AM, Doug Burks <[email protected]> wrote:
>>>>
>>>> Hi Anthony,
>>>>
>>>> If you're planning on using OSSEC anyway, could you just have OSSEC
>>>> monitor IPTables for any DROPs?
>>>>
>>>> Example from
>>>> http://securityonion.blogspot.com/2010/02/defense-in-depth-using-ossec-and-other.html:
>>>>
>>>> # Configure RHEL IPTables firewall to log any dropped packets to
>>>> # /var/log/messages to be monitored by OSSEC
>>>> iptables -I RH-Firewall-1-INPUT 11 -j LOG --log-prefix="DROP "
>>>>
>>>> Thanks,
>>>> Doug
>>>>
>>>> On Wed, Jul 11, 2012 at 6:32 PM, anthony kasza <[email protected]> wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> On 10/16/11 12:18 PM, Chris Benedict wrote this list about a honeyport
>>>>> project. Does anyone know if the project took off? I'm attempting to
>>>>> integrate the command line scripts that John and Paul talked about at
>>>>> last year's DerbyCon (see slide 38) into OSSEC's active-response.
>>>>>
>>>>> -AK
>>>>> _______________________________________________
>>>>> Pauldotcom mailing list
>>>>> [email protected]
>>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>>> Main Web Site: http://pauldotcom.com
>>>>
>>>> --
>>>> Doug Burks
>>>> http://securityonion.blogspot.com
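Added example for the two approaches discussed in this thread (a honeyport listener that turns a single TCP connect into a blacklist decision, as in AK's write-up, and Doug's alternative of parsing the netfilter LOG lines that OSSEC watches). This is illustration code written for this page; it is not the DerbyCon script, not BearTrap, and not the code in the linked PDF. The allow-list ranges, the honeyport port 2222, the sample log lines and the `block_command` response are assumptions made for the example; the iptables command is returned rather than executed.

```python
"""Honeyport hit detection two ways: a live listener and a LOG-line parser.
Added example, not code from the thread or the linked write-up."""
import re
import socket
import threading
import time
from ipaddress import ip_address, ip_network

# Assumed allow-list: never blacklist localhost or our own scanner range,
# or the first internal port scan bans the monitoring host itself.
NEVER_BLOCK = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]

# Standard netfilter LOG fields: "... SRC=a.b.c.d DST=w.x.y.z ... PROTO=TCP SPT=n DPT=m"
_LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

# Constructed sample of /var/log/messages after a LOG rule with --log-prefix "DROP ".
# 2222 is the assumed honeyport; 23 is an ordinary closed port.
SAMPLE_LOG = [
    "Jul 12 08:50:01 agent1 kernel: DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF "
    "PROTO=TCP SPT=51234 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jul 12 08:50:02 agent1 kernel: DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=2 "
    "PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1",
    "Jul 12 08:50:03 agent1 kernel: DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 "
    "SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF "
    "PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jul 12 08:50:04 agent1 kernel: DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 "
    "SRC=10.1.1.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF "
    "PROTO=TCP SPT=5555 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0",
]


def parse_iptables_log(line):
    """Pull src/dst/proto/ports out of one kernel LOG line; None if it is not one."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("spt", "dpt"):   # ICMP lines carry no ports
        fields[key] = int(fields[key]) if fields[key] else None
    return fields


def dropped_sources(lines, honeyport_dports, prefix="DROP "):
    """Doug's approach: sources of dropped packets that were aimed at a honeyport port."""
    hits = set()
    for line in lines:
        f = parse_iptables_log(line) if prefix in line else None
        if f and f["dpt"] in honeyport_dports:
            hits.add(f["src"])
    return hits


def should_block(src_ip):
    """Allow-list check every active response must run before blacklisting."""
    return not any(ip_address(src_ip) in net for net in NEVER_BLOCK)


def block_command(src_ip):
    """The iptables command an active response would run; returned, not executed."""
    return ["iptables", "-I", "INPUT", "-s", src_ip, "-j", "DROP"]


def blacklist_candidates(lines, honeyport_dports):
    """Sorted sources that hit a honeyport and are not allow-listed."""
    return sorted(ip for ip in dropped_sources(lines, honeyport_dports) if should_block(ip))


class Honeyport:
    """AK's approach: listen on one unused TCP port; every completed connect is a hit.
    Nothing is sent back, and a half-open SYN scan never reaches accept(), so only
    a full handshake (hard to spoof) registers."""

    def __init__(self, host="127.0.0.1", port=0):   # port 0: the OS picks a free port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)        # lets the accept loop notice close()
        self.port = self.sock.getsockname()[1]
        self.hits = []                   # (src_ip, src_port) per connection
        self._lock, self._stop = threading.Lock(), threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            conn.close()                 # the connect itself was the signal
            with self._lock:
                self.hits.append((src_ip, src_port))

    def wait_for_hits(self, n, timeout=2.0):
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.hits) >= n:
                    return list(self.hits)
            time.sleep(0.02)
        with self._lock:
            return list(self.hits)

    def close(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()


def probe(hp):
    """Play the scanner: one TCP connect to the honeyport, then report the hits."""
    with socket.create_connection(("127.0.0.1", hp.port), timeout=2):
        pass
    return hp.wait_for_hits(1)
```

Wiring either detector into OSSEC active-response is what the write-up covers; the piece worth keeping from this example is `should_block`: a honeyport that blacklists on a single connect will, without an allow-list, eventually ban your own vulnerability scanner or a monitoring host, and because the block is pushed to every agent, that mistake is cluster-wide.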
