
Analysing malicious traffic

  • 18-07-2010 11:21pm, #1 (Registered Users, Posts: 1,190)


    Router picks up quite the collection of port scans and DoS attempts etc. I'm interested in logging it and generating statistics. I was thinking of forwarding all traffic that isn't wanted to a DMZ server with a honeypot or just general statistics running. Obviously I want to make especially sure if I set this up that it isn't going to become vulnerable. Wouldn't it be the icon of shame if I actually left something unpatched or set up the firewall wrong and ended up letting people in.

    http://nepenthes.carnivore.it/ Here's something that came up at HOPE this year. I was thinking of setting up something similar. It emulates a vulnerable server and collects data on attacks.

    Anyone have any alternatives as well as advice and experience on the matter?



Comments

  • rfrederick (Registered Users, Posts: 85)


    There are a couple of tools I can think of, though I haven't actually played with them yet. First is honeyd from the Honeynet Project (http://www.honeynet.org/project). honeyd has rather low interactivity with malicious traffic that it captures. The Honeynet Project also offers a number of highly interactive honeypot offerings as well, such as Honeywall. Another is Damn Vulnerable Linux (http://damnvulnerablelinux.org), a live CD Slackware-based distro that offers vulnerable and misconfigured versions of common *nix services (Apache, Tomcat, MySQL, etc.). It's primarily intended as a teaching tool for vulnerability exploitation and analysis, but sometime this week a honeypot module will be added on that logs malicious traffic to a remote server (while hiding the fact) and can dynamically escalate privileges as much as the user desires when malicious activity is detected.


  • Gavin (Registered Users, Posts: 4,676)


    With respect to setting up the honeypot, it should be fairly straightforward to set up the firewalling and DMZ. Run it in a VM, and run your packet sniffer on a separate machine preferably, or on the host OS. If using Linux, log syslog data to a remote machine, or if you want to go totally nuts, log it to a line printer for the ultimate in paper wastage and reliable records.

    Depending on the size of your Internet connection, you'll pick up a large amount of data. It can be difficult to make sense of gigs of network traffic. Something like Snort or Bro might be handy tools to help in the analysis/statistic generation.

    I'd also be interested in any other analysis tools/ideas people have.

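As an added illustration of the "log it remotely and generate statistics" approach discussed in this thread (not code from any poster or from the tools named above), the script below parses Netfilter/iptables LOG lines of the kind a Linux router sends to syslog, tallies hits per source, counts the distinct (protocol, port) targets each source touched, and flags scan-like sources. The log lines are constructed samples using documentation address ranges, and the `scan_threshold` of five distinct ports is an assumed tuning value, not a standard.

```python
import re
from collections import Counter, defaultdict

# Constructed Netfilter LOG lines in the form a Linux router writes to syslog
# (not real captures; addresses are documentation ranges).
SAMPLE_LOG = """\
Jul 18 23:21:01 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=22 SYN
Jul 18 23:21:01 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44322 DPT=23 SYN
Jul 18 23:21:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44323 DPT=80 SYN
Jul 18 23:21:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44324 DPT=443 SYN
Jul 18 23:21:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44325 DPT=3389 SYN
Jul 18 23:21:09 gw kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22 SYN
Jul 18 23:21:15 gw kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=22 SYN
Jul 18 23:21:20 gw kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP SPT=5060 DPT=5060
Jul 18 23:21:21 gw kernel: unrelated kernel message without netfilter fields
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Extract SRC/DST/PROTO/DPT from one LOG line; None if any is missing."""
    f = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
        return None
    return {"src": f["SRC"], "dst": f["DST"], "proto": f["PROTO"], "dport": int(f["DPT"])}

def summarise(lines, scan_threshold=5):
    """Per-source hits and distinct (proto, port) targets; flag scan-like sources.
    scan_threshold is an assumed tuning knob, not a standard value."""
    hits, targets = Counter(), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        hits[rec["src"]] += 1
        targets[rec["src"]].add((rec["proto"], rec["dport"]))
    return {src: {"hits": n, "distinct_ports": len(targets[src]),
                  "scan_like": len(targets[src]) >= scan_threshold}
            for src, n in hits.items()}

def top_ports(lines, n=3):
    """Most-targeted (proto, port) pairs, for the 'what are they after' statistic."""
    return Counter((r["proto"], r["dport"])
                   for r in filter(None, map(parse_line, lines))).most_common(n)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, s in sorted(summarise(lines).items()):
        print(f"{src:15} hits={s['hits']} ports={s['distinct_ports']} scan_like={s['scan_like']}")
    print("top targets:", top_ports(lines))
```

Pointed at a remote syslog file instead of `SAMPLE_LOG`, the same functions give the per-source and per-port statistics the original poster asked about without exposing anything beyond the router's existing logging.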

  • JimmyCrackCorn (Registered Users, Posts: 1,691)


    I ran it for a month about a year or so ago.

    You'll be surprised how much malware makes an attempt on a public IP address.

    A good experiment, as I wanted to reverse engineer a little (had a little too much time on my hands).

    Found it easy to get running.


  • hmmm (Registered Users, Posts: 11,205)


    I would avoid the honeypot & set up a Snort system instead. Obviously a network tap would be preferred but there is some good info out there as to how to make the system as invisible as possible.

