[Honeywall] Roo 1.2 connections and events (compared to 1.1)
Kadushkin, Konstantin Y.
KYKadushkin at tnk-bp.com
Thu Jun 28 05:51:55 EDT 2007
I'm using roo 1.1 installation, and a number of high interaction
honeypots - Windows Guests on VMWare. Honeypots emulating AD, SMS,
Exchange, so they generate a lot of connections with each over (I think
that's ok for this environment). Also, I have an "intruder" workstation,
which assigned IP from different scope rather then honeypots. All ok, I
see connections, IDS events, "intruder" IP in "Top 10 Remote Hosts" in
Once I migrate to roo 1.2, I see 2 to 5 connections in about 2 hours
(some broadcasts), no IDS events, no events from "intruder", no records
in "Top 10 Remote Hosts".
Back to 1.1 - all events and records back. All parameters in 1.1 and 1.2
Why? What's the difference can give this result?
More information about the Honeywall