[Honeywall] Roo 1.2 connections and events (compared to 1.1)

Kadushkin, Konstantin Y. KYKadushkin at tnk-bp.com
Thu Jun 28 05:51:55 EDT 2007


Dear all!

I'm using a roo 1.1 installation and a number of high-interaction
honeypots - Windows guests on VMware. The honeypots emulate AD, SMS, and
Exchange, so they generate a lot of connections with each other (I think
that's ok for this environment). Also, I have an "intruder" workstation,
which is assigned an IP from a different scope than the honeypots. All ok, I
see connections, IDS events, "intruder" IP in "Top 10 Remote Hosts" in
Walleye.

Once I migrate to roo 1.2, I see 2 to 5 connections in about 2 hours
(some broadcasts), no IDS events, no events from "intruder", no records
in "Top 10 Remote Hosts". 

Back to 1.1 - all events and records back. All parameters in 1.1 and 1.2
are similar.

Why? What difference could give this result?

Best regards,
KostyaK

