[Honeywall] Roo 1.2 connections and events (compared to 1.1)

Rob McMillen rvmcmil at gmail.com
Thu Jun 28 12:39:52 EDT 2007


KostyaK,
    If you log onto your 1.2 honeywall and run the following command:

ps ax | grep host

You will probably notice that by default, all data capture mechanisms
are now using a BPF filter.  This filter is based on the contents of
the HwHPOT_PUBLIC_IP variable.  It should only be capturing things to
and from the IP addresses there.  It also incorporates the blacklist and
whitelist if they are enabled.

Can you paste the results of the ps ax | grep host command above?

In your 1.1 honeywall, were the events related to your honeypots or
simply machines that were on the same local subnet?

Thanks in advance,

Rob

On 6/28/07, Kadushkin, Konstantin Y. <KYKadushkin at tnk-bp.com> wrote:
> Dear all!
>
> I'm using a roo 1.1 installation, and a number of high-interaction
> honeypots - Windows guests on VMware. The honeypots emulate AD, SMS and
> Exchange, so they generate a lot of connections with each other (I think
> that's OK for this environment). Also, I have an "intruder" workstation,
> which is assigned an IP from a different scope than the honeypots. All is
> OK: I see connections, IDS events, and the "intruder" IP in "Top 10 Remote
> Hosts" in Walleye.
>
> Once I migrated to roo 1.2, I see 2 to 5 connections in about 2 hours
> (some broadcasts), no IDS events, no events from the "intruder", and no
> records in "Top 10 Remote Hosts".
>
> Back on 1.1, all events and records are back. All parameters in 1.1 and
> 1.2 are similar.
>
> Why? What difference could give this result?
>
> Best regards,
> KostyaK
> _______________________________________________
> Honeywall mailing list
> Honeywall at public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/honeywall
>
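The following is an added example, not code from the thread or from the Honeywall project, that models what Rob describes: a capture filter built from HwHPOT_PUBLIC_IP only admits packets with a honeypot at one end, so traffic between an "intruder" and non-honeypot machines on the same LAN disappears from the 1.2 sensor even though 1.1 (unfiltered) logged it. The "host A or host B" filter shape, the treatment of the blacklist/whitelist as a single set of excluded hosts, and every address (RFC 5737 documentation ranges) are assumptions constructed for the example; the real filter text is whatever your own `ps ax | grep host` shows.

```python
"""Added example (not Honeywall code): model what a per-honeypot BPF filter
lets through, so the drop from roo 1.1 to roo 1.2 can be reasoned about.

Assumptions, not taken from the thread or the Honeywall documentation:
  * the capture filter is "host A or host B ..." built from the
    whitespace-separated addresses in HwHPOT_PUBLIC_IP;
  * one set of "excluded" hosts stands in for whichever of the
    blacklist/whitelist is enabled (their exact semantics are Honeywall's).
All addresses below are constructed from RFC 5737 documentation ranges.
"""
import ipaddress
from typing import FrozenSet, Iterable, List, Set, Tuple

Flow = Tuple[str, str]  # (src, dst)


def build_bpf_filter(hwhpot_public_ip: str) -> str:
    """Turn an HwHPOT_PUBLIC_IP value into the 'host ... or host ...' expression
    you would expect to see in `ps ax | grep host` (assumed format).

    Each entry is validated as an IP address so a typo in the variable fails
    loudly here rather than silently matching nothing on the sensor."""
    hosts = [str(ipaddress.ip_address(h)) for h in hwhpot_public_ip.split()]
    if not hosts:
        raise ValueError("HwHPOT_PUBLIC_IP is empty: the filter would capture nothing")
    return " or ".join(f"host {h}" for h in hosts)


def is_captured(flow: Flow, honeypots: Set[str],
                excluded: FrozenSet[str] = frozenset()) -> bool:
    """A packet passes the filter only if one endpoint is a honeypot and
    neither endpoint is on the (assumed) exclusion list."""
    src, dst = flow
    if src in excluded or dst in excluded:
        return False
    return src in honeypots or dst in honeypots


def triage(flows: Iterable[Flow], honeypots: Set[str],
           excluded: FrozenSet[str] = frozenset()) -> Tuple[List[Flow], List[Flow]]:
    """Split observed flows into what the filtered (1.2-style) sensor records
    and what it silently drops; an unfiltered (1.1-style) sensor records all."""
    seen: List[Flow] = []
    dropped: List[Flow] = []
    for flow in flows:
        (seen if is_captured(flow, honeypots, excluded) else dropped).append(flow)
    return seen, dropped


# --- constructed sample environment -------------------------------------
HWHPOT_PUBLIC_IP = "192.0.2.10 192.0.2.11 192.0.2.12"  # three honeypots
INTRUDER = "198.51.100.5"   # "intruder" workstation, different scope
LAN_HOST = "192.0.2.50"     # non-honeypot machine on the honeypot subnet
BROADCAST = "192.0.2.255"

SAMPLE_FLOWS: List[Flow] = [
    ("192.0.2.10", "192.0.2.11"),  # AD <-> Exchange chatter: captured
    (INTRUDER, "192.0.2.12"),      # intruder hits a honeypot: captured
    (INTRUDER, LAN_HOST),          # intruder hits a non-honeypot: dropped
    (LAN_HOST, BROADCAST),         # broadcast from another LAN host: dropped
    (LAN_HOST, "192.0.2.11"),      # LAN host talks to a honeypot: captured
]

if __name__ == "__main__":
    honeypots = set(HWHPOT_PUBLIC_IP.split())
    print("filter:", build_bpf_filter(HWHPOT_PUBLIC_IP))
    seen, dropped = triage(SAMPLE_FLOWS, honeypots)
    print(f"1.2 sensor records {len(seen)} of {len(SAMPLE_FLOWS)} flows")
    for flow in dropped:
        print("  dropped:", flow)
```

The check to make on a real sensor is the same as the model's: list the flows you expected to see, confirm each has an address from HwHPOT_PUBLIC_IP at one end, and confirm neither end is covered by an enabled blacklist or whitelist entry. A flow that fails either test is invisible to a filtered capture no matter how busy the honeypots are.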
