[Honeywall] Roo 1.2 connections and events (compared to 1.1)
Kadushkin, Konstantin Y.
KYKadushkin at tnk-bp.com
Fri Jun 29 01:27:04 EDT 2007
Rob, thanks for your answer!
After installing 1.2 and seeing no connections, the first thing I did was uncheck this
parameter (BPF) in Walleye. No result.
Should I see connections and events from the "intruder" regardless of BPF?
Sorry, I have now reverted to 1.1. I'll try to install 1.2 and run ps...
In 1.1 I see connections from honeypots, to honeypots from the "intruder"
and from local subnet IPs which are not listed in the "IP Address(es) of your
honeypots" fields in Walleye.
> -----Original Message-----
> From: honeywall-bounces at public.honeynet.org
> [mailto:honeywall-bounces at public.honeynet.org] On Behalf Of
> Rob McMillen
> Sent: Thursday, June 28, 2007 8:40 PM
> To: honeywall at public.honeynet.org
> Subject: Re: [Honeywall] Roo 1.2 connections and events
> (compared to 1.1)
> If you log onto your 1.2 honeywall, and run the following command:
> ps ax | grep host
> You will probably notice that by default, all data capture
> mechanisms are now using a bpf filter. This filter is based
> on the contents of the HwHPOT_PUBLIC_IP variable. It should
> only be capturing things to and from the ip addresses there.
> It also incorporates the black and white list if they are enabled.
> Can you paste the results of the ps ax | grep host command above?
> In your 1.1 honeywall, were the events related to your
> honeypots or simply machines that were on the same local subnet?
> Thanks in advance,
> On 6/28/07, Kadushkin, Konstantin Y. <KYKadushkin at tnk-bp.com> wrote:
> > Dear all!
> > I'm using a roo 1.1 installation and a number of high interaction
> > honeypots - Windows guests on VMware. The honeypots emulate AD, SMS and
> > Exchange, so they generate a lot of connections with each other (I
> > think that's ok for this environment). Also, I have an "intruder"
> > workstation, which is assigned an IP from a different scope than the
> > honeypots. All ok, I see connections, IDS events, the "intruder" IP in
> > "Top 10 Remote Hosts" in Walleye.
> > Once I migrate to roo 1.2, I see 2 to 5 connections in about 2 hours
> > (some broadcasts), no IDS events, no events from the "intruder", no
> > records in "Top 10 Remote Hosts".
> > Back to 1.1 - all events and records are back. All parameters in 1.1 and
> > 1.2 are similar.
> > Why? What difference could give this result?
> > Best regards,
> > KostyaK
> > _______________________________________________
> > Honeywall mailing list
> > Honeywall at public.honeynet.org
> > https://public.honeynet.org/mailman/listinfo/honeywall
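Added example (not part of this thread or of the Honeywall code): a simplified model of the capture filter Rob describes, built from a honeypot IP list as HwHPOT_PUBLIC_IP would supply it, used to check which of the reporter's 1.1-era flows would still be recorded under 1.2. The "host ... or host ..." filter shape and the sample addresses are assumptions; the black/white lists are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection, by source and destination IP."""
    src: str
    dst: str


def build_bpf(honeypot_ips):
    """Assumed shape of the generated filter: one 'host' term per honeypot."""
    return " or ".join(f"host {ip}" for ip in honeypot_ips)


def is_captured(flow, honeypot_ips):
    """A per-host BPF filter keeps a packet only if either endpoint matches."""
    return flow.src in honeypot_ips or flow.dst in honeypot_ips


def explain(flows, honeypot_ips):
    """Map each flow to whether the 1.2 sensors would still see it, so the
    connections that 'vanish' after the upgrade can be identified."""
    return {f: is_captured(f, honeypot_ips) for f in flows}


# Constructed sample addresses (RFC 5737 documentation ranges).
HONEYPOTS = {"192.0.2.10", "192.0.2.11"}   # what HwHPOT_PUBLIC_IP would list
INTRUDER = "198.51.100.7"                  # workstation in a different scope
SUBNET_HOST = "192.0.2.50"                 # same subnet, not a honeypot

SAMPLE_FLOWS = [
    Flow(INTRUDER, "192.0.2.10"),      # intruder -> honeypot: still captured
    Flow("192.0.2.10", "192.0.2.11"),  # honeypot -> honeypot (AD/Exchange chatter)
    Flow(SUBNET_HOST, "192.0.2.99"),   # subnet noise seen in 1.1: filtered in 1.2
    Flow("192.0.2.10", INTRUDER),      # honeypot -> intruder: still captured
]

if __name__ == "__main__":
    print("bpf:", build_bpf(sorted(HONEYPOTS)))
    for flow, kept in explain(SAMPLE_FLOWS, HONEYPOTS).items():
        state = "captured" if kept else "filtered out"
        print(f"{flow.src:>14} -> {flow.dst:<14} {state}")
```

If intruder-to-honeypot flows are missing while this model says they should be captured, the honeypot IPs the filter was built from are the first thing to compare against the ps output.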