[Honeywall] Roo 1.2 connections and events (compared to 1.1)

Kadushkin, Konstantin Y. KYKadushkin at tnk-bp.com
Fri Jun 29 01:27:04 EDT 2007


Rob, thanks for your answer!

After installing 1.2 and seeing no connections, the first thing I did was uncheck this
parameter (BPF) in Walleye. No result.

Should I see connections and events from the "intruder" regardless of BPF?

Sorry, I have now reverted to 1.1. I'll try to install 1.2 and run ps...
In 1.1 I see connections from honeypots, to honeypots from the "intruder",
and from local subnet IPs which are not listed in the "IP Address(es) of your
honeypots" fields in Walleye.

Best regards,
KostyaK
 

> -----Original Message-----
> From: honeywall-bounces at public.honeynet.org 
> [mailto:honeywall-bounces at public.honeynet.org] On Behalf Of 
> Rob McMillen
> Sent: Thursday, June 28, 2007 8:40 PM
> To: honeywall at public.honeynet.org
> Subject: Re: [Honeywall] Roo 1.2 connections and events 
> (compared to 1.1)
> 
> KostyaK,
>     If you log onto your 1.2 honeywall, and run the following command:
> 
> ps ax | grep host
> 
> You will probably notice that by default, all data capture 
> mechanisms are now using a bpf filter.  This filter is based 
> on the contents of the HwHPOT_PUBLIC_IP variable.  It should 
> only be capturing things to and from the ip addresses there.  
> It also incorporates the black and white list if they are enabled.
> 
> Can you paste the results of the ps ax | grep host command above?
> 
> In your 1.1 honeywall, were the events related to your 
> honeypots or simply machines that were on the same local subnet?
> 
> Thanks in advance,
> 
> Rob
> 
> On 6/28/07, Kadushkin, Konstantin Y. <KYKadushkin at tnk-bp.com> wrote:
> > Dear all!
> >
> > I'm using a roo 1.1 installation and a number of high interaction 
> > honeypots - Windows guests on VMware. The honeypots emulate AD, SMS and 
> > Exchange, so they generate a lot of connections with each other (I 
> > think that's ok for this environment). Also, I have an "intruder" 
> > workstation, which is assigned an IP from a different scope than the 
> > honeypots. All ok, I see connections, IDS events, "intruder" IP in 
> > "Top 10 Remote Hosts" in Walleye.
> >
> > Once I migrate to roo 1.2, I see 2 to 5 connections in about 2 hours 
> > (some broadcasts), no IDS events, no events from "intruder", no 
> > records in "Top 10 Remote Hosts".
> >
> > Back to 1.1 - all events and records are back. All parameters in 1.1 and 
> > 1.2 are similar.
> >
> > Why? What difference can give this result?
> >
> > Best regards,
> > KostyaK
> > _______________________________________________
> > Honeywall mailing list
> > Honeywall at public.honeynet.org
> > https://public.honeynet.org/mailman/listinfo/honeywall
> >
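The host-based BPF filter Rob describes above, shown as an added example that is not part of this thread and not Honeywall's own code. It assumes the capture filter has the shape "host A or host B ..." built from a space-separated list of honeypot addresses (the role HwHPOT_PUBLIC_IP plays in Rob's message); the function names and all addresses are constructed for the illustration. It shows why traffic between two local hosts that are not in the honeypot list never reaches the capture processes.

```shell
#!/bin/sh
# Added illustration, not Honeywall's own code. Assumes the capture filter
# has the form "host A or host B ..." built from a space-separated list of
# honeypot addresses (what HwHPOT_PUBLIC_IP holds in Rob's message).
# All addresses below are constructed sample values.

# Build a BPF expression that captures only traffic to or from the listed
# honeypot addresses. $1 = space-separated list of honeypot IPs.
build_bpf_filter() {
    _filter=""
    for _ip in $1; do
        if [ -z "$_filter" ]; then
            _filter="host $_ip"
        else
            _filter="$_filter or host $_ip"
        fi
    done
    printf '%s\n' "$_filter"
}

# Model what such a filter admits: a packet is captured only if one of its
# endpoints is a honeypot. $1 = honeypot list, $2 = source IP, $3 = dest IP.
# Returns 0 (true) when the packet would be captured, 1 otherwise.
would_capture() {
    for _ip in $1; do
        [ "$_ip" = "$2" ] && return 0
        [ "$_ip" = "$3" ] && return 0
    done
    return 1
}

# Print a one-line verdict for a flow, for a human reader.
describe_flow() {
    if would_capture "$1" "$2" "$3"; then
        printf '%-14s -> %-14s captured\n' "$2" "$3"
    else
        printf '%-14s -> %-14s NOT captured\n' "$2" "$3"
    fi
}

HONEYPOTS="10.0.0.11 10.0.0.12"   # constructed honeypot addresses
INTRUDER="192.168.5.20"           # constructed "intruder" workstation
OTHER_LOCAL="10.0.0.50"           # constructed non-honeypot host on the LAN
OTHER_LOCAL2="10.0.0.60"          # constructed non-honeypot host on the LAN

printf 'filter: %s\n' "$(build_bpf_filter "$HONEYPOTS")"
describe_flow "$HONEYPOTS" "$INTRUDER"    "10.0.0.11"      # captured
describe_flow "$HONEYPOTS" "10.0.0.11"    "10.0.0.12"      # captured
describe_flow "$HONEYPOTS" "$OTHER_LOCAL" "$OTHER_LOCAL2"  # NOT captured
describe_flow "$HONEYPOTS" "$OTHER_LOCAL" "$INTRUDER"      # NOT captured
```

The last two flows are the kind of connections seen in 1.1 from local subnet IPs that are not in the honeypot list; once the capture processes carry a filter like the one printed, those flows are dropped before any connection record or IDS event can be produced. On a real sensor, `tcpdump -d "$(build_bpf_filter "$HONEYPOTS")"` compiles the expression without capturing, which is a quick syntax check, and `ps ax | grep host` (as Rob suggests) shows the filter each capture process is actually running with.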

