Jefferson, Shawn Shawn.Jefferson at bcferries.com
Thu Jul 10 18:47:30 EDT 2008


I'm new to Honeywall, and have set up a system using VMWare, and
everything seems to be working well, except I have a couple of questions
that don't seem to be covered by the manuals and FAQs (that I've been
able to find, anyway).  I'm using Honeywall roo 1.4.

1.	Is there a way to tell swatch (or whatever it's using to relay
email out), which SMTP server to use?  I'm in a situation where I need
to send it to a specific email host.

2.	Sebek seems to be working, at least I am getting process
information from my honeypots, but should you be able to see keystrokes
in Walleye somewhere?  I did notice that the Sebek packets show up as a
"flow" that I can drill down into the packet decode and see the
keystrokes there in the raw packets.  Is this the only way to see them
in Walleye?

3.	I performed a test on my Honeypot, using TFTP to try to download
a file from outside the honeynet.  I think that Snort inline blocked
this outbound connection though.  In Walleye, I see a "< TFTP Get, -,
1-" next to the flow.  What do the dash and 1- mean?  Does the default
configuration of Honeywall roo block outgoing TFTP GET sessions?  If so,
might you want to allow them to see what sorts of tools an attacker will
try to bring down to your Honeypot?  Maybe the TFTP GET wasn't blocked,
but was some sort of problem with my TFTP server... is there a way to
tell that Snort blocked it from the Snort decode in Walleye?  (I know...
I've never used Snort before, and the decode didn't make it obvious that it
blocked this session!)

