[Honeywall] honeywall 1.4 system update, hflow, snort problems

jankins andyjian430074 at gmail.com
Wed Oct 12 10:41:36 CDT 2011


Hi,

I have used Honeywall for a while. As far as I understand (if I am wrong, please point it out), the data control mechanism is composed of iptables and snort_inline. The iptables allows all incoming traffic to the Honeynet system without any security check, but almost all outbound traffic is subject to iptables rules (outbound connection limitation...) and snort_inline signature checks.

So, if you want no outbound connections at all, you can use the "roach motel" mode of Honeywall. Otherwise, you can manipulate iptables or snort_inline to tighten the security.

I think there are snort rules to minimize the ICMP flooding and SYN flooding. For snort_inline, I am not sure. 

Jankins
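As an added illustration of the data-control behaviour Jankins describes (this is example code written for this page, not Honeywall's rc.firewall or any poster's code): inbound traffic to the honeypot passes unchecked, new outbound flows are counted per protocol and dropped once a per-window limit is reached, and a "roach motel" switch drops all outbound traffic. The limits, window and flow log are constructed values, not Honeywall's shipped defaults.

```python
# Illustrative model of Honeywall-style outbound connection limiting.
# Not the project's rc.firewall; limits and sample flows are constructed.
from collections import defaultdict, deque

LIMITS = {"tcp": 20, "udp": 20, "icmp": 50, "other": 10}  # constructed
WINDOW_SECONDS = 3600  # limits of this kind are usually expressed per hour


class EgressLimiter:
    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS, roach_motel=False):
        self.limits = limits
        self.window = window
        self.roach_motel = roach_motel
        # honeypot IP -> protocol -> timestamps of accepted new outbound flows
        self.history = defaultdict(lambda: defaultdict(deque))

    def decide(self, ts, honeypot, proto, direction):
        """Return ACCEPT or DROP for a new flow first seen at time ts (seconds)."""
        if direction == "in":
            return "ACCEPT"  # inbound to the honeynet is never blocked
        if self.roach_motel:
            return "DROP"    # nothing may leave the honeynet at all
        proto = proto if proto in self.limits else "other"
        seen = self.history[honeypot][proto]
        while seen and ts - seen[0] >= self.window:  # expire entries outside window
            seen.popleft()
        if len(seen) >= self.limits[proto]:
            return "DROP"    # per-protocol budget for this window is used up
        seen.append(ts)
        return "ACCEPT"


def run_sample(roach_motel=False):
    """Replay a constructed flow log: 5 inbound probes, then a compromised
    honeypot emitting 60 new outbound ICMP flows within three seconds."""
    flows = [(t, "10.0.0.5", "tcp", "in") for t in range(5)]
    flows += [(10 + i * 0.05, "10.0.0.5", "icmp", "out") for i in range(60)]
    limiter = EgressLimiter(roach_motel=roach_motel)
    counts = defaultdict(int)
    for ts, src, proto, direction in flows:
        counts[(direction, limiter.decide(ts, src, proto, direction))] += 1
    return dict(counts)


if __name__ == "__main__":
    # Default mode: 50 outbound ICMP flows accepted, 10 dropped; all inbound accepted.
    print(run_sample())
    # Roach motel: every outbound flow dropped, inbound still accepted.
    print(run_sample(roach_motel=True))
```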
----- Receiving the following content ----- 
From: Sanjeev 
Receiver: Mailing list for users and developers of the Honeywall 
Time: 2011-10-11, 23:11:29
Subject: Re: [Honeywall] honeywall 1.4 system update, hflow, snort problems


If there is a problem with data control (rc.firewall, snort), then it may affect other non-honeynet systems, which we have also experimentally tested. We executed a malware sample on a honeypot behind the proxy gateway (Honeywall), and it generated millions of ICMP packets to the outside world, which leads us to conclude that a honeynet may damage other non-honeynet systems.

I would like to ask:

1. What are the ways to ensure it does not affect non-honeynet systems, i.e. a basically risk-free honeynet system?
2. If I am able to redevelop the Honeywall, then what data control mechanisms should I use?
3. How to avoid DDoS (ICMP flooding, SYN flooding) attacks on non-honeynet systems?

If these cannot be removed, then there is no point in deploying a honeynet in the network.

Thanks & Regards,
-Sanjeev
Honeynet-team
Cyber Security group,India


2011/10/12 Brett Ussher <breusshe at hotmail.com>

Yeah, this is an old problem, Kristen. In order to get Snort working the way they did, the original designers had to custom roll Snort. Also, the other modules they constructed have a dependency on the custom rolled version of Snort. Several have tried to fix this problem in the past, but a "duct tape" fix has yet to be successful. The real solution would require a ground-up rebuild of Honeywall that is platform independent and does not require custom built installers. But, that solution keeps coming up and promptly dying.

If you want to use Honeywall in research as a proof of concept or modify it to watch for something particular, you are good to go. Otherwise, as a production-ready solution, until the code base is revamped ground up, you're beating your head into a brick wall.

Brett D. Ussher

"Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind."
- Dr. Seuss


On 10/11/2011 10:00 AM, honeywall-request at public.honeynet.org wrote: 
Message: 1
Date: Mon, 10 Oct 2011 15:55:40 -0700 (PDT)
From: Kristen Eisenberg <kristen.eisenberg at yahoo.com>
Subject: [Honeywall] honeywall 1.4 system update, hflow, snort, problems
To: "honeywall at public.honeynet.org" <honeywall at public.honeynet.org>

Hi,
I am doing a project about Virtual Honeynets. One of the main aims of it is to design and implement a laptop-based detection system based on a virtual honeynet (Honeywall roo CDROM). Its main role is to analyze LAN traffic and alert.

One of the problems I have come across is out-of-date snort rules. roo-1.4 is based on snort 2.6, but rules are not available for this version. 2.8.6.1 is the lowest version available (Jan 2011).

What I have done so far:
- Hwall was successfully updated using CentOS 5.5 repos,
- compiled and installed snort 2.8.6
- installed new set of rules 2.8.6.1 using oinkmaster


Kristen Eisenberg
Billige Flüge Marketing GmbH
Emanuelstr. 3, 10317 Berlin, Deutschland
Telefon: +49 (33) 5310967
Email: utebachmeier at gmail.com
Site: http://flug.airego.de - Billige Flüge vergleichen
_______________________________________________
Honeywall mailing list
Honeywall at public.honeynet.org
https://public.honeynet.org/mailman/listinfo/honeywall

End of Honeywall Digest, Vol 52, Issue 1

-- 
Efforts may fail, but don't fail to make efforts.
---------
Sanjeev Kumar
Staff Scientist / Scientist 'B'
CDAC (Erstwhile CEDTI)
Mohali, Chandigarh - 160 071