* Previous version

  • Our third Honeynet infrastructure is now in place: a Second Generation (GenII) Honeynet with Linux (Red Hat, Debian), Solaris and Windows XP/2000 honeypots. Data Capture and Data Control are implemented on a Red Hat Linux 7.3 host running a kernel with the bridging-firewalling patch applied, so that iptables can filter the frames crossing the layer-2 bridge. The Honeynet Project's
    IPTables script (rc.firewall) is used to limit the number of outbound connections the honeypots may initiate. Well-known attacks originating from the Honeynet are blocked with the help of Snort-inline [http://snort-inline.sourceforge.net/], which drops matching packets before they leave the bridge.

    Keystrokes are logged to a remote syslog server through the use of Sebek2 [http://www.honeynet.org/tools/sebek/]. The local syslogd daemons on the honeypots have been modified to read a different configuration file, so that an attacker inspecting the honeypot does not learn about the remote logging; the standard configuration file, /etc/syslog.conf, has been left in its default location with its default contents. Additional measures protect the remote syslogd server: one-way routing towards the server, so that log traffic flows to it only, and access control lists (ACLs).

    For bandwidth limitation, rc.firewall has been modified to use tc (the Linux traffic-control tool) to rate-limit traffic leaving the Honeynet. Tests by Alliance members have been positive.
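    As an added example, not the Honeynet Project's own rc.firewall and not code from this lab, the following POSIX shell script sketches the three data-control pieces described in this item: per-protocol limiting of new outbound connections with iptables, handing forwarded packets to snort-inline through the QUEUE target, and an outbound bandwidth cap with tc. The address range, interface names, rates and log prefixes are assumptions chosen for illustration; DRYRUN=1 (or the show argument) prints the rules instead of applying them, which is how to review the generated rule set on a host that is not the honeywall.

```shell
#!/bin/sh
# Added example, not the Honeynet Project's rc.firewall: a minimal data-control
# script in the style described above, for a bridging honeywall that
#   1. caps the number of NEW outbound connections the honeypots may start,
#   2. hands every remaining forwarded packet to snort-inline via the QUEUE target,
#   3. caps outbound bandwidth with tc.
# Addresses, interface names, rates and log prefixes below are assumptions for
# illustration, not values taken from the page.
#
# Assumed topology: honeypots on 192.168.1.0/24, bridge ports eth1 (honeynet
# side) and eth0 (Internet side). With the bridging-firewalling (bridge-nf)
# patch the bridge ports appear as -i/-o interfaces in the FORWARD chain.
IPTABLES="${IPTABLES:-iptables}"
TC="${TC:-tc}"
DRYRUN="${DRYRUN:-0}"          # DRYRUN=1 prints the commands instead of running them

HONEYNET="192.168.1.0/24"
INSIDE_IF="eth1"
OUTSIDE_IF="eth0"
TCPRATE=15                     # new outbound TCP connections allowed per SCALE
UDPRATE=20
ICMPRATE=50
SCALE="day"                    # second, minute, hour or day (iptables limit match)
RATE="256kbit"                 # bandwidth cap for traffic leaving the honeynet
BURST="10kb"

run() {
    if [ "$DRYRUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Per-protocol outbound connection limiting: the limit match lets $rate new
# connections through per SCALE (with an equal burst); everything beyond that
# is logged and then falls through to the DROP policy of the FORWARD chain.
limit_outbound() {
    proto="$1"; rate="$2"
    run "$IPTABLES" -A FORWARD -i "$INSIDE_IF" -s "$HONEYNET" -p "$proto" \
        -m state --state NEW \
        -m limit --limit "${rate}/${SCALE}" --limit-burst "$rate" -j QUEUE
    run "$IPTABLES" -A FORWARD -i "$INSIDE_IF" -s "$HONEYNET" -p "$proto" \
        -m state --state NEW -j LOG --log-prefix "HONEYNET_LIMIT_${proto} "
}

data_control_rules() {
    run "$IPTABLES" -F FORWARD
    run "$IPTABLES" -P FORWARD DROP
    # Everything coming in from the Internet to the honeypots is allowed, but
    # goes through snort-inline first (started in inline mode to read the queue).
    run "$IPTABLES" -A FORWARD -i "$OUTSIDE_IF" -d "$HONEYNET" -j QUEUE
    # Packets of connections already accepted are inspected by snort-inline too.
    run "$IPTABLES" -A FORWARD -i "$INSIDE_IF" -s "$HONEYNET" \
        -m state --state ESTABLISHED,RELATED -j QUEUE
    # New outbound connections are counted per protocol.
    limit_outbound tcp  "$TCPRATE"
    limit_outbound udp  "$UDPRATE"
    limit_outbound icmp "$ICMPRATE"
    # Anything else leaving the honeynet (other protocols, INVALID state) is
    # logged before the chain policy drops it.
    run "$IPTABLES" -A FORWARD -i "$INSIDE_IF" -s "$HONEYNET" \
        -j LOG --log-prefix "HONEYNET_DROP "
}

# Bandwidth limiting with tc: a token-bucket filter on the Internet-side port
# caps what the honeypots can push out, e.g. during a flooding attempt.
bandwidth_limit() {
    run "$TC" qdisc del dev "$OUTSIDE_IF" root 2>/dev/null
    run "$TC" qdisc add dev "$OUTSIDE_IF" root tbf \
        rate "$RATE" burst "$BURST" latency 50ms
}

case "${1:-}" in
    apply) data_control_rules; bandwidth_limit ;;
    show)  DRYRUN=1; data_control_rules; bandwidth_limit ;;
esac
```

    Run it with the show argument to review the rules and with apply, as root on the bridge, to install them. Note that the QUEUE target hands packets to user space through ip_queue; if no snort-inline process is reading that queue, the kernel drops the queued packets, so a dead or unstarted snort-inline cuts the honeypots off rather than letting traffic through unchecked.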

    A network diagram of our honeynet can be found here.
    Details of our deployment are given in the recent book by The Honeynet Project/Honeynet Research Alliance, chapter 5 [www.honeynet.org/book].

  • A new deployment based on the Honeywall CDROM (eeyore 0.68 rc7) [http://www.honeynet.org/tools/cdrom/] has been built and integrated into our data management framework.

  • A wiki system has been deployed to track changes in the deployed Honeynets and the configuration of the honeypots and, most importantly, to store all analysis reports for cross-referencing, collaboration and knowledge sharing.

  • A PostNuke system has been deployed for sharing knowledge among lab members, whether it was created in the lab or transferred from the Alliance.