Honeypots mailing list archives

RE: Data Capture and Data Control


From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Thu, 13 Mar 2003 01:48:30 -0500


        If I read this right, you're seeing scans from _YOUR_
honeypots, correct? Are you generating traffic from your honeypots?
I've seen this when attempting to download various packages
and when I hit a website; all those packets... spp_portscan2 will
see them as a portscan originating from my honeypots. Like Rob stated,
a pcap or ASCII dump of the packets/alerts would be helpful.

 Cheers,
 Alberto Gonzalez

-----Original Message-----
From: yoshi03j () mac com [mailto:yoshi03j () mac com]
Sent: Wednesday, March 12, 2003 5:03 PM
To: SND13571 () nifty com
Cc: honeypots () securityfocus com
Subject: Data Capture and Data Control


Hello, I'm interested in honeypots, especially virtual honeynets with
VMware. I am trying to make a virtual honeynet. I referred to Know Your Enemy:
Learning with VMware and modified "rc.firewall", and am now starting operation
in a lab.
Now I have some questions. First, the script rc.firewall gives the
interfaces br0 and eth0 no IP addresses and sets them to 0.0.0.0, so our host OS
doesn't have any IP address, and I cannot do data capture for ONLY our
honeypot. Also, I have another IDS machine in the lab network, and I can
notice some scans for our honeypot's IP address and another machine's
honeypot. But TCPFLOW on our honeypot's host OS doesn't capture ONLY
the IP address of the honeypot.
Please give me some advice and tell me why I need to make the honeypot and
bridge have no IP address. I do want to get data from the HONEYPOT.

Regards,

Yoshihiro Shibuya
(SND13571 () nifty com)
(griffinmh () yahoo co jp)
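As an added example that is not part of either message in this thread (neither Albert's nor Yoshihiro's code), the POSIX shell script below shows the two points raised above. The capture side builds a BPF filter restricted to the honeypot addresses and runs tcpdump on the IP-less bridge: libpcap reads frames at layer 2, so br0 needs no address to see the honeypot's traffic, and leaving it without one keeps the host itself unreachable from the honeynet. The triage side checks whether an spp_portscan2 alert's source is one of the honeypots, which is the situation the reply describes when the honeypot's own downloads trip the preprocessor. The honeypot addresses (10.0.0.5, 10.0.0.6), the scanner address 192.0.2.77, the interface and output path, and the alert lines (modelled on Snort's spp_portscan2 message format) are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Honeypot addresses, interface,
# output path and alert lines are constructed for illustration.

# Build a BPF expression that keeps only frames to or from the listed honeypots,
# e.g. "host 10.0.0.5 or host 10.0.0.6".
honeypot_filter() {
  filter=""
  for ip in "$@"; do
    if [ -n "$filter" ]; then
      filter="$filter or "
    fi
    filter="${filter}host $ip"
  done
  printf '%s' "$filter"
}

# Capture on the bridge. br0 carries no IP address, but libpcap reads frames at
# layer 2, so the sniffer still sees everything that crosses the bridge; the
# filter narrows the capture to the honeypot(s) only. Needs root and a live bridge.
capture_honeypot() {
  iface=$1; shift
  out=$1; shift
  tcpdump -n -i "$iface" -s 0 -w "$out" "$(honeypot_filter "$@")"
}

# Classify a Snort spp_portscan2 "Portscan detected from <ip>" line. A "scan"
# whose source is one of our honeypots is outbound activity (the honeypot
# fetching packages, as in the reply, or a compromised honeypot), not an
# inbound scan, and should be triaged differently.
classify_portscan() {
  line=$1; shift
  src=$(printf '%s\n' "$line" | sed -n 's/.*Portscan detected from \([0-9.]*\).*/\1/p')
  if [ -z "$src" ]; then
    printf 'not-a-portscan'
    return 0
  fi
  for ip in "$@"; do
    if [ "$src" = "$ip" ]; then
      printf 'outbound-from-honeypot %s' "$src"
      return 0
    fi
  done
  printf 'inbound-scan %s' "$src"
}

# Constructed sample alerts (format modelled on Snort 1.9/2.0 spp_portscan2 messages).
ALERT_OUT='[**] [117:1:1] (spp_portscan2) Portscan detected from 10.0.0.5: 1 targets 12 ports in 4 seconds [**]'
ALERT_IN='[**] [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.77: 1 targets 50 ports in 3 seconds [**]'

HONEYPOTS="10.0.0.5 10.0.0.6"

main() {
  echo "capture filter: $(honeypot_filter $HONEYPOTS)"
  classify_portscan "$ALERT_OUT" $HONEYPOTS; echo
  classify_portscan "$ALERT_IN" $HONEYPOTS; echo
  # Uncomment on a real honeynet host (root, bridge br0 present):
  # capture_honeypot br0 /var/log/honeynet/br0.pcap $HONEYPOTS
}
main
```

The same filter expression works with tcpflow (`tcpflow -i br0 host 10.0.0.5`), which is why the host OS needs no address of its own to capture only the honeypot's streams; and routing outbound honeypot traffic through a check like classify_portscan before treating an alert as an attack avoids confusing the honeypot's own downloads with a scan of the network.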

