Honeypots mailing list archives
Re: logging facility
From: Ryan Barnett <RCBarnett () hushmail com>
Date: 29 Aug 2003 11:50:31 -0000
In-Reply-To: <1062109619.3f4e81b381df4 () webmail visi com>
From: urbn () visi com

> What if someone compromised your honeypot, and then monitored any SSL
> traffic that was decrypted? Common sense would tell me to keep these
> logs (the decrypted SSL traffic) on a separate system, but then why even
> have your honeypot decrypt it first? Better off just sending the
> encrypted packets to the system that will be logging it anyways. Or am
> I missing something here?
The key element here is that blackhats are including encrypted communication tools as part of their rootkits. This can range from modified ssh daemons to SSL-enabled web servers to custom encryption tools utilizing seldom-used protocols (see the Honeynet Project's SoTM Reverse Challenge and SoTM Scan 22 - http://www.honeynet.org/scans/scan22/).

If the attackers were nice enough to use our honeypot services, such as ssh, then we could just log the encrypted data to a remote host. This would work because we would have the appropriate decryption keys for the data. Unfortunately, blackhats are not so kind... Since they will most likely use their own tools, we are forced to log the decrypted data at the host level rather than the network level. With tools such as sebek or other kernel keyloggers, we can capture all of the data once it has passed through the blackhats' decryption algorithms - and then send it off to a remote host for safekeeping.

Hope this helps.

-Ryan
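The distinction Ryan draws (network-level capture only works when the operator holds the session keys; host-level capture sees the bytes after the intruder's own tool has decrypted them) is easy to demonstrate with a small simulation. The following is an added example, not code from this thread, from Sebek, or from the Honeynet Project. The XOR keystream "cipher" is a constructed stand-in for whatever encryption the attacker's tool uses, the `RemoteLogHost` class is a stand-in for the separate logging box, and the record fields written by `host_capture` are an assumption, not any real tool's export format.

```python
"""
Constructed demonstration (added example, not the thread's or Sebek's code):
why decrypted attacker traffic has to be captured on the honeypot host and
shipped off-box, rather than captured on the wire.
"""
import hashlib
import hmac
import json
import struct
import time


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher (constructed stand-in for the attacker's crypto):
    XOR the data with HMAC-SHA256(key, block counter) blocks. The same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, struct.pack(">I", i // 32), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class RemoteLogHost:
    """Stand-in for the separate logging system that receives host-level captures."""

    def __init__(self):
        self.records = []

    def ingest(self, raw: bytes) -> None:
        self.records.append(json.loads(raw.decode("utf-8")))


def network_capture(wire_bytes: bytes, operator_key):
    """Sniffer on the wire. It can only turn ciphertext back into plaintext when the
    operator holds the session key, i.e. the intruder used the honeypot's own service."""
    if operator_key is None:
        return wire_bytes            # ciphertext is all the sniffer gets
    return keystream_xor(operator_key, wire_bytes)


def host_capture(pid: int, fd: int, comm: str, plaintext: bytes, sink: RemoteLogHost) -> dict:
    """Host-level hook in the spirit of a kernel read()/write() logger: it sees the
    bytes after the intruder's tool has decrypted them and forwards a record to the
    remote sink. Field names are an assumption, not a real tool's record layout."""
    record = {
        "ts": round(time.time(), 3),
        "pid": pid,
        "fd": fd,
        "comm": comm,
        "data": plaintext.decode("latin-1"),
    }
    sink.ingest(json.dumps(record).encode("utf-8"))
    return record


def simulate_session(command: bytes, session_key: bytes, operator_knows_key: bool,
                     sink: RemoteLogHost, comm: str) -> dict:
    """One encrypted command arriving at the honeypot; report what each vantage point saw."""
    wire = keystream_xor(session_key, command)                      # bytes on the network
    from_wire = network_capture(wire, session_key if operator_knows_key else None)
    decrypted_on_host = keystream_xor(session_key, wire)            # what the daemon sees
    host_capture(pid=4242, fd=3, comm=comm, plaintext=decrypted_on_host, sink=sink)
    return {
        "network_readable": from_wire == command,
        "host_readable": decrypted_on_host == command,
    }


def run_demo() -> dict:
    sink = RemoteLogHost()
    command = b"id; uname -a\n"                   # constructed sample input
    results = {
        # intruder logs in through the honeypot's own sshd: operator has the key material
        "honeypot_service": simulate_session(command, b"operator-known-key", True, sink, "sshd"),
        # intruder brings a rootkit with its own encrypted channel: key is unknown to us
        "attacker_tool": simulate_session(command, b"attacker-private-key", False, sink, "unknown-daemon"),
    }
    results["remote_records"] = len(sink.records)
    results["remote_sees_command"] = all(r["data"] == command.decode("latin-1")
                                         for r in sink.records)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running `run_demo()` shows the asymmetry: for the honeypot's own service both vantage points recover the command, while for the attacker-supplied tool only the host-level hook does, and in both cases the remote log host ends up with the plaintext record even though the honeypot itself is assumed compromised.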