Honeypots mailing list archives
RE: Registry and File Monitoring Programs for Windows Honeypots
From: Harry Hoffman <hhoffman () ip-solutions net>
Date: Sat, 30 Aug 2003 21:48:37 -0400
Has anyone used "Go Back" for this sort of thing? It's made by Roxio (I think). Anyway, when I worked at Drexel Univ. I used it as a lab to infect Windows machines and track the changes that virii/worms would make. I'm not sure that I would suggest it for a "high-interaction" honeypot, as it doesn't seem to have that sort of security feature (active attack) in mind. It worked pretty well for us and was quite helpful in figuring out what was changing.

My .02 cents,
Harry

Quoting Larry Seltzer <larry () larryseltzer com>:

> I don't know if it would work well in a honeypot, but there's a free PCMag utility
> called Inctrl (http://www.pcmag.com/article2/0,4149,70209,00.asp) that tracks file and
> registry changes.
>
> Larry Seltzer
> Editor
> Ziff Davis Security Supersite
> http://security.ziffdavis.com/
> larryseltzer () ziffdavis com
>
> -----Original Message-----
> From: Hines, Eric [mailto:ehin4 () allstate com]
> Sent: Friday, August 29, 2003 6:47 PM
> To: honeypots () securityfocus com
> Subject: Registry and File Monitoring Programs for Windows Honeypots
>
> List:
>
> I am building a Windows honeypot and am very interested to hear what sort of software
> programs some of you might be using to monitor registry and file changes. Sure, sure, I
> know there is regmon and filemon, but I use those more for when I'm sitting in front of
> the machine and purposely executing a worm to see what registry entries and files it
> creates or changes. Are all of you just using regmon or filemon and logging to a file?
>
> Eric Hines
>
> =============================================
> Eric Hines
> Senior Intrusion Analyst
> Allstate Information Security
> ---------------------------------------------
> [e] ehin4 () allstate com
> [c] (847) 830-2883
> [a] 1075818 () skytel com
> ---------------------------------------------
> 3075 Sanders Road
> Suite G2E
> Northbrook, IL 60062
> =============================================

--
Harry Hoffman
hhoffman () ip-solutions net

STANDARD DISCLAIMER:
**********************************************
*This universe shipped by weight, not volume.*
*Some expansion may have occurred in shipping.*
**********************************************

-------------------------------------------------
This mail sent through IpSolutions: http://www.ip-solutions.net/