Honeypots mailing list archives
Re: Registry and File Monitoring Programs for Windows Honeypots
From: "Randy Welborn" <randy () securecomp net>
Date: Sun, 31 Aug 2003 14:28:59 -0400
----- Original Message -----
From: "Chris Brenton" <cbrenton () chrisbrenton org>
To: <honeypots () securityfocus com>
Sent: Sunday, August 31, 2003 10:49 AM
Subject: Re: Registry and File Monitoring Programs for Windows Honeypots

> Mark E. Donaldson wrote:
> > Although it was made for cloning Windows systems, the W2K Resource Kit
> > Utility "Sysdiff" is excellent for detecting "any" change that occurs in a
> > Windows machine.
>
> There have been some cool tool ideas suggested, but I guess it really comes
> down to what you are using the honeypot for. If it's to see what a specific
> worm or rootkit does to a system, the tools mentioned are cool as you can
> easily do a before and after snapshot (one caveat, the tool should always do
> an MD5 and/or SHA-1 check of the file). If it's for a honeypot that will be
> hanging on the wire however, you typically want to see these things live as
> they happen. Some criteria I look for:
>
> Monitor file system changes
> Monitor new processes that get launched in memory
> Little to no extra software on the system to suggest it's a honeypot
> Some way to record all this data off to a remote (secured) system

Ummm, "grr" will do all the above and is a small little utility that I've used for years with Windows systems. Well written, stable, small footprint. And no, I don't know the author, but I do recommend it highly.
http://www.greyware.com/software/grr/index.asp

> There are plenty of tools to do all this on the UNIX side. I'm not exactly
> sure how you would pull it off on the Windows side, but maybe Lance and
> others more savvy can chime in here.
>
> Cheers all,
> Chris
Best, ®andy
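As an added illustration of the before-and-after snapshot caveat raised in the quoted reply (this is not code from the thread, from Sysdiff or from grr): a snapshot diff that decides "modified" by SHA-1 rather than by size or timestamp, so a same-size edit whose original mtime has been put back is still reported. The directory tree and file contents below are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to (size, mtime, sha1)."""
    snap = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            st = path.stat()
            digest = hashlib.sha1(path.read_bytes()).hexdigest()
            snap[str(path.relative_to(root))] = (st.st_size, int(st.st_mtime), digest)
    return snap

def diff_snapshots(before, after):
    """Report added/removed/modified files; 'modified' is decided by hash alone."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p][2] != after[p][2])
    # Changed content with unchanged size and mtime is exactly what a
    # metadata-only comparison misses; list those separately so they stand out.
    metadata_hidden = sorted(p for p in modified if before[p][:2] == after[p][:2])
    return {"added": added, "removed": removed,
            "modified": modified, "metadata_hidden": metadata_hidden}

def demo():
    """Constructed scenario: a two-file tree, then a same-length edit with the old mtime restored."""
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root, "system.ini")          # constructed sample file
        cfg.write_bytes(b"allow=no\n")
        Path(root, "readme.txt").write_bytes(b"hello\n")
        before = snapshot(root)
        st = cfg.stat()
        cfg.write_bytes(b"allow=ok\n")          # same byte length, different content
        os.utime(cfg, (st.st_atime, st.st_mtime))  # restore the original timestamp
        Path(root, "readme.txt").unlink()
        Path(root, "dropped.dll").write_bytes(b"MZ...")  # constructed new file
        return diff_snapshots(before, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```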
Current thread:
- Registry and File Monitoring Programs for Windows Honeypots Hines, Eric (Aug 30)
- Re: Registry and File Monitoring Programs for Windows Honeypots Michael A. Davis (Aug 30)
- RE: Registry and File Monitoring Programs for Windows Honeypots Larry Seltzer (Aug 30)
- RE: Registry and File Monitoring Programs for Windows Honeypots Harry Hoffman (Aug 30)
- RE: Registry and File Monitoring Programs for Windows Honeypots Mark E. Donaldson (Aug 31)
- Re: Registry and File Monitoring Programs for Windows Honeypots Chris Brenton (Aug 31)
- Re: Registry and File Monitoring Programs for Windows Honeypots Randy Welborn (Aug 31)
- RE: Registry and File Monitoring Programs for Windows Honeypots David Maynor (Aug 31)
- Re: Registry and File Monitoring Programs for Windows Honeypots Chris Brenton (Aug 31)
- RE: [inbox] Registry and File Monitoring Programs for Windows Honeypots Curt Purdy (Aug 31)
- <Possible follow-ups>
- Re: Registry and File Monitoring Programs for Windows Honeypots Floydman (Sep 01)