Honeypots mailing list archives
Re: DNS honeypots?
From: chr1x <chr1x () sectester net>
Date: Tue, 02 Mar 2010 20:49:14 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This post looks pretty interesting! Let's analyze your requirement:

1. Logging malicious queries
2. Rejecting/denying any possible DNS attack attempt

Well, from my point of view, going from the honeypot concept, which is to track hackers, probably the best way you can follow is to set up an IPS instead of a sensor. Personally, I don't see the purpose of having a "reactive" honeypot if the objective of a honeypot is to be as open as possible, talking about vulnerabilities in network/local services ready to receive tons of attacks.

Anyway, the only thing closer to what you are looking for is to set up Snort on your DNS server, configure just the rules for DNS attacks, and see if there is a way to drop the DNS packets that come from the attacker side, but probably looking here could help:

http://snort-inline.sourceforge.net/

The difference between a normal Snort installation and snort-inline is that the second one takes action on the packets that Snort detects; in this case, probably after you configure the DNS service, the DNS detection rules and the snort-inline config, you can have a very nice "reactive" honeypot :D

Hope this helps Jason.

Best regards,
Christian

On 02/03/2010 05:11 p.m., Jason Lewis wrote:
> Cool, this is the kind of thing I was thinking of doing. I was hoping I
> wouldn't have to reinvent the wheel. Thanks.
>
> On Tue, Mar 2, 2010 at 3:49 PM, Jason Ross <algorythm () gmail com> wrote:
>> On Tue, Mar 2, 2010 at 3:00 PM, Jason Lewis <jlewis () packetnexus com> wrote:
>>> Anyone have any pointers to DNS honeypots or maybe just BIND
>>> configurations that would allow logging of malicious queries without
>>> actually executing them?
>>
>> Below is how I've got BIND set up on Debian Linux for a similar purpose.
>> It sends all the queries to a log file, and returns an A record (and MX)
>> of whatever value you'd like (I used RFC1918 space for this example).
>> Not sure it's perfect, but it works pretty well for my purposes.
>>
>> Cheers,
>> -- Jason
>>
>> root dir: /etc/bind
>>
>> ======== named.conf ========
>> include "/etc/bind/named.conf.options";
>>
>> zone "." IN {
>>     type master;
>>     file "/etc/bind/db.wildcard";
>> };
>>
>> ======== named.conf.options ========
>> options {
>>     directory "/var/cache/bind";
>>     allow-transfer { none; };
>>     listen-on-v6 { any; };
>> };
>>
>> logging {
>>     channel query_log {
>>         severity info;
>>         print-time yes;
>>         file "query.log" versions 5 size 50M;
>>     };
>>     category queries { query_log; };
>> };
>>
>> ======== db.wildcard ========
>> $TTL 604800
>> @   IN SOA localhost. root.localhost. (
>>         2009102201  ; serial
>>         604800      ; refresh
>>         86400       ; retry
>>         2419200     ; expire
>>         604800 )    ; negative cache ttl
>> @   IN NS localhost.
>> *   IN MX 10 mail.
>> *   IN A  192.168.3.101
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJLjc4qAAoJEC7eoa2EW6vfzMYH/iwhpgpqO8wDJmJnVsK4cTOc
0UGXmzLN6r3egHSVnDocIWTmHE8xw1cyCa1tsbHOwLNDSB/ybT9f5xyoEkya24G4
TmtgzJLC5cODBuVqrGpVCxvNnqaHUgCmZrlHwmGQfXUFOALM91hBGm0aHG6StC4o
IUG7Dsg7J+4yrrw3v4R8bu63qyngrY9XhxHd+9Q2bos2KfcSXgOrbdWL5VTKLIrE
hlatnh/GPrCdxP05YXLHGLPHXsTOwr8AEpFjOgZRJQS9oFrZMHkvQ9O8SJBrgAae
RsR4wzGYErhLGjgI92RuDP4f7aMv18s2MT505ZB3JqeWiqVJeuIVuFklCOHcxo8=
=z+il
-----END PGP SIGNATURE-----
Current thread:
- DNS honeypots? Jason Lewis (Mar 02)
- Re: DNS honeypots? Tillmann Werner (Mar 02)
- Re: DNS honeypots? Jason Ross (Mar 02)
- Re: DNS honeypots? Jason Lewis (Mar 02)
- Re: DNS honeypots? chr1x (Mar 02)
- Re: DNS honeypots? Jason Lewis (Mar 02)
- Re: DNS honeypots? Valdis . Kletnieks (Mar 02)
- Re: DNS honeypots? Jason Ross (Mar 02)
- Re: DNS honeypots? Jason Lewis (Mar 02)
- Re: DNS honeypots? Brent Huston (Mar 03)
- Re: DNS honeypots? Jason Lewis (Mar 03)
- Re: DNS honeypots? Brent Huston (Mar 03)
- Re: DNS honeypots? Jason Ross (Mar 03)
- Re: DNS honeypots? Jason Lewis (Mar 03)
- Re: DNS honeypots? Alexandre Dulaunoy (Mar 03)