PaulDotCom mailing list archives

Re: portable honeyport tool waiting for a name


From: Lester Nichols <ln61775 () gmail com>
Date: Tue, 18 Oct 2011 07:34:52 -0400

Chris,

What about the Latin term for honey... Mel Mellis... as the name?

----------
Lester E. Nichols III, MSIA, CISSP, GCED, GSEC,
MCSA, CompTIA Security+
ln61775 () gmail com

http://www.linkedin.com/in/lnichols

Information Systems Security Association - General Member
Information Systems Audit and Control Association - Member
A proud member of the Federal Bureau of Investigation’s InfraGard



On Sun, Oct 16, 2011 at 12:18 PM, Chris Benedict <chrisbdaemon () gmail com> wrote:

After listening to the pdc guys talk about "honeyports" on the pdc podcast,
I decided to run with the idea a bit further.  I'm not sure if this has been
done yet or not, but I've written a program in Ruby to implement honeyports
with some extra features thrown into the mix.  For info on honeyports, check
out John Strand's tech segments on episodes 203 and 204 of the pdc podcast.

You can use a raw TCP listener (netcat-style) to trigger blacklisting, or
you can write modules to emulate an FTP server or web server or whatever that
can, for instance, give a banner and version info but blacklist on attempted
logins.  When a host trips one of the alarms, it broadcasts a signed UDP
alert to all the other hosts on the LAN so they can act on it also.  Alerts
can be handled by different modules too; so far I have only written a
command-line module that simply executes a command with an IP address as an
argument, which you can use to insert an IP into a blacklist table in pf, for
instance.  Something like a syslog or MySQL module wouldn't be too difficult
to write.

As far as making it secure goes, it has some more work to be done.
Broadcast alerts are cryptographically signed and verified, but I need to
implement some stuff to prevent replay attacks, and I need to add in
whitelisting and thresholding to make it more difficult to use as a weapon
against the user's own network.

So, I've tried to make the code all very modular so its functionality can
be tweaked or extended pretty well (the sky should be the limit).  The
end goal is to come up with some code that you can drop onto every box on a
LAN that can run a Ruby interpreter (JRuby, for instance).  It would make the
entire network go dark once an attacker starts grabbing banners or
connecting to ports.

This is going to be my first project to be released, and it doesn't have a
name yet.  So, if anyone has any ideas for a name, send them my way.  Once I
have it named I will put it in a public repo on GitHub with a BSD license
for anyone to get to and contribute.

-Chris Benedict
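As an added example (not Chris's code, which the post does not include), here is a Ruby sketch of the two pieces he says are still missing: replay protection for the signed UDP alerts, plus whitelisting and thresholding so a captured or forged alert cannot be turned against the user's own network. The signing scheme (HMAC-SHA256 over a JSON body with a pre-shared key), the TTL, the whitelist entries and the threshold are all assumptions, since the post names no algorithm or values.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# All constants below are constructed for this example; the post names no algorithm or values.
SECRET    = 'constructed-shared-key-change-me'   # pre-shared HMAC key; distribute out of band
ALERT_TTL = 30                                    # seconds an alert stays valid (bounds the replay window)
WHITELIST = ['10.0.0.1', '10.0.0.2'].freeze       # hypothetical hosts that must never be blacklisted
THRESHOLD = 3                                     # distinct valid alerts needed before blacklisting an IP

def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
end

# Sender side: a fresh nonce and a timestamp make every alert unique, so a
# captured alert cannot be re-broadcast later to blacklist the same IP again.
def build_alert(ip, sender, now = Time.now.to_i)
  payload = JSON.generate({ ip: ip, sender: sender, ts: now, nonce: SecureRandom.hex(8) })
  "#{payload}\n#{sign(payload)}"
end

# Receiver side: verify the MAC, then apply freshness, replay, whitelist and threshold checks in order.
class AlertReceiver
  attr_reader :blacklisted

  def initialize
    @seen = {}             # nonce => ts, for alerts still inside the TTL window
    @hits = Hash.new(0)    # ip => number of distinct valid alerts seen
    @blacklisted = []
  end

  # Returns a symbol naming the outcome; only :blacklisted should trigger the pf/command module.
  def handle(message, now = Time.now.to_i)
    payload, mac = message.split("\n", 2)
    return :bad_signature unless mac && OpenSSL.secure_compare(mac, sign(payload))
    alert = JSON.parse(payload)
    return :stale unless (now - alert['ts']).abs <= ALERT_TTL
    return :replay if @seen.key?(alert['nonce'])
    @seen[alert['nonce']] = alert['ts']
    @seen.delete_if { |_, ts| now - ts > ALERT_TTL }   # forget nonces that are now stale anyway
    return :whitelisted if WHITELIST.include?(alert['ip'])
    @hits[alert['ip']] += 1
    return :below_threshold if @hits[alert['ip']] < THRESHOLD
    @blacklisted << alert['ip'] unless @blacklisted.include?(alert['ip'])
    :blacklisted
  end
end
```

In a real deployment the receiver would be fed from the UDP broadcast socket and the threshold would count alerts from distinct sending hosts rather than raw messages, so that one compromised box cannot blacklist a peer on its own.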

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
