From: Pierre L. <pie...@gm...> - 2016-05-31 14:06:45
|
Hello,

I don't know if the mail addresses I'm sending this message to are still being used, but they are the only ones I found. At school, I have a cybersecurity project, which is "setting up a honeypot". With my group, we searched for many ways to do that, and we found the "Bait N Switch honeypot" which you designed, and we found it very interesting. So we started to work on that, but we have a few issues.

Here is what we've done so far:

We have 4 Debian virtual machines on VirtualBox.

The router, with 4 interfaces:
eth0: 10.0.0.254/24 (so the external interface that goes outside the network)
eth1: 192.168.0.1/32 (the production network interface)
eth2: 192.168.0.2/32 (the honeypot network)
We activated ip_forward=1 in sysctl.conf.

The machine hosting the honeypot (honeyd):
eth0: 192.168.0.10/24 with gateway 192.168.0.2

The production machine:
eth0: 192.168.0.10/24 with gateway 192.168.0.1

The "outside world" (so like the internet) machine:
eth0: 10.0.0.254

We followed some tutorials we found:
http://www.tdeig.ch/SSL_PKI_CA/dizon_M.pdf (in French)
https://www.sans.org/reading-room/whitepapers/casestudies/setting-honeypot-bait-switch-router-1465
http://documents.mx/documents/bait-and-switch-honeypot-howto.html

We downloaded the Bait N Switch package here: https://sourceforge.net/projects/baitnswitch/files/baitnswitch/ (the b.2.1 version) and Snort 1.9.0 from Snort's official website. By following the tutorials, we managed to install it without errors during the process.

But here are our problems:

When we try to ping the 192.168.0.10 address from the outside world machine, the ping goes to the 2 machines that have this address (so production and honeypot); we found this with tcpdump records.

I noticed that when we launch switchcore (by typing the command /bns/switching/switchcore), the process is killed when the ping arrives on the router. Is that normal?

We don't understand how the switchcore module works. How does it recognize the alert sent by Snort, and where is the Snort alert sent? Did we miss anything during the configuration process?

Thanks in advance for your future replies,

Best regards,
LIVET Pierre
|
From: ecomVia G. S. <no-...@ec...> - 2008-12-12 13:11:09
|
Boost your sales & Start getting new buyers

Sir / Madam,

As we have been attracted to your site "The Bait and Switch Honeypot System", we are proud to bring you the option of a unique kind of priceless online presentation for your company and your products, that will bring you new potential buyers of your products and multiply your sales.

With ecomVia Global System you can:

Represent your company. Introduce the activities and production of your company in a very latest kind of online presentation, by providing all details and information. Allow potential buyers to get a complete outlook on your company by providing images from inside life, production, etc.

Display all of your products. Attract daily visitors and convert them to your new buyers. Just add the complete and detailed descriptions of all your products, add the detailed and inviting images and use the enhancements to stand out from the products of other companies.

Access up-to-date requests & offers. Check out what the others need. There's a high possibility that someone is looking for a product you are able to produce or supply. Obtaining a new order has never been easier; just a few clicks away.

Get contacted with inquiries from possible buyers. Providing detailed information about your company and products supplemented with inviting images assures a high possibility of early contact by new potential buyers.

Find supplies & partners for your company. Search in millions of suppliers and products and find what you are looking for. At slovak-products.com you are able to find anything you require for your production and even find new dealers and local distributors for your products.

Ready yet to receive new orders? Go to http://www.ecomvia.info/registration to start now!

Thanks and best regards,
ecomVia Inc.
SNP street 119, SK-90873 Velke Levare. Slovakia
Tel.: +421-910-353111
|
From: Timur A. <tba...@ya...> - 2008-04-15 05:47:06
|
Hello everybody!
My name is Tima from UZ-CERT. I have faced one problem when using the Bait and Switch honeypot.
The problem is as follows:
I launch snort (snort's version is 2.8.0.2), and an error message appears:
Parsing Rules file rules.script
ERROR: unknown output plugin: 'alert_bns'
Fatal Error, Quitting..
What am I supposed to do? Please, I need help.
Thank you beforehand.
Best regards,
Tima.
__________________________________________________________________
Ask a question on any topic and get answers from real people. Go to Yahoo! Answers and share what you know at http://ca.answers.yahoo.com
|
|
From: Nelson C. <nc...@cf...> - 2004-07-13 17:25:47
|
Does anyone have a snort config file that I can take a look at?

Nelson Carter
Network Security Admin
Lotus Notes Admin
(919)-835-2492
nc...@cf...

This email, including any documents, files, or previous email messages attached to it, has been sent from an email account of College Foundation, Inc., (CFI) and may contain confidential, proprietary, or legally privileged information belonging to CFI. If you are not the intended recipient, any dissemination, distribution, or copying of this email or its attachments is strictly prohibited. If you have received this email in error, please immediately notify the sender by email and destroy the original email and any attachments.
|
From: <ben...@id...> - 2004-05-22 13:06:32
|
Dear Open Source developer,

I am doing a research project on "Fun and Software Development" in which I kindly invite you to participate. You will find the online survey under http://fasd.ethz.ch/qsf/. The questionnaire consists of 53 questions and you will need about 15 minutes to complete it.

With the FASD project (Fun and Software Development) we want to define the motivational significance of fun when software developers decide to engage in Open Source projects. What is special about our research project is that a similar survey is planned with software developers in commercial firms. This procedure allows the immediate comparison between the involved individuals and the conditions of production of these two development models. Thus we hope to obtain substantial new insights into the phenomenon of Open Source Development.

With many thanks for your participation,
Benno Luthiger

PS: The results of the survey will be published under http://www.isu.unizh.ch/fuehrung/blprojects/FASD/. We have set up the mailing list fa...@we... for this study. Please see http://fasd.ethz.ch/qsf/mailinglist_en.html for registration to this mailing list.

_______________________________________________________________________
Benno Luthiger
Swiss Federal Institute of Technology Zurich
8092 Zurich
Mail: benno.luthiger(at)id.ethz.ch
_______________________________________________________________________
|
From: <pen...@vi...> - 2004-04-06 12:44:17
|
Hi, I am sure that switchcore is running, but with ps -e I can't find the process. Why?
|
From: <mga...@ya...> - 2004-03-10 11:00:16
|
First I'd like to express my heartfelt thanks to you. I just want to say that you are always my teacher.

> Sooner or later the intruder always finds out the trick. That's
> unavoidable.

Doesn't that defeat the purpose of the honeypot? In theory a well-built honeypot (especially a honeynet, which is what I mean here) can never be found out by attackers.

> Should we divert entire sessions? No. There are problems and dangers
> with that that make it extremely impractical. An example of the dangers: you
> mistakenly redirect legitimate users to the honeypot and they send legitimate
> data to it. This is very bad.

You mean false positives? That's a big problem. How about switching the traffic based on different policies? I mean, if the traffic is convincingly evil, divert it to the honeypot; if it is absolutely normal, divert it to production; if it is hard to make a precise verdict, divert it to both.

Best regards

---------------------------------
Do You Yahoo!?
Completely free Yahoo! Mail: sign up now and get an extra 60 MB of online storage
|
From: Jack W. (jofny) <xa...@vi...> - 2004-03-09 14:05:38
|
> is this scenario true? if yes, that is to say, to divert it we must first
> interrupt it. I am afraid that sooner or later the intruder will find out the
> trick.
> do we have some ideas of diverting the attack smoothly from the start without
> interrupting it?

Sooner or later the intruder always finds out the trick. That's unavoidable.

Can we technically divert entire sessions? Yes, we could write something that does that. Should we divert entire sessions? No. There are problems and dangers with that that make it extremely impractical.

An example of the dangers: you mistakenly redirect legitimate users to the honeypot and they send legitimate data to it. This is very bad.

An example of the problems: you need to mirror the service states and data states as well as the network states on the honeypot from the production server. This is possible but very hard. The best way to do it would be to mirror traffic to both systems so that the state on each system was always the same. But then... you have to mirror data as well. Which means your honeypot has the same data as your production server, which neutralizes the benefit of having a honeypot at all. You could write your own mangling software to mangle the data to the honeypot, but that's a very specific solution that doesn't scale well to more than one installation.

BNS hopes to distract people long enough that you can figure out what's going on. If you want a honeypot where people get to sit and play around for hours on end, you're probably better off just running a normal honeypot.

Besides, not all bad activities involve TCP sessions. Redirecting those often works very silently.

-Jofny
|
From: <mga...@ya...> - 2004-03-08 08:11:43
|
With some knowledge of bns, I always have this scenario in mind: an intruder is directing something malicious at the production network, then he suddenly finds the communication is interrupted because a snort rule was matched and the packet is rerouted to the honeypot, so he has to start again, and this time all the traffic is diverted to the honeypot. That is exactly what we want.

Is this scenario true? If yes, that is to say, to divert it we must first interrupt it. I am afraid that sooner or later the intruder will find out the trick.

Do we have some ideas for diverting the attack smoothly from the start without interrupting it?
|
From: Albert G. <ele...@vi...> - 2003-12-05 00:33:05
|
Yes, we are still alive and kicking. Bait-N-Switch won't die. We are all extremely busy with real life; main developer "jofny" just did a move halfway across the country, so even he needs some time to set up and get adjusted, but be expecting things real soon(tm)...

Cheers,
Albert Gonzalez, Violating Networks

On Mon, 17 Nov 2003, [gb2312] Great Åí wrote:
> I am very interested in bns, but the project seems to have been silent for several months. If the project is still alive, what's its current status?
>
> pl
> best regards

--
"Success comes to the person who does today, what you are thinking of doing tomorrow."
|
From: Jack W. (jofny) <xa...@vi...> - 2003-11-17 05:48:02
|
Hi. The project hasn't been silent. I've moved the patch from snort 1.9.x to snort 2.0.x. As I type, I'm working on moving it to barnyard so we don't have to patch it against the current snort version all the time. I've been a bit busy (rubi-con was the huge motivation for all the work we did early 2003), but now that I do security full time you should see some improvements.

The things that are on my list to do Real Soon Now are:
- OpenBSD support
- Barnyard (in progress)
- Connection tracking regarding connections out from the honeypot to some other box other than the original source.
- Better logging and user interface.

-Jack Whitsitt (jofny) / Violating Networks

> I am very interested in bns, but the project seems to have been silent for several
> months. If the project is still alive, what's its current status?
>
> pl
> best regards
|
From: <mga...@ya...> - 2003-11-17 05:37:12
|
I am very interested in bns, but the project seems to have been silent for several months. If the project is still alive, what's its current status?

pl
best regards

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
|
From: Albert G. <ago...@ne...> - 2003-10-17 19:19:04
|
Lloyd,

NOTE: The redirection is initiated when snort sees traffic which is triggered from a rule with 'bns_alert' within it. Bait-N-Switch and Snort aren't systems you can just download and deploy; it takes some time to configure them correctly.

Which snort rules are currently active with 'bns_alert' within them? This determines what triggers switchcore. As far as timing, and when the redirection deactivates for a specific IP: they're your settings when you first configure switchcore.

NOTE: 1 or 3 packets may make it through without 'switching' because of ARP. This is a known issue, and will be fixed in the next release.

Thanks,
Jack Whitsitt, Albert Gonzalez
Bait N Switch Core Team (www.violating.us/projects/baitnswitch/)

-----Original Message-----
From: Lloyd Dizon [mailto:fra...@ya...]
Sent: Friday, October 17, 2003 3:57 AM
To: Jack Whitsitt (jofny)
Cc: bai...@li...
Subject: [Baitnswitch-users] Re: Testing bait & switch; manual for switchcore?

I actually got the ping example to work. Just had to enable routing via the file /proc/sys/net/ipv4/ip_forward. Umm, is there a manual page available for switchcore?

The first time I pinged the production IP, the first echo request was received by the production IP and no response was sent. For the subsequent echo requests, the packets were forwarded directly to the honeypot, with replies sent by the honeypot.

My question is: what are the exact conditions for switchcore to send packets to the production interface? What are they for the packets to get sent via the honeypot interface? I tried doing some tests to find out, such as:
- deactivating snort;
- erasing the logs in /var/log/snort;
- erasing the logs in switchcore.logs;
- activating the FW with rules to let packets pass through if0, if1, if2.
When I reactivated the firewall and ran the first ping test, the packets were sent to production with no replies being sent. For the second and following tests, the packets were sent to the honeypot IP.

I'd appreciate it if you could give a few minutes to answer my question.

best,
Lloyd

--- "Jack Whitsitt (jofny)" <xa...@vi...> wrote:
> Hi. I'm busy moving at the moment, but I'll get back to you shortly.

_______________________________________________
Baitnswitch-users mailing list
Bai...@li...
https://lists.sourceforge.net/lists/listinfo/baitnswitch-users
|
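The steering that Albert describes above (a Snort rule carrying bns_alert arms switchcore, which then sends that source to the honeypot for a configured time) and the consequence Jofny draws in his 2004-03-09 message (an intruder with an open TCP session notices the switch, because the honeypot has no state for the flow) can be shown in a small Python model. This is an added example, not switchcore or any other code from the Bait-N-Switch project. The redirect lifetime as a plain number of seconds, Snort "rules" as Python predicates, and end hosts that keep only a set of open TCP flows keyed by (source IP, source port) are all assumptions of the model; the addresses are the ones from Lloyd's posts on this page.

```python
"""Model of the Bait-N-Switch steering decision (added example, not the project's
code). It reproduces the two behaviours described on the list: the packet that
trips the Snort rule has already been forwarded to production when the redirect
is installed, and from then on everything from that source IP goes to the
honeypot until a configured lifetime expires.

Assumptions (not on the page): lifetime is a plain number of seconds, a "rule"
is a predicate over the packet, hosts keep a set of TCP flows keyed by
(src ip, src port)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

MULTI_IP = "192.168.1.10"   # address shared by production and honeypot in the thread


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    ts: float             # seconds
    sport: int = 0
    flags: str = ""       # tcp flags, e.g. "S", "PA"
    payload: str = ""


class SwitchCore:
    """Per-source redirect table: alert(src) arms fwmark 1 for `lifetime` seconds."""

    def __init__(self, lifetime: float) -> None:
        self.lifetime = lifetime
        self.expiry: Dict[str, float] = {}

    def alert(self, src: str, ts: float) -> None:
        self.expiry[src] = ts + self.lifetime

    def fwmark(self, pkt: Packet) -> int:
        exp = self.expiry.get(pkt.src)
        if exp is None:
            return 0
        if pkt.ts >= exp:             # lifetime over: back to production
            del self.expiry[pkt.src]
            return 0
        return 1


def lookup_table(pkt: Packet, mark: int) -> str:
    """Same precedence as the `ip rule` listing on the page:
    fwmark 0x1 -> honeypot, to MULTI_IP -> production, otherwise main."""
    if mark == 1:
        return "honeypot"
    if pkt.dst == MULTI_IP:
        return "production"
    return "main"


class Host:
    """Just enough TCP state to show why a mid-stream switch is visible:
    a segment for a flow this host never saw gets a RST instead of an ACK."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int]] = set()

    def receive(self, pkt: Packet) -> str:
        if pkt.proto == "icmp":
            return "echo-reply"
        key = (pkt.src, pkt.sport)
        if pkt.flags == "S":
            self.flows.add(key)
            return "syn-ack"
        return "ack" if key in self.flows else "rst"


class BnsRouter:
    def __init__(self, rules: List[Callable[[Packet], bool]], lifetime: float) -> None:
        self.rules = rules
        self.core = SwitchCore(lifetime)
        self.hosts = {"production": Host(), "honeypot": Host()}

    def forward(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        # 1. Route with whatever mark exists now; Snort has not seen this packet yet.
        table = lookup_table(pkt, self.core.fwmark(pkt))
        reply = self.hosts[table].receive(pkt) if table in self.hosts else None
        # 2. Snort inspects the same packet; a bns_alert rule arms the redirect for
        #    later packets from this source. The triggering packet already went through.
        if any(rule(pkt) for rule in self.rules):
            self.core.alert(pkt.src, pkt.ts)
        return table, reply


def scenario_tcp_midstream(lifetime: float = 300.0) -> List[Tuple[str, Optional[str]]]:
    """Attacker opens a flow to production, trips a rule mid-stream, gets a RST from
    the honeypot (no state for that flow), then reconnects and lands on the honeypot."""
    rules = [lambda p: p.proto == "tcp" and "/etc/passwd" in p.payload]
    r = BnsRouter(rules, lifetime)
    atk = "10.1.2.92"        # external host from the thread
    pkts = [
        Packet(atk, MULTI_IP, "tcp", 0.0, 40000, "S"),
        Packet(atk, MULTI_IP, "tcp", 0.1, 40000, "PA", "GET /../../etc/passwd HTTP/1.0"),
        Packet(atk, MULTI_IP, "tcp", 0.2, 40000, "PA", "Host: victim"),
        Packet(atk, MULTI_IP, "tcp", 1.0, 40001, "S"),
        Packet(atk, MULTI_IP, "tcp", 1.1, 40001, "PA", "GET / HTTP/1.0"),
    ]
    return [r.forward(p) for p in pkts]


def scenario_icmp_lifetime(lifetime: float = 5.0) -> List[str]:
    """The ping test from the thread: first echo reaches production, the rest go to the
    honeypot, and once the lifetime passes the source is handed to production again."""
    r = BnsRouter([lambda p: p.proto == "icmp"], lifetime)
    return [r.forward(Packet("10.1.2.92", MULTI_IP, "icmp", t))[0]
            for t in (0.0, 1.0, 2.0, 10.0, 11.0)]


if __name__ == "__main__":
    for step in scenario_tcp_midstream():
        print(step)
    print(scenario_icmp_lifetime())
```

The first scenario is the interruption mgao asked about: the segment carrying the signature is answered by production, the next segment of the same flow is answered with a RST by the honeypot, and only the attacker's new connection is served by the honeypot from the start. The second scenario is Lloyd's observation with a lifetime attached; in the real deployment the lifetime comes from the switchcore settings Albert refers to, and his ARP note means the leak may be more than the single packet this model shows.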
From: Lloyd D. <fra...@ya...> - 2003-10-17 07:57:35
|
I actually got the ping example to work. Just had to enable routing via the file /proc/sys/net/ipv4/ip_forward. Umm, is there a manual page available for switchcore?

The first time I pinged the production IP, the first echo request was received by the production IP and no response was sent. For the subsequent echo requests, the packets were forwarded directly to the honeypot, with replies sent by the honeypot.

My question is: what are the exact conditions for switchcore to send packets to the production interface? What are they for the packets to get sent via the honeypot interface? I tried doing some tests to find out, such as:
- deactivating snort;
- erasing the logs in /var/log/snort;
- erasing the logs in switchcore.logs;
- activating the FW with rules to let packets pass through if0, if1, if2.
When I reactivated the firewall and ran the first ping test, the packets were sent to production with no replies being sent. For the second and following tests, the packets were sent to the honeypot IP.

I'd appreciate it if you could give a few minutes to answer my question.

best,
Lloyd

--- "Jack Whitsitt (jofny)" <xa...@vi...> wrote:
> Hi. I'm busy moving at the moment, but I'll get back to you shortly.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com
|
From: Lloyd D. <fra...@ya...> - 2003-10-16 10:26:30
|
Hi,

I'm trying to set up a bait & switch. Installing went fine using the BNS-HOWTO,
except for one detail which I'll explain later. The problem is I can't access
the honeypot/production IP from an external machine, but I can ping the
internal gateway interfaces from outside. From the honeypot and production
machine I can also ping the internal gateway. I'm fairly new to routing, so if
possible please explain in detail what I should do. I'll try to explain the
steps I think are important that I've done to configure bait & switch:

I've configured the network like this:

EXTERNAL
  eth0: IP 10.1.2.92, Netmask 255.255.0.0
        GW 10.1.2.94 for 192.168.1.0/24
        GW 10.1.0.1 for 0.0.0.0/0
   |
BNS
  eth0: IP 10.1.2.94, Netmask 255.255.0.0, GW 10.1.0.1
  eth1: IP 192.168.1.1, Netmask 255.255.255.255   (honeypot side)
  eth2: IP 192.168.1.2, Netmask 255.255.255.255   (production side)
   |                                    |
HONEYPOT                                PRODUCTION
  eth0: IP 192.168.1.10                   eth0: IP 192.168.1.10
        Netmask 255.255.255.0                   Netmask 255.255.255.0
        GW 192.168.1.1                          GW 192.168.1.2

bnsroutes.bash:
ext_nic=eth0
ext_ip=10.1.2.94
prod_nic=eth2
prod_gw=192.168.1.2
honey_nic=eth1
honey_gw=192.168.1.1
multi_ip=192.168.1.10
ip rule add from 192.168.1.10/24 table my_out
ip rule add to 192.168.1.10/32 table production
ip rule add fwmark 1 table honeypot
ip route add 192.168.1.10/32 via 192.168.1.2 dev eth2 table production proto static
ip route add 192.168.1.10/32 via 192.168.1.1 dev eth1 table honeypot proto static
ip route add 0/0 via 10.1.2.94 dev eth0

I've executed in the terminal each line of bnsroutes.bash, but the last line
returns: RTNETLINK: File exists!
This is the only step which didn't go smoothly during installation.

Here is the route table on the BNS machine:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.0.0        *               255.255.0.0     U     0      0        0 eth0
default         10.1.0.1        0.0.0.0         UG    0      0        0 eth0

And ifconfig output on BNS:
eth0  Link encap:Ethernet  HWaddr 00:01:02:0E:D8:F5
      inet addr:10.1.2.94  Bcast:10.1.255.255  Mask:255.255.0.0
eth1  Link encap:Ethernet  HWaddr 00:01:02:B7:0D:2C
      inet addr:192.168.1.1  Bcast:192.168.1.1  Mask:255.255.255.255
eth2  Link encap:Ethernet  HWaddr 00:01:02:0E:DA:97
      inet addr:192.168.1.2  Bcast:192.168.1.2  Mask:255.255.255.255

I've tried pinging without snort running. I should be able to at least see
packets coming out of either the production or honeypot gateway interface on
the BNS machine. This isn't the case. Routing doesn't work. How should I
proceed with checking the routing then?

The command 'ip rule show' on BNS outputs:
0:      from all lookup local
32763:  from all fwmark 0x1 lookup honeypot
32764:  from all to 192.168.1.10 lookup production
32765:  from 192.168.1.10/24 lookup my_out
32766:  from all lookup main
32767:  from all lookup 253

and 'ip route show' outputs:
10.1.0.0/16 dev eth0 scope link
default via 10.1.0.1 dev eth0

From what I've understood, switchcore does the routing to the production
server. Snort checks the packets, then tells switchcore if they should be sent
to the honeypot. Is this right? Please correct me if wrong.

If I want the packets sent by either the honeypot or the production machine to
be sent back to the external machine, should I configure NATting? If so, how do
I do this correctly?

On the other side, I've also had problems compiling switchcore. Using
BNSbeta2.1 and glibc2.25, switchcore didn't compile and had the same compile
error output as posted by jmoratilla. However, I've tried compiling on a
machine with glibc2.3.2 with success. But I really haven't done extensive
testing on this, just sharing my notes on the installation process.

Hope I can be enlightened with your responses.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com
|
|
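Lloyd's bnsroutes.bash above, and the near-identical topology in Pierre's 2016 post (shared /24 address on both inside hosts, /32 on each of the router's inside interfaces, one routing table per side selected by `ip rule`), are easy to get subtly wrong, and this thread surfaces three such problems: the last `ip route add` fails with "File exists", the `my_out` table is referenced by a rule but never given a route, and forwarding was off until Lloyd enabled ip_forward the next day. The following Python lint is an added example, not the project's bnsroutes.bash or its HOWTO. It parses the `ip rule` / `ip route` lines as posted (kept here as a constructed string), takes the router's own addresses from Lloyd's ifconfig output, and reports those three conditions; the finding codes and severities are my own naming.

```python
"""Lint for a Bait-N-Switch policy-routing script (added example; not the project's
bnsroutes.bash and not its HOWTO). It reads `ip rule` / `ip route` lines as a user
posted them and flags the problems that surfaced in the thread: a default route
pointing at the router's own address, a table that rules send traffic to but no
route ever fills, and a missing ip_forward switch."""
import re
from typing import List, Set, Tuple

# Lloyd's script as posted on the list, kept here as a constructed string.
LLOYD_SCRIPT = """\
ext_nic=eth0
ext_ip=10.1.2.94
prod_nic=eth2
prod_gw=192.168.1.2
honey_nic=eth1
honey_gw=192.168.1.1
multi_ip=192.168.1.10
ip rule add from 192.168.1.10/24 table my_out
ip rule add to 192.168.1.10/32 table production
ip rule add fwmark 1 table honeypot
ip route add 192.168.1.10/32 via 192.168.1.2 dev eth2 table production proto static
ip route add 192.168.1.10/32 via 192.168.1.1 dev eth1 table honeypot proto static
ip route add 0/0 via 10.1.2.94 dev eth0
"""

LOCAL_IPS = {"10.1.2.94", "192.168.1.1", "192.168.1.2"}   # from his ifconfig output
DEFAULT_PREFIXES = {"0/0", "default", "0.0.0.0/0"}

_RULE = re.compile(r"^ip\s+rule\s+add\s+.*?\btable\s+(\S+)")
_ROUTE = re.compile(r"^ip\s+route\s+add\s+(\S+)(?:\s+via\s+(\S+))?(.*)$")
_TABLE = re.compile(r"\btable\s+(\S+)")


def lint_routes(script: str, local_ips: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, code, detail) findings for a bnsroutes-style script."""
    findings: List[Tuple[str, str, str]] = []
    rule_tables: Set[str] = set()
    route_tables: Set[str] = set()
    forwarding = False
    for raw in script.splitlines():
        line = raw.strip()
        if "ip_forward" in line:
            forwarding = True
        m = _RULE.match(line)
        if m:
            rule_tables.add(m.group(1))
            continue
        m = _ROUTE.match(line)
        if not m:
            continue
        prefix, via, rest = m.group(1), m.group(2), m.group(3)
        t = _TABLE.search(rest)
        route_tables.add(t.group(1) if t else "main")
        # A default route via one of the box's own addresses. The main table already
        # holds a default via the real upstream (10.1.0.1 in the posted `ip route show`),
        # so `ip route add` answers "RTNETLINK answers: File exists"; had it succeeded,
        # the gateway would have been the router itself.
        if prefix in DEFAULT_PREFIXES and via in local_ips:
            findings.append(("error", "self-gateway", line))
    # A rule may point at a table nothing populates. The lookup then falls through to
    # the next rule, so the rule is inert. What belongs in my_out is not stated on the
    # list, hence a warning rather than an error.
    for table in sorted(rule_tables - route_tables):
        findings.append(("warn", "empty-table", table))
    if not forwarding:
        # The fix Lloyd reported the next day.
        findings.append(("error", "no-ip-forward", "echo 1 > /proc/sys/net/ipv4/ip_forward"))
    return findings


def errors(script: str) -> List[str]:
    return [code for sev, code, _ in lint_routes(script, LOCAL_IPS) if sev == "error"]


def fixed_script(script: str) -> str:
    """Drop the self-gateway default route (main already has one) and turn on
    forwarding before the rules and routes are installed."""
    kept = []
    for line in script.splitlines():
        m = _ROUTE.match(line.strip())
        if m and m.group(1) in DEFAULT_PREFIXES and m.group(2) in LOCAL_IPS:
            continue
        kept.append(line)
    return "echo 1 > /proc/sys/net/ipv4/ip_forward\n" + "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in lint_routes(LLOYD_SCRIPT, LOCAL_IPS):
        print(finding)
    print(fixed_script(LLOYD_SCRIPT))
```

Run against the posted script it reports `self-gateway` and `no-ip-forward` as errors and `empty-table my_out` as a warning; `fixed_script` clears the two errors and leaves the warning, since the page does not say what routes the my_out table was meant to carry. Note that the lint only reads the script; it says nothing about whether Snort or switchcore are marking packets, which is the separate question Albert answers later in the thread.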
From: Jack W. (jofny) <xa...@vi...> - 2003-09-27 22:03:30
|
Ok, I just compiled this on a Debian box with no issues at all. Do you have kernel headers installed? Do a search for pthread.h

----- Original Message -----
From: "Jack Whitsitt (jofny)" <xa...@vi...>
To: "Jorge J. Moratilla Porras" <jmo...@e-...>; <bai...@li...>
Sent: Saturday, September 27, 2003 4:32 PM
Subject: Re: [Baitnswitch-users] Re: Baitnswitch-users digest, Vol 1 #3 - 3 msgs

> Sorry it's taken me so long to get back to you; I'm moving and switching
> jobs atm. I just went through the package you have again and everything
> worked fine. Unless you've come up with a resolution, I'll look at it closer
> today and get back to you tonight.
|
From: Jack W. (jofny) <xa...@vi...> - 2003-09-27 21:58:42

Sorry it's taken me so long to get back to you - I'm moving and switching jobs atm. I just went through the package you have again and everything worked fine. Unless you've come up with a resolution, I'll look at it closer today and get back to you tonight.

----- Original Message -----
From: "Jorge J. Moratilla Porras" <jmo...@e-...>
To: <bai...@li...>
Sent: Monday, September 15, 2003 5:38 PM
Subject: [Baitnswitch-users] Re: Baitnswitch-users digest, Vol 1 #3 - 3 msgs

> Hi again.
>
> About the questions:
>
> 1. Are you compiling it on Linux?
>
> Yes. I'm using a Debian Woody r0 with kernel 2.4.21
>
> 2. Are you using the patch/setup system we included in the tarball?
>
> I followed the published steps to configure the baitandswitch
>
> 3. And are you using that system with snort 2.x or 1.x?
>
> I'm using snort 1.9.1 as I read the last update you did in the website.
>
> 4. And are you using the latest tarball?
>
> I suppose so. There is only one right now ( beta-1.3 ).
>
> I found some problems when I was running bns_conf.bash. For example, I found that there was an extra cd .. in function snort_patch that fails when patching the snort code.
>
> So when I tried to compile the switchcore.c with libpthreads I found several errors related with the "start = time (0);" line in switchcore.c.
>
> I moved that line several lines below, just after the DAEMONIZE ifdef and I was able to compile it without errors, but when I run it I got a segmentation fault. I think it is related with the position of this line, but I'm not an experienced programmer and I got stuck with the code.
>
> Can you help me on this? Thanks in Advance
>
> Jorge Moratilla
From: Jorge J. M. P. <jmo...@e-...> - 2003-09-15 22:37:45

Hi again.

About the questions:

1. Are you compiling it on Linux?

Yes. I'm using a Debian Woody r0 with kernel 2.4.21

2. Are you using the patch/setup system we included in the tarball?

I followed the published steps to configure the baitandswitch

3. And are you using that system with snort 2.x or 1.x?

I'm using snort 1.9.1 as I read the last update you did in the website.

4. And are you using the latest tarball?

I suppose so. There is only one right now ( beta-1.3 ).

I found some problems when I was running bns_conf.bash. For example, I found that there was an extra cd .. in function snort_patch that fails when patching the snort code.

So when I tried to compile the switchcore.c with libpthreads I found several errors related with the "start = time (0);" line in switchcore.c.

I moved that line several lines below, just after the DAEMONIZE ifdef and I was able to compile it without errors, but when I run it I got a segmentation fault. I think it is related with the position of this line, but I'm not an experienced programmer and I got stuck with the code.

Can you help me on this? Thanks in Advance

Jorge Moratilla
From: Jack W. (jofny) <xa...@vi...> - 2003-09-14 18:59:23

And are you using the latest tarball?

----- Original Message -----
From: "Jorge J. Moratilla Porras" <jmo...@e-...>
To: <Bai...@li...>
Sent: Sunday, September 14, 2003 12:23 PM
Subject: [Baitnswitch-users] I got a problem while compiling switchcore.c

> I got several errors about pthreads library. I'm adding the output. What is wrong?
>
> I changed line start = time(0);
>
> from its original position to the line after the #ifdef statement and I was successful with compiling, but when I run it I got a segmentation fault. Now I'm trying to understand the code to see if I can debug more errors, but I'd appreciate any kind of help in this task. I'm not a C programmer.
>
> Thanks In Advance
>
> bait@baitnswitch:~/soft/bns/switching$ gcc -lpthreads -o switchcore switchcore.c
> switchcore.c: In function `main':
> switchcore.c:686: parse error before `unmark_t'
> switchcore.c:701: `pid' undeclared (first use in this function)
> switchcore.c:701: (Each undeclared identifier is reported only once
> switchcore.c:701: for each function it appears in.)
> switchcore.c:715: `sid' undeclared (first use in this function)
> switchcore.c:740: `ret' undeclared (first use in this function)
> switchcore.c:740: `unmark_t' undeclared (first use in this function)
> switchcore.c:751: `lock' undeclared (first use in this function)
> switchcore.c:753: `cv' undeclared (first use in this function)
> switchcore.c:759: `ret2' undeclared (first use in this function)
> switchcore.c:759: `log_alert_t' undeclared (first use in this function)
> bait@baitnswitch:~/soft/bns/switching$
From: Jack W. (jofny) <xa...@vi...> - 2003-09-14 18:54:04

Meant to send this back to the list, too

----- Original Message -----
From: "Jack Whitsitt (jofny)" <xa...@vi...>
To: "Jorge J. Moratilla Porras" <jmo...@e-...>
Cc: <ago...@ne...>
Sent: Sunday, September 14, 2003 1:49 PM
Subject: Re: [Baitnswitch-users] I got a problem while compiling switchcore.c

> Three quick questions:
>
> Are you compiling it on Linux?
> Are you using the patch/setup system we included in the tarball?
> And are you using that system with snort 2.x or 1.x?
>
> -jofny
>
> ----- Original Message -----
> From: "Jorge J. Moratilla Porras" <jmo...@e-...>
> To: <Bai...@li...>
> Sent: Sunday, September 14, 2003 12:23 PM
> Subject: [Baitnswitch-users] I got a problem while compiling switchcore.c
>
> > I got several errors about pthreads library. I'm adding the output. What is wrong?
> >
> > I changed line start = time(0);
> >
> > from its original position to the line after the #ifdef statement and I was successful with compiling, but when I run it I got a segmentation fault. Now I'm trying to understand the code to see if I can debug more errors, but I'd appreciate any kind of help in this task. I'm not a C programmer.
> >
> > Thanks In Advance
> >
> > bait@baitnswitch:~/soft/bns/switching$ gcc -lpthreads -o switchcore switchcore.c
> > switchcore.c: In function `main':
> > switchcore.c:686: parse error before `unmark_t'
> > switchcore.c:701: `pid' undeclared (first use in this function)
> > switchcore.c:701: (Each undeclared identifier is reported only once
> > switchcore.c:701: for each function it appears in.)
> > switchcore.c:715: `sid' undeclared (first use in this function)
> > switchcore.c:740: `ret' undeclared (first use in this function)
> > switchcore.c:740: `unmark_t' undeclared (first use in this function)
> > switchcore.c:751: `lock' undeclared (first use in this function)
> > switchcore.c:753: `cv' undeclared (first use in this function)
> > switchcore.c:759: `ret2' undeclared (first use in this function)
> > switchcore.c:759: `log_alert_t' undeclared (first use in this function)
> > bait@baitnswitch:~/soft/bns/switching$
From: Jorge J. M. P. <jmo...@e-...> - 2003-09-14 17:23:00

I got several errors about pthreads library. I'm adding the output. What is wrong?

I changed line start = time(0);

from its original position to the line after the #ifdef statement and I was successful with compiling, but when I run it I got a segmentation fault. Now I'm trying to understand the code to see if I can debug more errors, but I'd appreciate any kind of help in this task. I'm not a C programmer.

Thanks In Advance

bait@baitnswitch:~/soft/bns/switching$ gcc -lpthreads -o switchcore switchcore.c
switchcore.c: In function `main':
switchcore.c:686: parse error before `unmark_t'
switchcore.c:701: `pid' undeclared (first use in this function)
switchcore.c:701: (Each undeclared identifier is reported only once
switchcore.c:701: for each function it appears in.)
switchcore.c:715: `sid' undeclared (first use in this function)
switchcore.c:740: `ret' undeclared (first use in this function)
switchcore.c:740: `unmark_t' undeclared (first use in this function)
switchcore.c:751: `lock' undeclared (first use in this function)
switchcore.c:753: `cv' undeclared (first use in this function)
switchcore.c:759: `ret2' undeclared (first use in this function)
switchcore.c:759: `log_alert_t' undeclared (first use in this function)
bait@baitnswitch:~/soft/bns/switching$
From: Jack W. <xa...@vi...> - 2003-05-21 16:22:02

> Hi there,
> I tried to run baitnswitch, I built the routing rules and followed the instruction in the documentation every thing is ok and no error messages ..
> but when I tried to ping the honeypot or the production server from any external PC there was no response..
> also I couldn't ping the gateway of the honeypot & production server from the machine itself.(Directly connected interfaces)
> so could any one help me please???!!!!!
> Regards.

First question: is routing turned on within linux?

Second Question: You don't have any firewall rules that would prevent routing?

Third Question: Is the IP the same for both your honeypot and your production server? It should be. You can't ping the production machine OR your honeypot. You can only access one at a time. If you haven't tripped bait and switch, you should never be able to ping the honeypot and vice versa..since they're supposed to have the same IP's

Fourth Question: Is the IP you use for your prod/honey server routable? If it's not, you need to make sure you've correctly set up your NAT rules in iptables.

-Jack
From: Jack W. <xa...@vi...> - 2003-05-21 16:17:46

> I am trying to setup a honeypot using the bait&switch program to route traffic between the production server and the honeypot, I read the readme file coming with the bait&switch but it depends on the vmnet s/w which I don't know more about.

You do not need vmware. We, for testing purposes, used to use vmware as our honeypot. You can also use UML Linux, or a standalone real linux box as your honeypot. It really doesn't matter from a routing or bait and switch standpoint.

> this is the content of the file named bnsroute.bash contains the public and private interfaces configuration:
> ----------------------------------------------------------------
> >public interface: eth0 x.x.25.110/24
> >private interface: eth1 192.168.2.1/32
> >private interface: eth2 192.168.2.2/32
> >production Server: Connected to eth1 IP
> >Address:192.168.2.10/24
> >Gateway: 192.168.2.1
> >Honey-pot : Connected to eth2 IP
> >Address:192.168.2.10/24 Gateway:192.168.2.2
> ----------------------------------------------------------------

Your Prod and Honeypot IP's should not be /24. They should have the same IP - 192.168.2.10/32

You shouldn't have to (and it might not even work) use CIDR notation when running the bait and switch configuration program.

> from any external pc I can ping the three interfaces but I can't ping neither the production Server nor the Honey-pot(192.168.2.10/24), also I can't ping the Gateway from both the production Server or the Honey-pot.
> so when testing my Honey-pot using ICMP packets from any PC there is no reply from the honeypot.
> I think that I have a routing problem...so if you please if you can help me I'll be so so grateful.
> your fast response is highly appreciated..

Go ahead and send me your ifconfig output on the bait and switch router as well as its routing tables and I'll take a look at them.

Also: Make sure that routing is turned on in the first place on the linux box.

-Jack
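The checks Jack walks through in this reply and the one above (routing enabled on the router, one shared address for the production host and the honeypot, /32 host addresses rather than /24) written up as a small shell script. This is an example added here, not code from the baitnswitch package or from anyone on the list; the function names, the argument layout and the idea of passing the ip_forward path as a parameter are its own assumptions.

```shell
#!/bin/sh
# Added example (not part of the baitnswitch distribution): sanity checks for
# a bait-and-switch router layout, following the advice in this thread:
#   - the production host and the honeypot must carry the SAME address,
#   - that address is a /32 host address, not a /24 network,
#   - IP forwarding must be enabled on the router.
# Function names and the argument layout are this example's own choices.

# cidr_addr A.B.C.D[/N]  -> prints A.B.C.D
cidr_addr() { printf '%s\n' "${1%%/*}"; }

# cidr_len A.B.C.D[/N]   -> prints N (32 when no prefix length is given)
cidr_len() {
  case "$1" in
    */*) printf '%s\n' "${1##*/}" ;;
    *)   printf '32\n' ;;
  esac
}

# valid_ipv4 A.B.C.D     -> 0 if exactly four octets in 0..255, else 1
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# check_bns_layout PROD_CIDR HONEY_CIDR FORWARD_FILE
# Prints one line per problem found and returns the number of problems
# (0 means the layout matches the thread's recommendations). FORWARD_FILE is
# normally /proc/sys/net/ipv4/ip_forward; it is a parameter so the check can
# also be run against a saved copy of that file.
check_bns_layout() {
  prod=$1; honey=$2; fwd_file=$3
  problems=0
  for c in "$prod" "$honey"; do
    if ! valid_ipv4 "$(cidr_addr "$c")"; then
      echo "not a valid IPv4 address: $c"
      problems=$((problems + 1))
    fi
  done
  if [ "$(cidr_addr "$prod")" != "$(cidr_addr "$honey")" ]; then
    echo "production ($prod) and honeypot ($honey) must share one IP address"
    problems=$((problems + 1))
  fi
  for c in "$prod" "$honey"; do
    if [ "$(cidr_len "$c")" != 32 ]; then
      echo "$c should be a /32 host address, not /$(cidr_len "$c")"
      problems=$((problems + 1))
    fi
  done
  if [ "$(cat "$fwd_file" 2>/dev/null)" != 1 ]; then
    echo "IP forwarding is not enabled (read from $fwd_file)"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Demo run with the layout quoted in the thread (both hosts given as /24):
check_bns_layout 192.168.2.10/24 192.168.2.10/24 /proc/sys/net/ipv4/ip_forward \
  || echo "problems found: $?"
```

Run it on the router before bringing the honeypot network up. The layout quoted in the thread, with 192.168.2.10/24 on both hosts, produces two findings (one per /24 address); a router whose ip_forward reads anything other than 1 adds a third.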
From: Mohammed S. S. <mos...@it...> - 2003-05-21 15:35:42

Hi there,
I tried to run baitnswitch, I built the routing rules and followed the instruction in the documentation every thing is ok and no error messages ..
but when I tried to ping the honeypot or the production server from any external PC there was no response..
also I couldn't ping the gateway of the honeypot & production server from the machine itself.(Directly connected interfaces)
so could any one help me please???!!!!!
Regards.