From: ikami <ik...@ya...> - 2006-06-11 03:07:19

Hi Will,

Let me try to explain better. The problem I'm having is not with the time (10 seconds or 600 seconds, whatever). I know the time is in seconds. The problem is that BNS sometimes works and sometimes does not. I'm using it for study. It's not in production. All the servers are on my laptop, emulated in VMware.

Another example: for testing I wrote this rule. It is to redirect web traffic to the honeypot:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "Redirection test HTTP"; content:"GET"; nocase; bait-and-switch:600,src,172.30.0.2;)

The result is the same. I try, try, try and it works, but 5 min later or when I restart VMware it no longer works.

PS: Do you know how I can see the packets stored in ip_queue?

Thanks again

Íkami

Will Metcalf <wil...@gm...> wrote:

I don't understand what you are saying to me..... That when you use 600 seconds the entries are not in iptables after an hour. Of course they are not, as 600 seconds == 10 minutes.

Regards,

Will

On 6/10/06, ikami wrote:
>
> I know. I was using 600 but the result was the same. Sometimes it worked, sometimes not.
> And another thing, after the stipulated time are the DNAT and the SNAT removed?
> Another one, how can I see the content of ip_queue? This is only to know if the
> packets are there.
>
> Íkami
>
> Will Metcalf wrote:
> > The timeout is in seconds
> >
> > On 6/10/06, ikami wrote:
> >
> > Thanks, I found it now!
> >
> > My problem now is, I configured 3 nets with 4 machines on my computer: 2
> > internal nets and 1 external. The net was made with VMware. In the internal
> > net I have the server in production in net 172.10.0.0/24. In net
> > 172.30.0.0/24, also internal, is placed the honeypot, and the net
> > 172.20.0.0/16 represents the external net. Connecting these
> > nets I have a computer with 3 Ethernet interfaces to do the routing. I am trying to
> > launch an attack from the external net in the direction of the server in
> > production.
> >
> > I do the following:
> >
> > # /sbin/modprobe ip_queue
> > # /sbin/depmod -a
> >
> > # iptables -A FORWARD -p tcp --dport 80 -j QUEUE
> >
> > # snort_inline -Qc ../etc/snort_inline.conf -l /var/log/snort
> >
> > The problem is that sometimes snort_inline captures the attack and sometimes not.
> > I run the attack and it works. I turn the computer off and on and
> > it no longer works.
> >
> > The attack is an exploit that I found. You can download it from
> > http://downloads.securityfocus.com/vulnerabilities/exploits/apacheslash.c
> >
> > The rule I wrote for it is:
> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "Redirect test"; content:"///"; nocase; bait-and-switch:10,src,172.30.0.2;)
> >
> > I tried
> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "Redirect test"; content:"|2F 2F 2F|"; nocase; bait-and-switch:10,src,172.30.0.2;)
> >
> > As I said, sometimes it works and sometimes it does not.
> >
> > Thanks Will for all the help
> >
> > Íkami G. de Castilho
> >
> > Will Metcalf wrote:
> >
> > > did you look at the README.INLINE in the source tarball?
> >
> > Regards,
> >
> > Will
> >
> > On 6/2/06, ikami wrote:
> > > Does somebody have the howto bns-HOWTO.pdf or know of some document that
> > > explains how Bait_and_Switch works with Snort_Inline? I
> > > haven't found any reference material on the Internet.
> > > I am trying to do traffic redirection to a honeypot
> > > with snort_inline.
> > >
> > > Thanks
> > >
> > > Ikami
> > >
> > > _______________________________________________
> > > Snort-inline-users mailing list
> > > Sno...@li...
> > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users