I've got a brief write up about how I integrated John's and Paul's
honeyport script into an Ubuntu based OSSEC environment. It provides a
way for all OSSEC agents to blacklist an IP that connects to a single
honeyport on a single OSSEC agent.

The write up includes the modified honeyport script as well as custom
OSSEC dissectors, rules, and configuration changes needed to set this
up. If anyone is interested in reading it, let me know.

-AK
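As an added illustration of the pipeline AK describes (and of the iptables DROP logging Doug suggests further down the thread), not AK's script, BearTrap, or OSSEC's own code: a minimal honeyport listener that writes one log line per connection, a decoder that pulls the source IP out of that line or out of a kernel line from an iptables LOG rule with `--log-prefix="DROP "`, and the rule that decides which IP every agent should block. The two log formats, the honeyport list and the never-block networks are assumptions chosen for the example.

```python
import ipaddress
import re
import socket
from datetime import datetime, timezone

# Both log formats are constructed assumptions, not the list's own scripts.
HONEYPORT_RE = re.compile(r"honeyport: connection from (?P<srcip>[\d.]+):\d+ to port (?P<dport>\d+)")
IPTABLES_RE = re.compile(r"kernel: .*DROP .*SRC=(?P<srcip>[\d.]+) .*DPT=(?P<dport>\d+)")  # iptables LOG --log-prefix="DROP "
HONEYPORTS = {2222, 3389}  # assumption: ports no legitimate client ever touches
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]  # assumption: agent nets

def decode(line):
    """Decoder step: (srcip, dport, source) for a recognised line, else None."""
    for source, rx in (("honeyport", HONEYPORT_RE), ("iptables-drop", IPTABLES_RE)):
        m = rx.search(line)
        if m:
            return m["srcip"], int(m["dport"]), source
    return None

def should_blacklist(line):
    """Rule step: the IP every agent should block, or None.
    A honeyport hit is hostile by definition; a bare iptables DROP is too noisy
    to act on unless it targets a honeyport; allow-listed nets are never blocked,
    otherwise one scan could cut the OSSEC manager off from its own agents."""
    d = decode(line)
    if d is None:
        return None
    srcip, dport, source = d
    if any(ipaddress.ip_address(srcip) in n for n in NEVER_BLOCK):
        return None
    if source == "iptables-drop" and dport not in HONEYPORTS:
        return None
    return srcip

def honeyport_log_line(peer, dport):
    """Format one event in the layout HONEYPORT_RE expects."""
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"{ts} honeyport: connection from {peer[0]}:{peer[1]} to port {dport}"

def serve_honeyport(port, logfile):
    """Accept, log, close: the connection itself is the whole alert."""
    with socket.socket() as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", port))
        s.listen(5)
        while True:
            conn, peer = s.accept()
            with conn, open(logfile, "a") as f:  # one line per hit for OSSEC's logcollector
                f.write(honeyport_log_line(peer, port) + "\n")
```

Point OSSEC's logcollector at `logfile` and let a rule on the decoded `srcip` trigger the firewall-drop active response on all agents; `should_blacklist` is the decision that rule would encode.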

On Thu, Jul 12, 2012 at 1:36 PM, Chris Benedict <[email protected]> wrote:
> My project is mostly working, https://github.com/chrisbdaemon/BearTrap.
>
> I had to remove some of the functionality, but as a neat honeyport tool it
> should work alright.  It just hasn't really been used much yet.
>
> -Chris Benedict
>
> On Thu, Jul 12, 2012 at 8:50 AM, Doug Burks <[email protected]> wrote:
>>
>> Hi Anthony,
>>
>> If you're planning on using OSSEC anyway, could you just have OSSEC
>> monitor IPTables for any DROPs?
>>
>> Example from
>> http://securityonion.blogspot.com/2010/02/defense-in-depth-using-ossec-and-other.html:
>>
>> # Configure RHEL IPTables firewall to log any dropped packets to
>> # /var/log/messages to be monitored by OSSEC
>> iptables -I RH-Firewall-1-INPUT 11 -j LOG --log-prefix="DROP "
>>
>> Thanks,
>> Doug
>>
>> On Wed, Jul 11, 2012 at 6:32 PM, anthony kasza <[email protected]>
>> wrote:
>> > Hi All,
>> >
>> > On 10/16/11 12:18 PM, Chris Benedict wrote this list about a honeyport
>> > project. Does anyone know if the project took off? I'm attempting to
>> > integrate the command line scripts that John and Paul talked about at
>> > last year's DerbyCon (see slide 38) into OSSEC's active-response.
>> >
>> > -AK
>> > _______________________________________________
>> > Pauldotcom mailing list
>> > [email protected]
>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> > Main Web Site: http://pauldotcom.com
>>
>>
>>
>> --
>> Doug Burks
>> http://securityonion.blogspot.com