Re: attack redirection

From: Daniel B. Cid (danielcid_at_yahoo.com.br)
Date: 05/20/03

    To: security-basics@securityfocus.com
    Date: 20 May 2003 10:46:36 -0400
    
    

    You can use Snort+Guardian to do this work for you. You only
    need to add your redirection rule (using iptables, ipf, pf, route...)
    to the "guardian_block" script.

    []`s

    Daniel B. Cid
    daniel@underlinux.com.br

    On Sat, 2003-05-17 at 13:36, Andy Cuff [talisker] wrote:
    > Hi Andrew
    > What I suspect you are looking for is "bait n switch" check out
    > http://violating.us/projects/baitnswitch/
    > <snip>
    > The Bait and Switch Honeypot is a multifaceted attempt to take honeypots out
    > of the shadows of the network security model and to make them an active
    > participant in system defense. To do this, we are creating a system that
    > reacts to hostile intrusion attempts by redirecting all hostile traffic to a
    > honeypot that is partially mirroring your production system. Once switched,
    > the would-be hacker is unknowingly attacking your honeypot instead of the
    > real data and your clients and/or users still safely accessing the real
    > system. Life goes on, your data is safe, and you are learning about the bad
    > guy as an added benefit. The system is based on snort, linux's iproute2,
    > netfilter, and custom code for now. We plan on adding additional support in
    > the future if possible.
    > </snip>
    > Lance Spitzner got quite excited about this at CanSecWest, but then again I
    > have never seen Lance (The HoneyAmbassador) not excited ;o) Sadly his
    > presentation isn't up on the CanSecWest resources for download yet.
    >
    > My main concern about this technology is an increase in latency after the
    > traffic is switched, not so much of a problem where the honeypot is local
    > but potentially noticeable where a managed service honeypot is being used.
    >
    > hope this helps
    > take care
    > -andy
    >
    > Taliskers Network Security Tools
    > http://www.networkintrusion.co.uk
    > ----- Original Message -----
    > From: "Andrew Elmore" <andrew.elmore@cyber-south.com>
    > To: <security-basics@securityfocus.com>
    > Sent: Friday, May 16, 2003 3:38 PM
    > Subject: attack redirection
    >
    >
    > Hey guys,
    > I'm looking for some program to redirect an attack on my web server
    > to a honeypot. Maybe triggered by number of hits in a given time or by
    > certain requests. Does such a thing exist? Where can I get it? Or would I
    > have to write some kind of script?
    > Thanks for your help.
    >
    > Andy
    >
    >
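
A block script of the kind the reply above describes, redirecting instead of dropping. This is an added example, not part of the original message and not Guardian's own script. It assumes Guardian calls the script with the offending source IP and the interface as its first two arguments, that the honeypot sits at the placeholder address 192.0.2.10, and that port 80 is the web server from the original question.

```shell
#!/bin/sh
# guardian_block-style script: send one source's web traffic to a honeypot.
# Assumed calling convention: guardian_block.sh <source-ip> <interface>
HONEYPOT_IP="${HONEYPOT_IP:-192.0.2.10}"   # placeholder address (TEST-NET-1)
IPTABLES="${IPTABLES:-/sbin/iptables}"

# The source IP is parsed out of alert text, so accept nothing but a
# strict dotted quad before it gets anywhere near a root command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split into octets (digits and dots only here)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Print the iptables arguments for the redirect; fail on bad input.
redirect_rule() {
    valid_ipv4 "$1" || return 1
    valid_iface "$2" || return 1
    printf '%s' "-t nat -I PREROUTING -i $2 -s $1 -p tcp --dport 80 -j DNAT --to-destination $HONEYPOT_IP:80"
}

# Only act when called with arguments; DRY_RUN=1 prints instead of applying.
if [ "$#" -ge 2 ]; then
    rule=$(redirect_rule "$1" "$2") || { echo "rejected: $*" >&2; exit 1; }
    if [ -n "$DRY_RUN" ]; then
        echo "$IPTABLES $rule"
    else
        $IPTABLES $rule       # word splitting intended: tokens were validated
    fi
fi
```

The nat table is consulted only for the first packet of a connection, so the rule affects new connections from that source, not ones already established. The box must also forward packets and sit on the honeypot's return path for the redirect to work.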

