[c-nsp] Log analyzer/ACL advice
Laurent Geyer
lgeyer at 085zehn.com
Fri Jan 5 12:16:30 EST 2007
On 1/5/07, Drew Weaver <drew.weaver at thenap.com> wrote:
>
> I'd like to setup honeypots within my network which have no useful
> services what-so-ever running on them for the purpose of detecting and
> ultimately preventing any network access to various types of security
> bots (SSH scanners, brute force pw types).
What you are describing sort of defeats the purpose of a honeypot. On a
honeypot you generally want to mimic a system running services deployed on
your network and attempt to gain insight into attack vectors by observing
successful or attempted exploits.
A darknet requires less work and would be more suitable for what you're
attempting to accomplish.
Check out http://www.cymru.com/Darknet/
> Has anyone ever found a
> package or a simple script for linux that will look in the /messages log
> (or any other log) and advise ACL/Null routes based on observed attacks?
Going back to your statement about not running any services, how do you
expect to have any log entries ;)
I am personally not aware of anything like that, but you could very likely
roll your own by a combination of swatch or SEC with custom scripts.
- Laurent
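A small worked example of the roll-your-own approach described above (an added illustration, not code from the thread, from swatch or from SEC): a Python script that scans syslog-style lines for OpenSSH "Failed password" entries, counts failures per source address, skips an assumed allow-list so your own management hosts can never be proposed for blocking, and prints Cisco IOS ACL and null-route lines for an operator to review before they go anywhere near a router. The sample /var/log/messages lines, the threshold of five failures, the ACL number 100 and the 192.0.2.0/24 allow-list are all constructed for the example.

```python
"""Scan syslog-style lines for SSH brute-force sources and suggest
Cisco IOS ACL / null-route lines for review.

Added example. The OpenSSH "Failed password" line format, the
threshold, the ACL number and the allow-list are assumptions for the
illustration, not anything stated in the thread."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample /var/log/messages content (not real traffic).
SAMPLE_LOG = """\
Jan  5 11:02:10 gw sshd[1201]: Failed password for root from 203.0.113.45 port 51212 ssh2
Jan  5 11:02:12 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.45 port 51220 ssh2
Jan  5 11:02:13 gw sshd[1205]: Failed password for invalid user oracle from 203.0.113.45 port 51231 ssh2
Jan  5 11:02:15 gw sshd[1207]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jan  5 11:02:16 gw sshd[1209]: Failed password for root from 203.0.113.45 port 51244 ssh2
Jan  5 11:02:18 gw sshd[1211]: Failed password for root from 203.0.113.45 port 51250 ssh2
Jan  5 11:05:01 gw CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Jan  5 11:07:40 gw sshd[1320]: Failed password for jdoe from 198.51.100.7 port 40011 ssh2
Jan  5 11:07:44 gw sshd[1322]: Failed password for jdoe from 198.51.100.7 port 40012 ssh2
Jan  5 11:07:50 gw sshd[1324]: Accepted password for jdoe from 198.51.100.7 port 40013 ssh2
Jan  5 11:09:02 gw sshd[1340]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jan  5 11:09:03 gw sshd[1342]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jan  5 11:09:04 gw sshd[1344]: Failed password for root from 192.0.2.9 port 33003 ssh2
Jan  5 11:09:05 gw sshd[1346]: Failed password for root from 192.0.2.9 port 33004 ssh2
Jan  5 11:09:06 gw sshd[1348]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

# OpenSSH failed-login line; "invalid user" is present when the account
# does not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Hypothetical management network that must never be proposed for blocking.
ALLOWLIST = [ip_network("192.0.2.0/24")]


def parse_failures(log_text):
    """Return (failures per source IP, set of usernames tried per source IP)."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # not an sshd failure line, ignore
        user, src = m.groups()
        try:
            ip_address(src)  # drop anything that is not a literal address
        except ValueError:
            continue
        counts[src] += 1
        users[src].add(user)
    return counts, users


def offenders(counts, threshold=5, allowlist=ALLOWLIST):
    """Sources at or above the threshold, minus allow-listed networks,
    sorted numerically by address."""
    picked = [
        src for src, n in counts.items()
        if n >= threshold and not any(ip_address(src) in net for net in allowlist)
    ]
    return sorted(picked, key=ip_address)


def acl_advice(ips, acl_number=100):
    """Cisco IOS extended ACL deny lines, one per source."""
    return [f"access-list {acl_number} deny ip host {ip} any" for ip in ips]


def null_route_advice(ips):
    """Cisco IOS host routes to Null0 (black-hole the source)."""
    return [f"ip route {ip} 255.255.255.255 Null0" for ip in ips]


if __name__ == "__main__":
    counts, users = parse_failures(SAMPLE_LOG)
    bad = offenders(counts)
    for ip in bad:
        print(f"! {ip}: {counts[ip]} failures, users tried: {sorted(users[ip])}")
    for line in acl_advice(bad) + null_route_advice(bad):
        print(line)
```

Run against the constructed log this proposes blocking only 203.0.113.45: 198.51.100.7 stays under the threshold (and later logged in successfully), and 192.0.2.9 is over it but allow-listed. The output is advice to paste after review, not something to apply automatically; for a live feed, let swatch or SEC do the tailing and windowing and feed only the matched lines into the counter, so a single mistyped password loop from your own NOC cannot null-route you.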