[c-nsp] Log analyzer/ACL advice

Laurent Geyer lgeyer at 085zehn.com
Fri Jan 5 12:16:30 EST 2007


On 1/5/07, Drew Weaver <drew.weaver at thenap.com> wrote:
>
>     I'd like to set up honeypots within my network which have no useful
> services whatsoever running on them for the purpose of detecting and
> ultimately preventing any network access to various types of security
> bots (SSH scanners, brute force pw types).


What you are describing sort of defeats the purpose of a honeypot. On a
honeypot you generally want to mimic a system running services deployed on
your network and attempt to gain insight into attack vectors by observing
successful or attempted exploits.

A darknet requires less work and would be more suitable for what you're
attempting to accomplish.

Check out http://www.cymru.com/Darknet/


> Has anyone ever found a
> package or a simple script for linux that will look in the /messages log
> (or any other log) and advise ACL/Null routes based on observed attacks?


Going back to your statement about not running any services, how do you
expect to have any log entries ;)

I am personally not aware of anything like that, but you could very likely
roll your own by a combination of swatch or SEC with custom scripts.

- Laurent
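As an added illustration of the "roll your own" approach suggested above (this is example code, not something from the original thread or from swatch/SEC), the script below reads sshd "Failed password" lines from a /var/log/messages-style file, counts failures per source address, and emits Cisco IOS null-route and ACL suggestions for sources over a threshold. The log lines are constructed sample data, the threshold of 5 and the 10.0.0.0/8 allow-list are assumptions, and the ACL number 110 is arbitrary; a real deployment would feed the output to a human rather than apply it blindly.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of /var/log/messages-style sshd entries (not real data).
SAMPLE_LOG = """\
Jan  5 11:58:01 gw sshd[2231]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan  5 11:58:03 gw sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jan  5 11:58:04 gw sshd[2235]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jan  5 11:58:05 gw sshd[2237]: Failed password for root from 203.0.113.7 port 40150 ssh2
Jan  5 11:58:06 gw sshd[2239]: Failed password for root from 203.0.113.7 port 40161 ssh2
Jan  5 11:59:10 gw sshd[2240]: Invalid user oracle from 198.51.100.20
Jan  5 11:59:11 gw sshd[2240]: Failed password for invalid user oracle from 198.51.100.20 port 51002 ssh2
Jan  5 12:00:15 gw sshd[2250]: Failed password for jsmith from 10.0.5.9 port 33001 ssh2
Jan  5 12:00:16 gw sshd[2250]: Failed password for jsmith from 10.0.5.9 port 33001 ssh2
Jan  5 12:00:17 gw sshd[2250]: Failed password for jsmith from 10.0.5.9 port 33001 ssh2
Jan  5 12:00:18 gw sshd[2250]: Failed password for jsmith from 10.0.5.9 port 33001 ssh2
Jan  5 12:00:19 gw sshd[2250]: Failed password for jsmith from 10.0.5.9 port 33001 ssh2
Jan  5 12:00:20 gw sshd[2250]: Accepted password for jsmith from 10.0.5.9 port 33001 ssh2
"""

# Matches OpenSSH's "Failed password for [invalid user] NAME from SRC port N" form.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

# Assumed allow-list: never propose blocking your own management/internal space,
# or a forgotten password on a staff workstation turns into a self-inflicted outage.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]


def failed_logins_by_source(log_text):
    """Count 'Failed password' events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, threshold=5, never_block=NEVER_BLOCK):
    """Return sorted (source, failures) pairs at or above the threshold,
    skipping allow-listed networks and anything that is not a literal IP
    (sshd may log a hostname when reverse DNS is enabled)."""
    result = []
    for src, n in failed_logins_by_source(log_text).items():
        if n < threshold:
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue
        if any(addr in net for net in never_block):
            continue
        result.append((src, n))
    return sorted(result)


def null_route_commands(offender_list):
    """Cisco IOS static null routes, one per offending host."""
    return [f"ip route {src} 255.255.255.255 Null0" for src, _ in offender_list]


def acl_commands(offender_list, acl_number=110):
    """Cisco IOS extended ACL denying the offenders, with an explicit final permit."""
    cmds = [f"access-list {acl_number} deny ip host {src} any" for src, _ in offender_list]
    cmds.append(f"access-list {acl_number} permit ip any any")
    return cmds


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for src, n in hits:
        print(f"! {src}: {n} failed SSH logins")
    print("\n".join(null_route_commands(hits)))
    print("\n".join(acl_commands(hits)))
```

Run against the embedded sample, only 203.0.113.7 is proposed for blocking: 198.51.100.20 has a single failure and 10.0.5.9, despite five failures, is inside the allow-list (and in fact logged in on the sixth try). Pointing the script at a real file just means replacing SAMPLE_LOG with the file's contents; swatch or SEC can call it on each matching line, but batching on a schedule keeps the per-source counts meaningful.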

