[c-nsp] Log analyzer/ACL advice
bill fumerola
billf at mu.org
Fri Jan 5 12:34:53 EST 2007
[ reply-to set, this thread isn't really cisco-nsp related ]
On Fri, Jan 05, 2007 at 09:09:43AM -0800, John van Oppen wrote:
> Not really cisco related, but this is called a "darknet." Team Cymru
> has a nice write up on it at http://www.cymru.com/Darknet/
great reference site for setting a honeypot/darknet up. it's a little
dated, so if you're going to use FreeBSD 6 or 7 with this setup i would
suggest using pf(4) instead of ipf(4).
- you can use its built-in OS fingerprinting to provide more granular
results and reduce false positives
- once you feel comfortable that you're not getting false positives you
can use file-based tables to block the bad hosts from your real networks
- using its scrub features you can catch bad hosts that try and get cute
with ip fragments and tcp mss tricks
- you can use the pflog virtual interface for libpcap-based applications
- the syntax is very similar and porting the ruleset would be trivial
i'm sure the Cymru folks would appreciate a mail with the pf-based ruleset
if anyone does this.
-- bill
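A pf(4) ruleset sketch showing the five points in the post (OS fingerprinting, file-backed tables, scrub, pflog, the ipf-like syntax), written here as an added example; it is not from the thread or from Team Cymru's write-up. The interface names, the 192.0.2.0/24 darknet prefix (TEST-NET-1 used as a placeholder) and the /etc/pf/badhosts path are assumptions, and the FreeBSD 6/7-era scrub syntax is used because that is the platform the post names.

```pf
# /etc/pf.conf on a FreeBSD 6/7 darknet sensor (added example, not the post's or Team Cymru's config)
# Assumptions: em0 faces the production side, em1 receives the unrouted darknet prefix,
# and /etc/pf/badhosts is a file the operator (or a log analyzer) maintains.

ext_if  = "em0"
dark_if = "em1"
darknet = "192.0.2.0/24"          # placeholder prefix; nothing legitimate should ever talk to it

# File-backed table of sources already seen probing the darknet.
# "persist" keeps the table across ruleset reloads; the file seeds it at load time.
table <badhosts> persist file "/etc/pf/badhosts"

# Normalization: reassemble fragments and clamp the MSS before any rule sees the packet,
# so fragment-overlap and MSS games are neutralized (and still logged) rather than slipping past.
scrub in on $dark_if all fragment reassemble max-mss 1440
scrub in on $ext_if  all fragment reassemble

# Every packet arriving at the darknet is unsolicited: block it and send a copy to pflog0.
# pflog0 is a normal libpcap interface, so tcpdump/snort/etc. read it directly.
block in log on $dark_if inet from any to $darknet

# Passive OS fingerprinting (TCP only): a later rule wins in pf, so Windows-originated SYNs
# are logged against this rule number instead, which gives the analyzer a cheap first-cut
# split between worm/bot-style scanning and everything else.
block in log on $dark_if inet proto tcp from any os "Windows" to $darknet

# Only once the darknet data is trusted: use the same table to keep known-bad sources
# away from the real network. "quick" stops evaluation so no later pass rule can override it.
block in quick on $ext_if from <badhosts> to any

# Normal production policy follows; kept minimal here.
pass out on $ext_if keep state
```

Operationally, the log analyzer feeds the table rather than the ruleset: `pfctl -t badhosts -T add 198.51.100.7` (constructed address) inserts a source at runtime, `pfctl -t badhosts -T show` lists the current contents, and `tcpdump -n -e -ttt -i pflog0` shows the logged darknet hits with the matching rule number so the two block rules above can be told apart.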