[c-nsp] Log analyzer/ACL advice

Jeff Kell jeff-kell at utc.edu
Fri Jan 5 13:56:33 EST 2007


Drew Weaver wrote:
>     I'd like to setup honeypots within my network which have no useful
> services what-so-ever running on them for the purpose of detecting and
> ultimately preventing any network access to various types of security
> bots (SSH scanners, brute force pw types). Has anyone ever found a
> package or a simple script for linux that will look in the /messages log
> (or any other log) and advise ACL/Null routes based on observed attacks?

Depending on your pain threshold for rolling your own <grin>, here's something we use...

Setup a "darknet" -- small subnet of unused/unallocated IPs that you want to monitor.

Setup a linux box on that subnet.

Setup the LaBrea tarpit (or similar).  http://labrea.sourceforge.net

Configure the tarpit to monitor the whole darknet subnet (be sure you are on friendly terms with the switch/router attached to your darknet; it will be spoofing MACs).

To monitor the tarpit, you'll need apache on your tarpit box and LaBrea::Tarpit reporting package.  You can download it from http://www.bizsystems.net/downloads/labrea or just install the package with perl CPAN.

Next, setup snort (http://www.snort.org) with the snortsam plugin (http://www.snortsam.net).

You don't need all the snort rules or fancy frills, just a couple to watch for 3-way handshakes, e.g.:

> alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:S+; flowbits: set,probestart; flowbits: noalert;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Tarpit TCP Attacker"; flow: established; flowbits: isset,probestart; flowbits: unset,probestart; threshold: type both, track by_src, count 5, seconds 14100; sid: 31337; fwsam: src, 4 hours;)

Those rules will look for 5 3-way handshakes in 4 hours, and if triggered, tell snortsam to block the source for 4 hours.

Then add your snortsam plugin of choice to implement the blocks:
> # Checkpoint Firewall-1
> # Cisco PIX firewalls
> # Cisco Routers (using ACL's or Null-Routes)
> # Former Netscreen, now Juniper firewalls 
> # (etc)

Jeff
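Drew's original question was for a script that reads a log and advises ACL/null-route entries. The following is an added example, not part of Jeff's post and not LaBrea, snort or snortsam code: a small Python script that applies the same per-source threshold the two snort rules encode (5 completed handshakes within 14100 seconds, block for 4 hours) to a log of tarpit connects and prints the IOS lines the snortsam Cisco plugin would push. The log line format, the sample addresses and the access-list number 199 are assumptions made for the example; the `ip route ... Null0` and `access-list ... deny ip host` syntax is standard IOS.

```python
"""Advise Cisco null-routes / ACL entries from tarpit connect logs.

Added example, not part of the original post and not LaBrea, snort or
snortsam code.  It reproduces the decision the two snort rules make:
a source that completes COUNT handshakes against the darknet within
WINDOW seconds is blocked for BLOCK_SECONDS.
"""
import re
from collections import defaultdict, deque

COUNT = 5                  # snort: threshold count 5
WINDOW = 14100             # snort: threshold seconds 14100
BLOCK_SECONDS = 4 * 3600   # snortsam: fwsam src, 4 hours

# Assumed log format (constructed for this example, not LaBrea's own):
#   "<epoch> connect <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(
    r"^(\d+)\s+connect\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)


def parse_line(line):
    """Return (ts, src, dst, dport), or None for lines that are not connect records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return int(ts), src, dst, int(dport)


class BySrcThreshold:
    """Approximates snort 'threshold: type both, track by_src': fire once when
    COUNT events from a source fall inside a WINDOW-second span, then stay
    quiet for that source until WINDOW seconds have passed."""

    def __init__(self, count=COUNT, window=WINDOW):
        self.count = count
        self.window = window
        self.seen = defaultdict(deque)   # src -> timestamps inside the window
        self.quiet_until = {}            # src -> epoch before which we do not re-fire

    def observe(self, ts, src):
        if ts < self.quiet_until.get(src, 0):
            return False                 # already blocked; swallow, as 'type both' does
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                  # age out hits older than the window
        if len(q) >= self.count:
            self.quiet_until[src] = ts + self.window
            q.clear()
            return True
        return False


def advise(lines, tracker=None):
    """Run the log through the threshold; return [(src, fired_at, expires_at)]."""
    tracker = tracker or BySrcThreshold()
    blocks = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # skip non-connect lines (cron noise etc.)
        ts, src, _dst, _dport = rec
        if tracker.observe(ts, src):
            blocks.append((src, ts, ts + BLOCK_SECONDS))
    return blocks


def render_cisco(blocks, style="null"):
    """Emit the IOS lines for each block: a Null0 route or an ACL deny entry."""
    out = []
    for src, _fired, _expires in blocks:
        if style == "null":
            out.append(f"ip route {src} 255.255.255.255 Null0")
        else:
            out.append(f"access-list 199 deny ip host {src} any")  # 199 is an assumed ACL number
    return out


BASE = 1167999393   # constructed epoch (Jan 2007)
SAMPLE_LOG = [      # constructed sample: 198.51.100.7 is a fast SSH scanner, 203.0.113.9 a slow one
    f"{BASE} connect 198.51.100.7:40001 -> 192.0.2.10:22",
    f"{BASE} connect 203.0.113.9:51000 -> 192.0.2.11:22",
    f"{BASE + 60} connect 198.51.100.7:40002 -> 192.0.2.10:22",
    f"{BASE + 120} connect 198.51.100.7:40003 -> 192.0.2.12:22",
    "Jan  5 13:56:33 tarpit cron[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    f"{BASE + 180} connect 198.51.100.7:40004 -> 192.0.2.13:22",
    f"{BASE + 240} connect 198.51.100.7:40005 -> 192.0.2.14:22",   # 5th handshake: fires
    f"{BASE + 300} connect 198.51.100.7:40006 -> 192.0.2.15:22",   # suppressed, already blocked
    f"{BASE + 4000} connect 203.0.113.9:51001 -> 192.0.2.11:22",
    f"{BASE + 8000} connect 203.0.113.9:51002 -> 192.0.2.11:22",
    f"{BASE + 12000} connect 203.0.113.9:51003 -> 192.0.2.11:22",
    f"{BASE + 16000} connect 203.0.113.9:51004 -> 192.0.2.11:22",  # 5 hits, but spread over > 14100 s
]

if __name__ == "__main__":
    for cmd in render_cisco(advise(SAMPLE_LOG)):
        print(cmd)
```

Two things the snort/snortsam pairing handles that a home-grown script must also cover: the block has to be removed again when `expires_at` passes (snortsam does this for you), and anything that legitimately touches the darknet (your own scanners, monitoring) needs a whitelist before the null-route is applied, or you will black-hole yourself.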