[c-nsp] Log analyzer/ACL advice
Jeff Kell
jeff-kell at utc.edu
Fri Jan 5 13:56:33 EST 2007
Drew Weaver wrote:
> I'd like to setup honeypots within my network which have no useful
> services what-so-ever running on them for the purpose of detecting and
> ultimately preventing any network access to various types of security
> bots (SSH scanners, brute force pw types). Has anyone ever found a
> package or a simple script for linux that will look in the /messages log
> (or any other log) and advise ACL/Null routes based on observed attacks?
Depending on your pain threshold for rolling your own <grin>, here's something we use...
Set up a "darknet" -- a small subnet of unused/unallocated IPs that you want to monitor.
Set up a linux box on that subnet.
Set up the LaBrea tarpit (or similar). http://labrea.sourceforge.net
Configure the tarpit to monitor the whole darknet subnet (be sure you are on friendly terms with the switch/router attached to your darknet; it will be spoofing MACs).
To monitor the tarpit, you'll need apache on your tarpit box and the LaBrea::Tarpit reporting package. You can download it from http://www.bizsystems.net/downloads/labrea or just install the package with Perl CPAN.
Next, set up snort (http://www.snort.org) with the snortsam plugin (http://www.snortsam.net).
You don't need all the snort rules or fancy frills, just a couple to watch for 3-way handshakes, e.g.:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:S+; flowbits: set,probestart; flowbits: noalert;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Tarpit TCP Attacker"; flow: established; flowbits: isset,probestart; flowbits: unset,probestart; threshold: type both, track by_src, count 5, seconds 14100; sid: 31337; fwsam: src, 4 hours;)
Those rules will look for 5 3-way handshakes in 4 hours, and if triggered, tell snortsam to block the source for 4 hours.
Then add your snortsam plugin of choice to implement the blocks:
> # Checkpoint Firewall-1
> # Cisco PIX firewalls
> # Cisco Routers (using ACL's or Null-Routes)
> # Former Netscreen, now Juniper firewalls
> # (etc)
Jeff
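Drew asked for a script that reads a log and advises ACLs or null routes; the following is an added example (not Jeff's, LaBrea's or snortsam's code) that reproduces, in Python, what the two Snort rules above do: Snort's "threshold: type both, track by_src, count 5, seconds 14100" followed by a 4-hour block, rendered as the Cisco null-route a snortsam router plugin would push. The "<epoch> <source>" log format, one line per completed 3-way handshake, is an assumption, and the sample log is constructed.

```python
"""Null-route advisor that mirrors the Snort threshold above. Added example, not
Jeff Kell's or LaBrea's code; the "<epoch> <source>" log format is assumed."""
COUNT, SECONDS = 5, 14100      # 5 completed handshakes per source in a window
BLOCK_SECONDS = 4 * 3600       # 'fwsam: src, 4 hours'

# Constructed sample log: one line per completed 3-way handshake to the tarpit.
SAMPLE_LOG = """
1168023600 198.51.100.7
1168023660 198.51.100.7
1168023720 198.51.100.7
1168023780 198.51.100.7
1168023840 198.51.100.7
1168023900 198.51.100.7
1168023600 192.0.2.55
1168027200 192.0.2.55
1168030800 192.0.2.55
1168034400 192.0.2.55
1168038000 192.0.2.55
"""

def parse_handshakes(text):
    """Return time-sorted (timestamp, src) pairs; blank and '#' lines skipped."""
    events = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ts, src = line.split()
            events.append((int(ts), src))
    return sorted(events)

def threshold_both(events, count=COUNT, seconds=SECONDS):
    """Snort 'threshold: type both, track by_src': alert once when a source hits
    `count` events inside a `seconds` window, then stay quiet until it expires."""
    windows, alerts = {}, []          # src -> [window_start, hits]
    for ts, src in events:
        win = windows.get(src)
        if win is None or ts - win[0] >= seconds:
            win = windows[src] = [ts, 0]  # (re)open the window on this event
        win[1] += 1
        if win[1] == count:               # 5th hit fires; 6th and later are ignored
            alerts.append((ts, src))
    return alerts

def advise(text, block_seconds=BLOCK_SECONDS):
    """Log text -> [(src, block_start, block_expiry)] for each firing source."""
    return [(src, ts, ts + block_seconds)
            for ts, src in threshold_both(parse_handshakes(text))]

def null_routes(blocks):
    """Cisco IOS static null-routes, the kind the snortsam router plugin pushes."""
    return ["ip route %s 255.255.255.255 Null0" % src for src, _, _ in blocks]
```

In the sample, 198.51.100.7 completes six handshakes in five minutes and is blocked on the fifth, while 192.0.2.55 spreads five over four hours and never fires because its fifth hit lands after the 14100-second window has expired.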