Re: [ANNOUNCE] protocol watcher

From: Andrew Simmons (andrews@mis-cds.com)
Date: Tue May 27 2003 - 05:04:13 PDT

Next message: Mark Ng: "RE: Scans from proxyprotector.com"

Previous message: Brad Webb: "RE: Possible Intrusion Attempt?"
In reply to: Jerry Shenk: "RE: [ANNOUNCE] protocol watcher"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jerry Shenk wrote:

> 
> Is it possible to get LaBrea to use unused ports on a single IP address.  I
> think it just does entire unused IP addresses.
> 

This reminds me of an interesting article on setting up a cheap and 
cheerful honeypot using a couple of simple shell scripts and netcat which 
may or may not be of use to the original poster...?

http://www.securityhorizon.com/whitepapers/technical/honeypot.html

In a nutshell, the scripts start netcat processes listening on various 
significant ports. An elegant solution showing the power of netcat...
I'm sure I saw a more detailed article along the same lines on another 
site, but of course I can't locate the URL now.

Netcat will only log TCP or UDP connections. For ICMP and other more 
unusual IP protocols you'll need a full-blown firewall.

cheers,

\a

> -----Original Message-----
> From: Anders Reed Mohn [mailto:anders_rmat_private]
> Sent: Friday, May 23, 2003 5:06 AM
> To: incidentsat_private; Justin Pryzby
> Subject: Re: [ANNOUNCE] protocol watcher
> 
> 
> 
> ----- Original Message -----
> From: "Justin Pryzby" <justinpryzbyat_private>
> To: <incidentsat_private>
> Sent: Wednesday, May 21, 2003 11:00 PM
> Subject: [ANNOUNCE] protocol watcher
> 
> 
> 
>>I emailed the list previously asking if anyone knew of a way to
>>automatically accept and log all connections to a computer.  My thanks
>>to all that replied; unfortunately, I was unable to find exactly what I
>>wanted.  Since then, it occurred to me that this piece of software would
>>not be hard to write, so, three attempts later, it is written.
> 
> 
> Would this be anything similar to Tom Listons excellent LaBrea?
> http://labrea.sourceforge.net/labrea-info.html
> 
> Cheers,
> Anders :)
> 

The information contained in this message or any of its attachments may be privileged and confidential and intended for the exclusive use of the addressee. If you are not the addressee any disclosure, reproduction, distribution or other dissemination or use of this communications is strictly prohibited.  The views expressed in this e-mail are those of the individual and not necessarily of MIS Corporate Defence Solutions Ltd.  Any prices quoted are only valid if followed up by a formal written quote.  If you have received this transmission in error, please contact our Security Manager on 44 (0) 1622 723410.

----------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Mark Ng: "RE: Scans from proxyprotector.com"
Previous message: Brad Webb: "RE: Possible Intrusion Attempt?"
In reply to: Jerry Shenk: "RE: [ANNOUNCE] protocol watcher"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 27 2003 - 08:54:49 PDT