
Honeypot and IDS

Determ
Newbie | Posts: 23 | Joined: Tue Jul 13, 2010 1:20 am
Post Thu Jul 15, 2010 5:59 am

Honeypot and IDS

Hello.

I want to set up two devices. The first will be a honeypot. I am thinking about setting up HoneyBOT on a WinXP box. At first I thought about building Honeyd, but I don't find it very useful. Has anybody heard of HOACD, and does anyone have experience with it?

I also want to set up one network IDS. I think that Snort is too hard for me to implement, so I am thinking of Bro-IDS. Has anyone set it up already?

Ketchup
Hero Member | Posts: 1021 | Joined: Fri Jul 04, 2008 7:44 pm | Location: Philadelphia, PA
Post Fri Jul 16, 2010 5:51 pm

Re: Honeypot and IDS

I don't have experience with either of the honeypot packages.

I have used both Snort and Bro-IDS. If you are going to use Bro-IDS, use BSD as the OS. The documentation for Bro is quite bad for anything other than BSD. I had quite a few issues getting it up and running. I couldn't get any sort of database logging going at all. It performed reasonably well, but I found it detected much less than Snort. It was also inconsistent. I put it through quite a few tests. In general, I wouldn't recommend this product from personal experience.

Snort is much easier to configure. I had it running on Red Hat and Ubuntu boxes without any issues. Most distributions even include it as a package. Database integration was also easy to configure and well documented. The most difficult part is learning the exception, preprocessor, and rules syntax. If you get stuck, pick up the "Snort IDS and IPS Toolkit" book. Also, make sure that you install a front-end for Snort, otherwise you will end up managing it through config files only. Snort has much better documentation and much more support in the community. I would go with Snort.

Finally, you can look into the OSSIM package, which includes Snort, Arpwatch, Nessus, and a bunch of other tools. It's a good security management console.

http://www.alienvault.com/community.php?section=Home
~~~~~~~~~~~~~~
Ketchup

rattis
Hero Member | Posts: 1172 | Joined: Mon Jul 27, 2009 1:25 pm
Post Fri Jul 16, 2010 8:05 pm

Re: Honeypot and IDS

I've just spent the last few days building a box to monitor the network. It is running syslog, bandwidthd, ntop, Nagios, arpwatch, and Wireshark. I used one book to help me get things set up. (I still have to finish setting up Nagios.)

See if your local library has Network Security Hacks. It talks about all the things you've wanted to do. Chapter 11 of the second edition goes through a lot of what you'll need to get Snort and honeyd running.

If I get time in the near future, I'm going back to deal with Snort and get that running on the box too.
OSWP, Sec+

Determ
Newbie | Posts: 23 | Joined: Tue Jul 13, 2010 1:20 am
Post Sun Jul 18, 2010 12:32 pm

Re: Honeypot and IDS

Thanks for the response. Yesterday I set up OSSEC HIDS, but I'm not sure if it is useful. Modern internet security programs already have some kind of "HIDS" built in, and I think that a HIDS is only useful for client hosts.
I also played with HoneyBOT, and it is cool, but too easy in some way. Do you know any European producer of modern honeypots and honeypot-like IDS software?

I checked OSSIM. It looks great. If I understood correctly, it is an all-in-one platform. But tell me, does it make configuring the programs any easier? Or will I have to spend a few days configuring the different programs that come with OSSIM?

Ketchup
Hero Member | Posts: 1021 | Joined: Fri Jul 04, 2008 7:44 pm | Location: Philadelphia, PA
Post Sun Jul 18, 2010 3:11 pm

Re: Honeypot and IDS

OSSIM has a nice web-based management console. It will let you manage everything from a single point. You will still need to tune Snort. I have yet to install any IDS and have it be useful out of the box. In most cases, you will just turn on and turn off the rule packages that make sense for your environment. OSSIM should make this easier for you.
~~~~~~~~~~~~~~
Ketchup
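Both of Ketchup's replies come down to the same practical point: the hard part of running Snort is the rule syntax and the tuning work of switching rules on and off for your environment. The script below is an added example (not from this thread, not part of the Snort or OSSIM projects) of the kind of small tool that does that tuning reproducibly: it parses a rules file, reads the sid, classtype and msg options from each rule, disables or enables rules by SID or classtype, and writes the file back with disabled rules commented out the way Snort expects. The rules file embedded in it is constructed for the example, with SIDs in the local range, and does not correspond to any real ruleset.

```python
"""Toggle Snort rules by SID or classtype in a rules file.

Added example, not code from the thread or from the Snort project. The
rule lines in SAMPLE_RULES are constructed samples in Snort's rule syntax;
their SIDs are in the local range and match no real ruleset entry.
"""
import re

# Constructed sample rules file: three enabled rules, one already disabled.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection attempt"; flow:to_server,established; classtype:attempted-recon; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 161 (msg:"LOCAL SNMP request"; classtype:policy-violation; sid:1000002; rev:1;)
# alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo"; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL IRC client traffic"; classtype:policy-violation; sid:1000004; rev:2;)
"""

# A rule line is an action keyword, a header, and a parenthesised option list;
# a disabled rule is the same line with a leading '#'.
RULE_RE = re.compile(
    r"^(?P<off>#\s*)?"
    r"(?P<body>(?:alert|log|pass|drop|reject|sdrop)\s.+?\((?P<opts>.*)\)\s*)$"
)


def parse_rules(text):
    """Return one dict per line; non-rule lines (comments, blanks) are kept raw."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            rules.append({"raw": line, "rule": False})
            continue
        opts = m.group("opts")
        sid = re.search(r"\bsid:\s*(\d+);", opts)
        classtype = re.search(r"\bclasstype:\s*([\w-]+);", opts)
        msg = re.search(r'msg:\s*"([^"]*)"', opts)
        rules.append({
            "raw": line,
            "rule": True,
            "enabled": m.group("off") is None,
            "body": m.group("body"),
            "sid": int(sid.group(1)) if sid else None,
            "classtype": classtype.group(1) if classtype else None,
            "msg": msg.group(1) if msg else "",
        })
    return rules


def set_enabled(rules, enabled, sids=(), classtypes=()):
    """Enable or disable every rule matching a SID or classtype; return how many changed."""
    changed = 0
    for r in rules:
        if not r["rule"]:
            continue
        if r["sid"] in sids or r["classtype"] in classtypes:
            if r["enabled"] != enabled:
                r["enabled"] = enabled
                changed += 1
    return changed


def render(rules):
    """Write the rules back out, prefixing disabled rules with '# '."""
    out = []
    for r in rules:
        if not r["rule"]:
            out.append(r["raw"])
        else:
            out.append(r["body"] if r["enabled"] else "# " + r["body"])
    return "\n".join(out) + "\n"


def enabled_sids(rules):
    """Sorted SIDs of the rules that are currently enabled."""
    return sorted(r["sid"] for r in rules if r["rule"] and r["enabled"])


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # Example tuning decision: this site has no IRC/SNMP policy to enforce,
    # but does want to see ICMP echo, so drop the policy rules and re-enable 1000003.
    set_enabled(rules, False, classtypes=("policy-violation",))
    set_enabled(rules, True, sids=(1000003,))
    print(render(rules))
```

Keeping the disabled rules in the file as comments rather than deleting them is deliberate: the next ruleset update or a diff of the file shows exactly what was tuned out, which is what you want when a rule has to be turned back on after an incident.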

mambru
Jr. Member | Posts: 98 | Joined: Wed Jun 03, 2009 3:11 pm
Post Mon Jul 19, 2010 10:39 am

Re: Honeypot and IDS

For an IDS, take a look at Suricata http://www.openinfosecfoundation.org/

Determ
Newbie | Posts: 23 | Joined: Tue Jul 13, 2010 1:20 am
Post Thu Aug 26, 2010 3:02 am

Re: Honeypot and IDS

I have heard a lot about Suricata... Maybe they should set up a web forum for users and those who want to give it a try. Also, some tutorials would be great.

I plan to start with OSSIM in the next two months. I will need to buy one used machine for that purpose. Otherwise, I always read the documentation first and look for some good tutorials or reviews.

One more question: Did anyone work on securing SCADA? What I mean is a small SCADA, which runs in small facilities. It is possible that I will work on one project about protecting a SCADA environment. For now I was thinking about implementing a host IDS and remote log reading.

sil
Hero Member | Posts: 551 | Joined: Thu Mar 20, 2008 8:01 am | Location: ::1
Post Thu Aug 26, 2010 7:43 am

Re: Honeypot and IDS

Determ wrote:
One more question: Did anyone work on securing SCADA? What I mean is a small SCADA, which runs in small facilities. It is possible that I will work on one project about protecting a SCADA environment. For now I was thinking about implementing a host IDS and remote log reading.

Oh the SCADA PITA environment! I have a client who's one of the many contractors @ a gas plant which had a horrible explosion earlier this year. So I guess to an extent, the answer is yes, however, our testing did NOT include any HMI based controls, etc. For particular questions on that I'd post them to the SCADA mailing list (http://news.infracritical.com/mailman/listinfo/scadasec) With that said... Define SCADA. ;) Pentesting against say the corporate network in a SCADA based environment shouldn't interfere with mission critical controls (theoretically) as the controls infrastructure is usually segregated (theoretically).

mambru
Jr. Member | Posts: 98 | Joined: Wed Jun 03, 2009 3:11 pm
Post Thu Aug 26, 2010 9:42 am

Re: Honeypot and IDS

Determ wrote:
I have heard a lot about Suricata... Maybe they should set up a web forum for users and those who want to give it a try. Also, some tutorials would be great.

We are going through the process of creating the documentation, though if you know how to set up Snort, you won't have problems setting up Suricata. If you need further assistance/have questions, there's a mailing list, developers will help you.

Determ
Newbie | Posts: 23 | Joined: Tue Jul 13, 2010 1:20 am
Post Fri Aug 27, 2010 5:57 am

Re: Honeypot and IDS

I am thinking about protection at the operator workstation and HMI web/DB server level. I believe (but I don't know yet) that the operator workstation isn't segregated from the corporate network at small local plants in my area.
