[ale] SNARE?
Geoffrey
esoteric at 3times25.net
Wed Jan 1 14:51:42 EST 2003
Jonathan Rickman wrote:
> On Tue, 31 Dec 2002, Robert L. Harris wrote:
>
>
>>
>>Anyone using this:
>>
>>http://www.intersectalliance.com/projects/Snare/
>>
>>I've got it running and it's pretty sweet but monitoring the network
>>connections is a bit obscure. As an example I'm looking to find any
>>details on anyone connecting to my machine via ftp or ssh as a test.
>
>
> I do something similar with a fake listener, snort, and tcpwrappers. It's
> definitely an eye opener sometimes. It's quite simple really. The inetd
> process calls the fake listener, which allows the connection to take
> place, snort logs it, then the fake listener takes any inputs it receives
> and logs them to a text file. Not only do I get to see the connection, but
> I can capture their inputs in an easily readable format rather than
> sorting through a hex dump. The fake listener is not really an interactive
> program, so it's only good at catching the automated stuff. The Deception
> Toolkit has some pretty good interactive listeners that can be pretty
> convincing. You could easily use them instead.
Seems like this would be a good thing to stick on an existing port that
you're not using. Like 80 on a mail server...
Care to share more??? :)
>
> --
> Jonathan Rickman
> X Corps Security
> http://www.xcorps.net
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
>
--
Until later: Geoffrey esoteric at 3times25.net
The latest, most widespread virus? Microsoft end user agreement.
Think about it...
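
The inetd-invoked fake listener described in the quoted message, as an added example that is not code from this thread or its authors: inetd (optionally through tcpd) accepts the connection and passes it on fd 0, and the script writes whatever the client sends to a text log in readable form. The log path, the inetd.conf entry, the size cap and the timeout are assumptions.

```python
#!/usr/bin/env python3
# Fake listener started by inetd, which hands us the accepted socket as fd 0.
# Assumed inetd.conf entry (paths are placeholders), with tcpd in front:
#   ftp stream tcp nowait nobody /usr/sbin/tcpd /usr/local/sbin/fake-listener
import socket
import time

LOG_PATH = "/var/log/fake-listener.log"  # assumed; must be writable by the inetd user
MAX_BYTES = 4096    # cap per connection so a client cannot fill the disk
TIMEOUT_SECS = 30   # do not let an idle client pin the process


def printable(data):
    """Keep printable ASCII, escape the rest (and backslash) as \\xNN."""
    return "".join(chr(b) if 32 <= b < 127 and b != 0x5C else f"\\x{b:02x}"
                   for b in data)


def peer_of(conn):
    """host:port of the remote end, or 'unknown' if fd 0 is not an inet socket."""
    try:
        addr = conn.getpeername()
    except OSError:
        return "unknown"
    return f"{addr[0]}:{addr[1]}" if isinstance(addr, tuple) else "unknown"


def log_session(conn, log, peer):
    """Read at most MAX_BYTES from conn, append one log line per input line."""
    conn.settimeout(TIMEOUT_SECS)
    data = b""
    try:
        while len(data) < MAX_BYTES:
            chunk = conn.recv(MAX_BYTES - len(data))
            if not chunk:
                break
            data += chunk
    except OSError:
        pass  # timeout or reset: keep whatever was captured
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z")
    rendered = [printable(line) for line in data.splitlines()] or ["(no input)"]
    for text in rendered:
        log.write(f"{stamp} {peer} {text}\n")
    return rendered


if __name__ == "__main__":
    with socket.fromfd(0, socket.AF_INET, socket.SOCK_STREAM) as conn, \
            open(LOG_PATH, "a", encoding="ascii") as log:
        log_session(conn, log, peer_of(conn))
```

Escaping non-printable bytes and the backslash itself keeps each log entry on one line, so client input cannot forge or split log records.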