[ale] SNARE?

Geoffrey esoteric at 3times25.net
Wed Jan 1 14:51:42 EST 2003




Jonathan Rickman wrote:
> On Tue, 31 Dec 2002, Robert L. Harris wrote:
> 
> 
>>
>>Anyone using this:
>>
>>http://www.intersectalliance.com/projects/Snare/
>>
>>I've got it running and it's pretty sweet but monitoring the network
>>connections is a bit obscure.  As an example I'm looking to find any
>>details on anyone connecting to my machine via ftp or ssh as a test.
> 
> 
> I do something similar with a fake listener, snort, and tcpwrappers. It's
> definitely an eye opener sometimes. It's quite simple really. The inetd
> process calls the fake listener, which allows the connection to take
> place, snort logs it, then the fake listener takes any inputs it receives
> and logs them to a text file. Not only do I get to see the connection, but
> I can capture their inputs in an easily readable format rather than
> sorting through a hex dump. The fake listener is not really an interactive
> program, so it's only good at catching the automated stuff. The Deception
> Toolkit has some pretty good interactive listeners that can be pretty
> convincing. You could easily use them instead.

Seems like this would be a good thing to stick on an existing port that 
you're not using.  Like 80 on a mail server...

Care to share more??? :)

> 
> --
> Jonathan Rickman
> X Corps Security
> http://www.xcorps.net
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
> 
> 

-- 
Until later: Geoffrey		esoteric at 3times25.net

The latest, most widespread virus?  Microsoft end user agreement.
Think about it...
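
The inetd-driven fake listener described in the quoted message could look like the following. This is an added example, not Jonathan Rickman's program or anything posted in the thread; the log path, byte cap, timeout, IPv4 assumption and the inetd.conf entry in the docstring are all assumptions.

```python
#!/usr/bin/env python3
"""Fake listener run by inetd: logs what a client sends and never replies.
Assumed inetd.conf entry (service, user and path are placeholders):
  telnet stream tcp nowait nobody /usr/sbin/tcpd /usr/local/sbin/fakelistener
"""
import socket
import sys
import time

LOG_PATH = "/var/log/fakelistener.log"  # assumed; must be writable by the inetd user
MAX_BYTES = 4096                        # per-connection cap so a client cannot fill the disk
TIMEOUT = 30                            # seconds before an idle client is dropped

def printable(data: bytes) -> str:
    """Escape all but printable ASCII (and the backslash itself) so captured input
    cannot forge log lines or send terminal escapes to whoever reads the log."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x5C else "\\x%02x" % b
                   for b in data)

def record(log, peer: str, text: str) -> None:
    log.write("%s %s %s\n" % (time.strftime("%Y-%m-%dT%H:%M:%S%z"), peer, text))

def capture(stream, peer: str, log, limit: int = MAX_BYTES) -> int:
    """Log one record per input line, reading at most `limit` bytes; return bytes read."""
    total = 0
    record(log, peer, "CONNECT")
    while total < limit:
        line = stream.readline(limit - total)
        if not line:                     # client closed the connection
            break
        total += len(line)
        record(log, peer, "INPUT " + printable(line.rstrip(b"\r\n")))
    record(log, peer, "CLOSE bytes=%d" % total)
    return total

def main() -> None:
    try:                                 # inetd passes the accepted socket as fd 0
        sock = socket.fromfd(0, socket.AF_INET, socket.SOCK_STREAM)
        peer = "%s:%d" % sock.getpeername()[:2]
        sock.settimeout(TIMEOUT)
        stream = sock.makefile("rb")
    except OSError:                      # started by hand: stdin is not a socket
        peer, stream = "local", sys.stdin.buffer
    with open(LOG_PATH, "a", encoding="ascii") as log:
        try:
            capture(stream, peer, log)
        except OSError:                  # timeout or reset: keep what was logged
            pass

if __name__ == "__main__":
    main()
```

Because the listener never writes back to the client, it only records what automated tools send unprompted, which matches the limitation noted in the quoted message.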
