Hi,
I have been involved in a student project about Virtual Honeynets.
One of the main aims of it is to design and implement a laptop-based detection system based on a virtual honeynet (Honeywall roo CDROM). Its main role is to analyze LAN traffic and alert accordingly.
I have tried to investigate whether Virtual Honeynets/honeypots using Sebek could be implemented in a modern network environment.
Perhaps the Honeynet framework is not suitable for new threats?!
One of the problems I have come across is out-of-date Snort rules. roo-1.4 is based on Snort 2.6, but rules are not available for this version. 2.8.6.1 is the lowest version available (Jan 2011).
I am stuck now with unsuccessful attempts to update rules on a system that has Snort ver. 2
What I have done so far:
- Hwall was successfully updated using CentOS 5.5 repos,
- compiled and installed Snort 2.8.6,
- installed the new set of rules 2.8.6.1 using oinkmaster.
After the last step, when I issue the command
Code:
snort -T -c /etc/snort/snort.conf
I get
Code:
Segmentation fault
However, when Snort is started, it works and logs packets with no errors.
After updating Honeywall and restarting, I get hflow error/s
Code:
starting hflow: premature failure
In /var/log/hflow/hflow.d I get:
Code:
cannot read file header from snort .. aborting
also it complains about not reading
I tried to restart/start/stop hflow several times and the error appears every time.
Command:
Code:
service hflow start/stop/restart
On the honeywall forum
http://www.mail-archive.com/honeywal.../msg01032.html
jeffrey and mutziman were discussing patching Snort 2.8.4 to work with hflow2.
Unfortunately, the lowest version of the Snort rules update is 2.8.6.0.
Perhaps somebody may help me by pointing me in the right direction.
I realize that the Honeynet project has not been developed for a while.
Configuration:
- host: Toshiba laptop, 3 GB RAM, BackTrack 4 RC2, nemesis kernel 2.6.34
- vmware: Workstation 7.1
- honeynet:
  - VM1: roo-1.4, honeywall, 1 GB RAM, default config
  - yum repositories taken from a standard CentOS 5.5 installation
  - Snort 2.8.6: compiled from source
  - Snort rules updated via oinkmaster
  - tcpdump 3.9.4
  - libpcap 0.9.4
Thanks
Konrad