Jan Gerrit Göbel- Advanced Honeynet Based Intrusion Detection


Chapter 4. Nepenthes

The log-syslog module logs to either a local or a remote syslog server. A syslog server
is a central repository in which log messages from several devices and services are
accumulated and then distributed among the dedicated logfiles [Par03]. Log messages do
not have to originate from the system the server runs on; they can also be collected from
several machines across the network to form a large centralized logging database. Large
scale networks usually use a centralized host, the so-called syslog server, for
collecting all kinds of logfiles. Having all information collected at one central point
facilitates the analysis process once an incident has happened. The log-syslog module was
written to support this idea. The module registers itself to the same
EV_DIALOGUE_ASSIGN_AND_DONE event as the log-mail module. The generated messages include
the time of the incident, the IP address of the attacking host and the name of the
vulnerability module that was triggered. An example of a Nepenthes syslog alert is shown
in figure 4.3.

Nepenthes: Time: 8.7.2006 13:33:45 Socket TCP (accept)
192.168.xxx.xxx:53090 -> 192.168.xxx.xxx:445 AttackerIP: 192.168.xxx.xxx
Module: LSASSDialogue

Figure 4.3.: Nepenthes log-syslog example message

In order to use this mechanism, one needs to specify the Internet Protocol address of a
syslog host and the port to which the User Datagram Protocol (UDP) packets will be sent.
UDP is a connectionless transport protocol. Since no connection establishment is needed,
it is a fast and easy to use protocol. On the other hand, it offers no flow control,
error correction or retransmission of corrupt or lost packets. It is mainly used in time
sensitive applications, where a lost packet does not matter and does not have to be
retransmitted, such as real-time multimedia applications [Tan03]. As long as no critical
information is transmitted, UDP suffices. Because our intrusion sensors are hit more than
once by a single offending host, plenty of alerts are generated, so we can safely ignore
the case that a packet might get lost.

If no syslog server is specified, the default settings, localhost and port 514, apply.
In combination with the logfile analysis program Swatch (Section 3.4.2), which is based
on regular expressions, it is possible to execute a user defined script upon receiving a
Nepenthes syslog message [Par00]. Thus, a host detected by Nepenthes can be blocked or
redirected automatically when Swatch is used in combination with the packet filtering
tool IPTables.
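The alert layout of figure 4.3 and the Swatch-style reaction described above, as an added example that is not part of the thesis or of Nepenthes itself: a small parser for the Nepenthes syslog message, plus a summary that counts alerts per attacking host and per vulnerability module, of the kind a script triggered by Swatch would need before deciding to block a host. It assumes each alert arrives as a single syslog line; the sample lines, addresses and the second module name are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Field layout taken from figure 4.3; assumed to arrive as one syslog line.
ALERT_RE = re.compile(
    r"Nepenthes: Time: (?P<time>\d{1,2}\.\d{1,2}\.\d{4} \d{2}:\d{2}:\d{2}) "
    r"Socket (?P<proto>TCP|UDP) \((?P<state>[a-z]+)\) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"AttackerIP: (?P<attacker>[\d.]+) Module: (?P<module>\S+)"
)

def parse_nepenthes_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Nepenthes alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["time"], "%d.%m.%Y %H:%M:%S")
    for key in ("src_port", "dst_port"):
        fields[key] = int(fields[key])
    return fields

def summarize(lines):
    """Count alerts per attacking host and per triggered module, skipping unrelated lines."""
    by_attacker, by_module = Counter(), Counter()
    for line in lines:
        alert = parse_nepenthes_alert(line)
        if alert is None:
            continue
        by_attacker[alert["attacker"]] += 1
        by_module[alert["module"]] += 1
    return by_attacker, by_module

# Constructed sample syslog lines using RFC 5737 documentation addresses; not real captures.
# "PlaceholderDialogue" stands in for a second vulnerability module and is not a real name.
SAMPLE_LINES = [
    "Jul  8 13:33:45 honeypot nepenthes: Nepenthes: Time: 8.7.2006 13:33:45 Socket TCP (accept) 192.0.2.10:53090 -> 198.51.100.5:445 AttackerIP: 192.0.2.10 Module: LSASSDialogue",
    "Jul  8 13:33:47 honeypot nepenthes: Nepenthes: Time: 8.7.2006 13:33:47 Socket TCP (accept) 192.0.2.10:53102 -> 198.51.100.5:445 AttackerIP: 192.0.2.10 Module: LSASSDialogue",
    "Jul  8 13:34:01 honeypot nepenthes: Nepenthes: Time: 8.7.2006 13:34:01 Socket TCP (accept) 192.0.2.77:4411 -> 198.51.100.5:135 AttackerIP: 192.0.2.77 Module: PlaceholderDialogue",
    "Jul  8 13:34:02 honeypot sshd[123]: Accepted publickey for admin from 198.51.100.9",
]

if __name__ == "__main__":
    attackers, modules = summarize(SAMPLE_LINES)
    print(attackers.most_common(), modules.most_common())
```

Counting per attacker, rather than reacting to each alert, is what makes the UDP packet-loss argument above hold in practice: a host that is only seen once can still be missed, a host that is seen repeatedly cannot.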
