[ale] SNARE?

Jonathan Rickman jonathan at xcorps.net
Tue Dec 31 15:48:05 EST 2002


On Tue, 31 Dec 2002, Robert L. Harris wrote:

>
>
> Anyone using this:
>
> http://www.intersectalliance.com/projects/Snare/
>
> I've got it running and it's pretty sweet but monitoring the network
> connections is a bit obscure.  As an example I'm looking to find any
> details on anyone connecting to my machine via ftp or ssh as a test.

I do something similar with a fake listener, snort, and tcpwrappers. It's
definitely an eye opener sometimes. It's quite simple really. The inetd
process calls the fake listener, which allows the connection to take
place, snort logs it, then the fake listener takes any inputs it receives
and logs them to a text file. Not only do I get to see the connection, but
I can capture their inputs in an easily readable format rather than
sorting through a hex dump. The fake listener is not really an interactive
program, so it's only good at catching the automated stuff. The Deception
Toolkit has some pretty good interactive listeners that can be pretty
convincing. You could easily use them instead.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net

_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
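
A non-interactive fake listener of the kind the reply describes, as an added example (not the poster's program and not part of the original message): inetd starts it per connection, and it writes each line the client sends to a text log in readable form, escaping control bytes so a client cannot forge log lines. The log path, script path, inetd.conf line and limits are assumptions.

```python
#!/usr/bin/env python3
# Assumed inetd.conf entry, wrapped by tcpd so tcpwrappers also logs the connection:
#   ftp stream tcp nowait nobody /usr/sbin/tcpd /usr/local/sbin/fakelistener.py
import signal
import socket
import sys
import time

LOG_PATH = "/var/log/fakelistener.log"  # assumed location, writable by the inetd user
MAX_BYTES = 64 * 1024    # stop reading here so one client cannot fill the disk
SESSION_TIMEOUT = 30     # seconds before an idle connection is dropped

def peer_of(fd=0):
    """Return 'ip:port' of the client; inetd passes the accepted socket as fd 0."""
    try:
        with socket.fromfd(fd, socket.AF_INET, socket.SOCK_STREAM) as s:
            host, port = s.getpeername()[:2]
            return f"{host}:{port}"
    except (OSError, ValueError):
        return "unknown"  # fd 0 is not a connected socket (e.g. run from a terminal)

def printable(raw):
    """Render client bytes as text; control, non-ASCII and backslash become \\xNN."""
    return "".join(chr(b) if 32 <= b < 127 and b != 0x5C else f"\\x{b:02x}"
                   for b in raw)

def log_session(stream, log, peer, now=time.time):
    """Append one record per input line to `log`; return the number of bytes read."""
    def stamp():
        return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now()))
    log.write(f"{stamp()} {peer} CONNECT\n")
    seen = 0
    while seen < MAX_BYTES:
        line = stream.readline(MAX_BYTES - seen)
        if not line:          # client closed the connection
            break
        seen += len(line)
        text = printable(line.rstrip(b"\r\n"))
        log.write(f"{stamp()} {peer} INPUT {text}\n")
    log.write(f"{stamp()} {peer} CLOSE bytes={seen}\n")
    return seen

def main():
    signal.alarm(SESSION_TIMEOUT)  # default SIGALRM action ends the process
    with open(LOG_PATH, "a", encoding="ascii") as log:
        log_session(sys.stdin.buffer, log, peer_of(0))

if __name__ == "__main__":
    main()
```

It sends no banner and never answers, so, as the reply notes for this kind of listener, it only records clients that talk first or automated tools that do not wait for a response.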