[Dshield] Windows Box Need To Filter Outgoing Port 445

David Taylor ltr at isc.upenn.edu
Thu Aug 11 11:15:49 GMT 2005


I run several honeypots on VMware.  Not sure if you have the budget for it
but VMware Workstation is about $200.  You install the honeypot on a VMware
virtual machine and then you can set up a transparent Linux bridge firewall
on another virtual machine and force all traffic to go through that.  At
that point you can control traffic from the host, do rate limiting, etc. with
IPTABLES and/or snort_inline.

And after you have your compromised machine and have analyzed it you can
revert to a nice clean un-compromised copy with a single click of a button.


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
LTR at ISC.UPENN.EDU               (215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities 
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Nemo Omen
Sent: Thursday, August 11, 2005 2:17 AM
To: list at lists.dshield.org
Subject: [Dshield] Windows Box Need To Filter Outgoing Port 445


It's been a good day for learning new things. I've set up a very small XP 
honeypot and had it compromised after 30 minutes. I've taken it down at the 
moment, but I'd like to put it back online with outgoing port 445 filtered, 
as the honeypot is now scanning on port 445. I am using a dialup connection.

What is the best Win XP program to filter only outgoing port 445?

Cheers.   Nem
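
The bridge-firewall containment described in the reply, as an added example that is not part of either original message: a shell function that emits an iptables-restore ruleset which lets traffic reach the honeypot, drops and logs its outbound TCP 445, and rate-limits its other new outbound connections. The honeypot address, the bridge port name, the 15-per-hour budget and the log prefixes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumes the firewall VM
# bridges the honeypot segment and that bridged frames are passed to
# iptables (net.bridge.bridge-nf-call-iptables=1).
# Apply with:  honeypot_egress_rules 192.0.2.10 eth1 | iptables-restore

honeypot_egress_rules() {
    hp_ip=$1               # honeypot address (192.0.2.10 is a constructed sample)
    inside_if=$2           # bridge port facing the honeypot (assumed name: eth1)
    new_per_hour=${3:-15}  # outbound new-connection budget (assumed value)

    # Reject anything that is not a dotted quad, a plain interface name or a
    # positive integer, so a typo cannot yield rules that match every host.
    printf '%s\n' "$hp_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2
    printf '%s\n' "$inside_if" | grep -Eq '^[A-Za-z0-9_.-]+$' || return 2
    printf '%s\n' "$new_per_hour" | grep -Eq '^[1-9][0-9]*$' || return 2

    # Match only packets sourced by the honeypot and entering on its bridge port.
    out="-s $hp_ip -m physdev --physdev-in $inside_if"

    # Rule order matters: replies first, then the port 445 block, then the
    # rate-limited allowance; whatever is left falls to the DROP policy.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d $hp_ip -m state --state NEW -j ACCEPT
-A FORWARD $out -p tcp --dport 445 -m limit --limit 6/min -j LOG --log-prefix "HP-445-OUT: "
-A FORWARD $out -p tcp --dport 445 -j DROP
-A FORWARD $out -m state --state NEW -m limit --limit $new_per_hour/hour --limit-burst $new_per_hour -j ACCEPT
-A FORWARD $out -m limit --limit 6/min -j LOG --log-prefix "HP-OVER-LIMIT: "
COMMIT
EOF
}
```

The LOG rules are themselves rate-limited so that a scanning honeypot cannot flood the firewall's logs.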






