[unisog] DDoS IRC bots

Bill McCarty bmccarty at apu.edu
Thu Mar 6 22:11:15 GMT 2003

--On Thursday, March 06, 2003 7:57 AM -0800 Peter Van Epp <vanepp at sfu.ca>

> 	I would have thought that a machine running tcpdump with a snap length
> of 1510 (assuming Ethernet as input) to capture all packets in and out of
> the honeypot machine's ethernet interface (without an IP address on the
> interface doing the sniffing to prevent it being compromised!) would be
> the first element  of your honeypot simply for liability reasons. 

Yes, as you suggest, the honeynet has redundant monitoring and logging of
all traffic, plus multiple firewalls that can control inbound and outbound
traffic. But, I'm not (yet) a Windows expert and so I haven't been able to
thoroughly analyze the CIFS traffic on TCP 445. Aspects of the CIFS
protocol are apparently proprietary to Microsoft, though some partial and
possibly out of date descriptions seem to be publicly available.
Consequently, I can determine the presence of TCP 445 traffic; but
accurately and completely determining its contents and effect is another
matter. So far <grin>.

If anyone knows of an open source CIFS analyzer, I'd very much like to hear
of it. Otherwise, I'm stuck having to cobble one together in my limited
spare time.

BTW, a known defect in Snort 1.9.0 can lead to remote compromise of even a
system configured for passive sniffing. This vulnerability was the subject
of DHS/NIPC Advisory 03-00. I speculate that tcpdump may contain
undisclosed  or unknown vulnerabilities that are similarly exploitable. So,
reliably monitoring a honeynet is not at all straightforward.


Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management 
Azusa Pacific University

More information about the unisog mailing list