From: Tracy R Reed <treed@ultraviolet.org>
To: Bill Laut <wlsel@verizon.net>
Cc: SELinux@tycho.nsa.gov
Subject: Re: SELinux, KDE, and honeypots
Date: Wed, 9 Jul 2003 15:41:40 -0700 [thread overview]
Message-ID: <20030709154140.B28893@ultraviolet.org> (raw)
In-Reply-To: <200307082303.22083.wlsel@verizon.net>; from wlsel@verizon.net on Tue, Jul 08, 2003 at 11:03:22PM -0400
[-- Attachment #1: Type: text/plain, Size: 2141 bytes --]
On Tue, Jul 08, 2003 at 11:03:22PM -0400, Bill Laut spake thusly:
> needs to be modified is kdm. Is this a correct assumption, or should I
> expect it to be more involved than that?
rjc has already offered a good answer to this. kdm isn't easily patched,
use something else or startx.
> The idea I had was to create a pseudo-device driver that leverages NetFilter
> to output all traffic from all TCP streams to a user-mode daemon that writes
> the packets for each stream into their own separate disk files (and governing
I think this is a pretty slick idea. Although I doubt you have to make it
as fancy as a device driver. I would log everything to an external host
and let that external host also do the sniffing. It could save everything
for a certain amount of time before deleting it (I might go for a week
since this box shouldn't get much traffic and gentle probes can be made
over a long period of time before they pick your box as a target or
discover a vulnerability that will allow them to cause an access
violation) and if there was an access violation it could permanently save
all traffic up to that point and any future traffic of any ip that had
communicated with the box within a minute before and after the violation
occurred. Pretty much all of the vulnerabilities I am aware of cause
instantaneous results but if there are some that might cause a time delay
between the network traffic and the access violation the window can be
widened to an hour or a day or whatever. It just means we'll have more
data to go through but this box should not be receiving much traffic
anyhow.
Oh, and of course you would want to run the box in permissive mode for all
of this so that their exploit can actually work and you can learn
something.
> Does this idea sound reasonable? Has someone already done it using SELinux?
> If not, how would you improve it?
I am not aware of anyone having done it either. Kinda wish I had thought
of it actually. :) My suggestions for improvement are above. Sounds like a
very interesting project.
--
Tracy Reed
http://ultraviolet.org
[-- Attachment #2: Type: application/pgp-signature, Size: 240 bytes --]
next prev parent reply other threads:[~2003-07-09 22:41 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-07-09 3:03 SELinux, KDE, and honeypots Bill Laut
2003-07-09 8:20 ` Tom
2003-07-09 9:48 ` Russell Coker
2003-07-09 9:26 ` Russell Coker
2003-07-09 18:08 ` Bill Laut
2003-07-10 2:20 ` Russell Coker
2003-07-10 8:09 ` Bill Laut
2003-07-09 22:41 ` Tracy R Reed [this message]
2003-07-10 7:25 ` Bill Laut
-- strict thread matches above, loose matches on Subject: below --
2003-07-09 14:30 Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030709154140.B28893@ultraviolet.org \
--to=treed@ultraviolet.org \
--cc=SELinux@tycho.nsa.gov \
--cc=wlsel@verizon.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.