shirkdog / Presentations

Repo for the talks I have given.
BSD 2-Clause "Simplified" License
2 stars 0 forks

Iocage scripts #1

Open ghost opened 3 years ago

ghost commented 3 years ago

Hello,

I found your recent BSDCan presentation very interesting, since I have wanted to accomplish the same thing in BSD for a long time. I have been using an older version of T-Pot:

https://github.com/telekom-security/tpotce

It needs a lot of space, needs a lot of RAM, components tend to crash, and there is no proper alerting function in it. I'm sure you are familiar with this project; it uses an Ubuntu host and Docker containers for the honeypots and restarts them on a daily basis.

Although you had some examples in your presentation, it's far from complete. I wonder if you are planning to publish some shell scripts which build and configure the jails with different honeypots, or at least a step-by-step guide for how to do them manually.

Thanks.

ghost commented 3 years ago

I just finished with your tutorial and I have to say I'm not impressed. You basically gutted everything out of HoneyPy except a basic echo server for SSH; what's the point of even having this then? As you said in the talk, it's better than just opening a million useless services in inetd.

My second issue with it is a bunch of broadcast flows that come in on Zeek which I don't care about, but since the interface is in promiscuous mode, blocking them on the firewall does nothing. Yeah, another area where the BSDs are just light-years behind Linux.

shirkdog commented 3 years ago

Thanks for reading, but this was not meant to be a tutorial; it was just a PoC I set up for a customer to start correlating threat data with potential attacks at the perimeter. I try to document everything I do in my talks as if it is a tutorial, so you can recreate the steps I took. The primary thing is that a FreeBSD jail makes this easy to do, but nowhere do I say this is "the solution". I highlight finding honeytrap when developing the talk, which offers nicer features, and leave this as an open issue to really fully flesh out. What you posted about tpotce is also very interesting.

The BSDCan talk was just to bring some life to the use of BSD operating systems as a honeypot. If Zeek is logging too many broadcast flows, you can filter them out within Zeek (even on Linux; this should not be a BSD problem). I will take a look at tpotce and keep the issue open to address a very similar capability on BSD, maybe to flesh out a more concrete tutorial or script as you are looking for.
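One way to do the Zeek-side filtering mentioned above is a restriction filter in the packet-filter framework, which is applied as a BPF expression at capture time. Because the sensor interface is promiscuous, a host firewall rule never sees the frames Zeek captures, so the filter has to live in Zeek itself. The following `local.zeek` fragment is an added example and is not code from this repo or from the BSDCan talk; the table keys (`no-ether-broadcast` and so on) are arbitrary tags, and the filter strings are standard pcap-filter syntax.

```zeek
# Added example, not part of the shirkdog/Presentations repo.
# Drops link-layer broadcast, IPv4 limited-broadcast and IPv6 multicast
# traffic before it reaches Zeek's analyzers, so it never shows up in
# conn.log. restrict_filters entries are AND-ed into the capture filter.
@load base/frameworks/packet-filter

redef restrict_filters += {
    # Ethernet frames addressed to ff:ff:ff:ff:ff:ff (ARP who-has, etc.)
    ["no-ether-broadcast"]      = "not ether broadcast",
    # IPv4 limited broadcast (DHCP discover, NetBIOS name service, ...)
    ["no-ip-limited-broadcast"] = "not dst host 255.255.255.255",
    # IPv6 multicast (NDP, mDNS, router advertisements)
    ["no-ip6-multicast"]        = "not ip6 multicast",
};
```

After restarting the sensor, the effective capture filter that Zeek installed is recorded in `packet_filter.log`, which is the place to check that the expression compiled and that the three clauses were combined with the default filter. Directed (subnet) broadcasts, for example `192.0.2.255` on a /24, are not matched by `dst host 255.255.255.255`; add a `not dst net`/`not dst host` clause for the sensor's own subnet broadcast address if those are also noise on the segment.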