Greetz.
Dave
It's a bad idea if you have two trying to access the same ip/port. Running it on the same computer is not a bad thing.
Actually, I do run both on the same machine, because I use dionaea mainly
for its SMB implementation. I still run a combination of nepenthes and
amun to cover for the rest of the service simulation. Why is this a bad
idea?
Greetz.
Dave
On 9/10/10 2:12 PM, AndrewWaite wrote:
> Personally I wouldn't run both at once, but primarily beca...
Leon
Dave
On Thu, Sep 16, 2010 at 5:41 PM, mlwrcollect <mlwrc...@gmail.com> wrote:
> Ah, right. I thought I was doing something really badly wrong here :) I
> see your point and actually would love doing the same, using all cool
> features from Dionaea. And we probably will in the near future, however,
> currently we heavily rely on SurfIDS as framework and NFQUEUE is not
> enabled there. As far as I know, but please correct me when I'm wrong,
> Dionaea only offers SMB when not using the queuing features (freeze the
> syn and open a port)? This has been the main reason for me to combine
> honeypots so to have a wide spread of simulated vulnerabilities...
dionaea serves
smb - tcp/445
dcerpc - tcp/135
mssql - tcp/1433
http - tcp/80 - more or less useless
https - tcp/443 - as useless as http
ftp - tcp/21 - not as useless as http, you can even upload/download files
tftp - udp/69 - actually not useless, but does not get attacks
sip - udp/5060 - does not play nice with sipvicious yet
If you got numbers which other services you see getting hit, getting
served by amun/nepenthes, please let me know.
And last but not least, there is
any - tcp/* via nfq and mirroring back the attack to the attacker,
running this code is an ethical mess, but sometimes helps in
identifying potential services for the honeypot (we got mssql that
way).
MfG
Markus
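The ip/port point raised earlier in the thread can be checked before starting a second honeypot next to dionaea. This is an added example, not code from the thread or from dionaea: the port list is the one in Markus's message, and the function names `probe` and `conflicts` are hypothetical.

```python
import errno
import socket

# Services and ports as listed in Markus's message above.
DIONAEA_SERVICES = [
    ("smb", "tcp", 445), ("dcerpc", "tcp", 135), ("mssql", "tcp", 1433),
    ("http", "tcp", 80), ("https", "tcp", 443), ("ftp", "tcp", 21),
    ("tftp", "udp", 69), ("sip", "udp", 5060),
]

def probe(ip, proto, port):
    """Try to bind ip/proto/port; return 'free', 'in-use' or 'no-permission'."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            # No SO_REUSEADDR on purpose: an existing listener must make this fail.
            s.bind((ip, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "in-use"
            if e.errno in (errno.EACCES, errno.EPERM):
                # Ports below 1024 need privileges; the result is inconclusive.
                return "no-permission"
            raise
    return "free"

def conflicts(ip, services=DIONAEA_SERVICES):
    """Return the services whose ip/port is already taken by another process."""
    return [svc for svc in services if probe(ip, svc[1], svc[2]) == "in-use"]

if __name__ == "__main__":
    # 0.0.0.0 is an assumed bind address; use the honeypot's own IP instead.
    for name, proto, port in DIONAEA_SERVICES:
        print(f"{name:7s} {proto}/{port:<5d} {probe('0.0.0.0', proto, port)}")
```

Run it as the user the honeypot will run as; every line reported as `in-use` is a service another honeypot on that address already answers.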
On 9/16/10 9:22 PM, Markus wrote:
> sip - udp/5060 - does not play nice with sipvicious yet
>
>
Nice! Been playing with artemisa lately, which is nice too, but having
it at some level with Dionaea sounds great!
Greetz,
Dave
artemisa is something different, it is a voip client, which you
connect to your (asterisk) sip service and wait for incoming calls,
the sip dionaea provides is meant to detect sip scanning (and more),
which is addressed on sip services like asterisk.
Artemisa uses PJSIP, which is not an option for dionaea due to the
lack of control over sockets and the lack of control for the threads
used in the library.
Given the complexity in sip, it is really unlikely dionaea will get a
sip client stack.
Therefore, if you are looking for spit, Artemisa is your choice.
MfG
Markus