First of all, this is my first post to this list. I'm pretty excited and
looking forward to (hopefully) being able to contribute. Second, I have
to give a HUGE thanks to Doug Burks for his development of Security
Onion. As a current Cyber Security student with the University of
Maryland, I cannot tell you what an incredible learning tool this OS has
been.
As for running a honeypot with Security Onion - I am using Security
Onion installed on one dedicated machine and Nepenthes installed on a
separate dedicated machine (not VMs) to monitor a SOHO LAN. The Security
Onion machine is connected to a TAP which sits in between the default
gateway and a hardware firewall - in the DMZ. The Nepenthes machine is
connected to the access switch inside the private LAN. The idea is that
any malware which makes its way into the network would likely be picked
up by Snort and reported to Sguil; then captured by the Nepenthes
honeypot if/when the malware attempts to spread. I believe this
arrangement will give me a good heads-up about what is happening inside
the network - but it won't tell me anything about attacks against my
public IP. For that, perhaps the list might be able to recommend a
method for setting up a Security Onion sensor as a proxy server for the
network? With the Nepenthes (or another) honeypot service running?
I'm still learning - so I apologize if this isn't much help. But because
I am still learning I wanted to throw in my two cents on this and see
what others recommend.
-Joe.