Tuesday, August 12, 2008

My honeypot part of a Fast-Flux net?

OK, so with a little data-analysis help from users at the Remote Exploit forums, it seems these Snort alerts can mean either of two things:

1. One of the SQL Slammer attempts has been successful and the honeypot has been included in a fast-flux network to help spread malware, hence the Snort alerts regarding DNS spoofing. (If you are unfamiliar with fast-flux, check out the article on Wikipedia and the references used there; that should provide you with more than enough information.)

2. There is something wrong with my Honeywall setup that causes Snort to generate all the SQL alerts; see here for a thread on the Snort IDS forum regarding this matter.

Also, the DNS "no authority" messages can have a natural explanation, as you can see from this excerpt from the Snort-users mailing list.

Either way, I'm considering moving on from a virtual to a physical honeynet. The time stamping in Honeywall has a lot of issues, which is giving me somewhat of a headache when it comes to analyzing the what/when/where of the IDS alerts.
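The quickest way to tell the two hypotheses apart is direction: inbound Slammer probes and inbound DNS answers with no authority section are what any host with a public address sees, whereas a honeypot that has actually been infected or pulled into a fast-flux net will itself be the *source* of worm propagation packets or of DNS answers served from port 53. The script below is an added example, not code from the blog or from the Honeywall project. It parses Snort "fast" format alert lines, sorts them by timestamp, classifies each by direction relative to the honeypot's address and reports which hypothesis the data supports. The sample alert lines, the honeypot address `192.0.2.10` and the `parse_alerts`, `direction`, `summarize` and `assess` functions are all constructed for this example; the rule messages merely imitate the stock Snort rules for the MS-SQL worm and for DNS responses with no authority.

```python
"""Classify Snort fast-format alerts by direction relative to a honeypot.

Added example with constructed sample data. The rule messages imitate the
stock Snort rules for SQL Slammer (MS-SQL worm) and for DNS responses with
no authority section; the IPs come from the documentation ranges.
"""
import re
from collections import Counter
from datetime import datetime

# Matches the alert format written by `snort -A fast` for TCP/UDP alerts.
# Written for this example; ICMP lines (no ports) are deliberately skipped.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: two inbound events and one outbound worm packet,
# deliberately out of order to show the timestamp sort.
SAMPLE_ALERTS = """\
08/12-03:15:01.000442  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 203.0.113.99:1434
08/12-03:14:07.125001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.45:1074 -> 192.0.2.10:1434
08/12-03:14:09.410220  [**] [1:254:4] DNS SPOOF query response with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.7:53 -> 192.0.2.10:33010
"""

HONEYPOT_IP = "192.0.2.10"  # constructed address of the honeypot


def parse_alerts(text):
    """Parse fast-format lines into dicts, sorted by timestamp.

    Snort omits the year in this format, so ordering is only meaningful
    within one calendar year; datetime.strptime fills in year 1900.
    """
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # unparseable or ICMP line: skip rather than guess
        a = m.groupdict()
        a["when"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
        alerts.append(a)
    alerts.sort(key=lambda a: a["when"])
    return alerts


def direction(alert, honeypot_ip):
    """'outbound' if the honeypot sent the packet, 'inbound' if it was the target."""
    if alert["src"] == honeypot_ip:
        return "outbound"
    if alert["dst"] == honeypot_ip:
        return "inbound"
    return "transit"


def summarize(alerts, honeypot_ip):
    """Count alerts per (rule message, direction) pair."""
    return Counter((a["msg"], direction(a, honeypot_ip)) for a in alerts)


def assess(alerts, honeypot_ip):
    """Decide which hypothesis the alert set supports.

    Only traffic originating from the honeypot (worm propagation, or DNS
    answers served from its port 53) indicates the box itself is infected
    or proxying for someone else; inbound-only alerts are consistent with
    ordinary background noise or a sensor misconfiguration.
    """
    outbound = [a for a in alerts if direction(a, honeypot_ip) == "outbound"]
    worm_out = sum("Worm" in a["msg"] for a in outbound)
    dns_out = sum(a["sport"] == "53" for a in outbound)
    verdict = "compromise-consistent" if (worm_out or dns_out) else "inbound-only"
    return {"outbound": len(outbound), "worm_out": worm_out,
            "dns_out": dns_out, "verdict": verdict}


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for (msg, d), n in sorted(summarize(parsed, HONEYPOT_IP).items()):
        print(f"{n:3d}  {d:8s}  {msg}")
    print(assess(parsed, HONEYPOT_IP))
```

On a Honeywall bridge the sensor sees both directions of every flow, so the source/destination fields are trustworthy for this split; the same is not true of a sensor sitting on a span port with asymmetric routing. Because the fast format carries no year, any correlation across a year boundary needs the full alert log or the pcap timestamps instead.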
