Ticket #3 (closed defect: invalid)

Opened 11 years ago

Last modified 11 years ago

Walleye - no traffic alerts, just one sawtooth in orange

Reported by: alfnel Owned by: [email protected]
Priority: critical Milestone:
Component: Honeywall Version: 1.3b1
Keywords: Cc:

Description

Hello to all,

We are working on our graduation project at the university, which is about implementing honeynets for secure networks.

We have a problem with alerts in the Honeywall (we don't see any alerts or anomalous traffic). I reviewed all the information about this issue in the Honeywall mailing list, and all the advice is to migrate to the new version. But I have already done that (I'm working with the latest release, 1.3) and nothing happened.

We have a honeynet with the following information:

1. Red Hat 9.
2. The honeynet is in VMware, installed on the RH9.
3. One virtual machine with Windows XP (192.168.0.5) (Internet server, with the Nessus and xscan scanners installed for pen testing).
4. One virtual machine with RH9 for mail (192.168.0.6).
5. One virtual machine with the honeynet with Sebek (version roo.1.3) (192.168.0.3).

Connected to the hub, we have:

1. PC with IPTables (192.168.0.1)
2. PC with Ubuntu for some tests (script for DoS - DNS) (192.168.0.x)
3. PC scanner with Nessus and xscan (192.168.0.y)

We're running the default Snort rules.


The scenario:

1. On the Ubuntu PC we're running the DoS DNS script, with target 192.168.1.3.
2. On the scanner PC, running both scanners: Nessus and xscan.
3. On the XP PC (in the honeynet), running both scanners: Nessus and xscan.
4. On the scanner PC (Windows), around 5 or 7 extended pings to 192.168.1.3 (-t -l 65500).

But when we open Walleye, there is no traffic in red and no alerts, just traffic in orange (after running 10 minutes, only one sawtooth in orange appears...)!

We reviewed the configuration several times, and even reinstalled, but nothing happens.

Please, can you help us? This is very important for us because it is a final project.

Thanks in advance

Nelson Rodriguez


Attachments

Schematic.jpg (39.6 KB) - added by alfnel 11 years ago. This is the schematic used.
honeywall1.png (8.6 KB) - added by alfnel 11 years ago.
honeywall-ts.txt (0.7 KB) - added by alfnel 11 years ago.
honeywall2.png (8.2 KB) - added by alfnel 11 years ago.
honeywall3.png (11.6 KB) - added by alfnel 11 years ago.

Change History

Changed 11 years ago by rmcmillen

Is alerts the only thing you are not seeing? Have you modified the snort rules in any way?

Is traffic crossing the bridge?

Rob

Changed 11 years ago by alfnel

No rules modified, and in reference to the traffic, I guess.... we have a little sawtooth of traffic in orange, but nothing strange or in red. Thanks in advance for your help. Best regards, Nelson Rodriguez.

Changed 11 years ago by rmcmillen

Ok... it is important to know because I've had issues in the past sniffing on an interface that was a guest on a linux vmware server. The bridge works by basically sniffing each interface. So if the proper privileges are not set on the device so that vmware can read, it is not going to be able to bridge traffic across. Can you show me the permissions on your /dev/vmnet* devices? Or can you ping outbound from one of your honeypots or ping inbound from a system outside of your honeynet?
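
One way to do the /dev/vmnet* permission check Rob asks for, written here as an added example for this ticket (it is not code from the Honeywall project). It assumes POSIX sh, that the account running the VMware guests is passed as the first argument, and that the Honeywall bridge interface is br0:

```sh
#!/bin/sh
# Added example, not part of the ticket. Assumptions: POSIX sh; the account that
# runs the VMware guests is $1; the Honeywall bridge is br0 (only used in the hint).

# dev_readable MODE OWNER GROUP USER "GROUPS"
# Decide from an ls-style mode string (e.g. crw-rw----) whether USER, a member of
# the space-separated GROUPS, can read the device. Returns 0 if readable, else 1.
dev_readable() {
    mode=$1; owner=$2; group=$3; user=$4; groups=$5
    case "$mode" in ???????r*) return 0 ;; esac          # world-readable
    if [ "$owner" = "$user" ]; then
        case "$mode" in ?r*) return 0 ;; esac            # owner read bit
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            case "$mode" in ????r*) return 0 ;; esac     # group read bit
        fi
    done
    return 1
}

# check_vmnet_devices USER: report every /dev/vmnet* that VMware, running as USER,
# cannot sniff and therefore cannot bridge. Returns 1 if any device is unreadable,
# 2 if USER does not exist on this host.
check_vmnet_devices() {
    user=$1
    groups=$(id -Gn "$user" 2>/dev/null) || return 2
    rc=0
    for dev in /dev/vmnet*; do
        [ -e "$dev" ] || continue
        set -- $(ls -ld "$dev")                 # $1=mode $3=owner $4=group
        if dev_readable "$1" "$3" "$4" "$user" "$groups"; then
            echo "ok           $dev $1 $3:$4"
        else
            echo "NOT READABLE $dev $1 $3:$4 by $user"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_vmnet.sh vmware
# If every device is readable, confirm traffic actually crosses the bridge while
# pinging a honeypot from outside the honeynet:  tcpdump -ni br0 icmp
if [ -n "$1" ]; then check_vmnet_devices "$1"; fi
```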

Changed 11 years ago by alfnel

About the pings:

In the same honeynet network (192.168.0.X) we can ping outbound to the honeypots and we can ping inbound from outside of the honeynet. We have connected a Windows PC to the network (directly to the hub that is connected to the Linux VMware server).

Let me try with the permissions and I will send you the output.

Regards,

Changed 11 years ago by alfnel

This is the schematic used

Changed 11 years ago by alfnel

Vmnet0 and Vmnet2 are bridged and Vmnet1 is host-only.

In reference to /dev/vmnet*, 0 to 8 appear.

Regards,

Changed 11 years ago by alfnel

Here is the output.

Regards,

Changed 11 years ago by alfnel

Thanks Rob, here is the output.

rpm -qa | grep -i hflow

hflowd-1.043

rpm -qa | grep -i roo

rootfiles-8.1-1.1.1
roo-base-5-20.hw

As I said, in Walleye we have just a graph in orange but never in red at the time of the pen test. Regards and thanks in advance.

Changed 11 years ago by alfnel

Hello Rob, sorry for my insistence...

Really, I don't know what else to do to make the honeynet work fine.

Changed 11 years ago by rmcmillen

  • status changed from new to closed
  • resolution set to invalid

Cannot duplicate, so taking it out till we have other reports.
