
SANS ISC: Tech Tuesday Recap / Recordings: Part 2 (Installing the Honeypot) release. SANS ISC InfoSec Forums


As mentioned during our "Tech Tuesday" session, the session itself was not recorded. Instead, I will be releasing three "stand alone" videos covering the major parts of the workshop.

The videos will be broken up into three parts:

- Introduction. What is DShield and the Internet Storm Center (to be released later today).

- Installing the honeypot. See below for this video.

- Using the DShield / Internet Storm Center Data (to be released tomorrow)

All videos will be available on our YouTube channel.

The instructions from the hands-on exercises are available at https://isc.sans.edu/techtuesday .

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

I will be teaching next: Defending Web Applications Security Essentials - SANS Cloud Security Europe 2020

Johannes

3881 Posts
ISC Handler
Jun 25th 2020
Hi Johannes,
So I have the honeypot all set up and running from my LAN interface. I do have a Ubiquiti USG, so I set up the LAN2 port on it and the honeypot is pulling an IP from the DHCP pool I configured. However, the status script is showing that it isn't being exposed to the Internet, and I can't ssh into it anymore. I created the firewall rule for all of this, but obviously I did something wrong. Since you specifically mention using a USG in the video, I assume that you have it working? If so, would you please share the firewall rules that you used so I can determine where I went wrong?

Sincerely,
Jon
Jon.Irish

4 Posts
I don't have a USG in front of me right now. But if I remember right, you configure two networks (e.g. 192.168.1.0/24 for LAN1 and 192.168.2.0/24 for LAN2). Next, you forward inbound traffic to the honeypot's IP via the Unifi admin interface's firewall setup. I found that interface to be a bit buggy at times. Best to log in to the USG via ssh and verify the firewall rules.

If you configured the honeypot in a different network, you need to run the install script again to adjust the honeypot firewall rules for the new network configuration.
Johannes

3881 Posts
ISC Handler
Thank you for putting on this presentation. I had tried unsuccessfully to set up the honeypot a few times in the past but because of your class I was able to get it working. I'm proud to now be able to contribute to your valuable cause.
mcox00941

1 Posts
