
Thread: suggestions for this honeypot

  1. #11
    Junior Member
    Join Date
    Feb 2004
    Posts
    15
    Originally posted here by SirDice
    What's preventing the (infected/0wn3d) virtual machine from crossing over to your host system?
    Well, the host machine is firewalled with the same security internally and externally. Turned off "trusted network" options and Microsoft networking is totally disabled, otherwise I wouldn't be able to forward those ports. Well, they're disabled anyway so KFSensor can emulate them.

    I haven't got Virtual PC Additions installed.

    The host PC isn't running a proxy so there's no way of getting out to the internet.

    Have I missed anything?

    Actually, what I have atm isn't completely useless, since the exploit part of attacks will work but the other bits won't. So I seem to have an "exploit detector" atm. It would be if I had a way of detecting them.

    I would want to know how everything works....
    That's why I'm asking. I like the Virtual PC feature of being able to not save disk changes. I'd only run VPC for the time when I'm sitting in front of it.
    Actually, when I'm doing this I tend to have KFSensor turned off. If I did have it on I'd disable the ports I want to forward anyway.

  2. #12
    Senior Member
    Join Date
    Feb 2004
    Posts
    620
    You could use a bootable Linux distro such as Knoppix-STD. That specific one comes with a lot of security tools including stuff to do with honeypots (I've never really fooled with that stuff though). The great thing about it is there is no access to the hard drive, and if something goes wrong you can just reboot and everything's fine.

    Just my two cents

    mjk

  3. #13
    Junior Member
    Join Date
    Feb 2004
    Posts
    15
    That's true. I've got a Honeywall bootable CD I could try now that I think about it.
    I'm having trouble with NAT atm so until that works...
    FFXI: Remora RDM41 BLM41 WHM40
    WOW: Azjul Nerob Rogue 41
    http://www.browolf.f2s.com/wordpress/

  4. #14
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Have a read through this: Malware Analysis for Administrators
    Oliver's Law:
    Experience is something you don't get until just after you need it.
