HoneyBOT and CIS

Hello.

I will put one physical machine on the LAN. It will be Windows XP/7 with HoneyBOT, Wireshark and XARP.

Do I have to protect the LAN honeypot (HoneyBOT) with a firewall and antivirus?

The purpose is to detect any malicious activity on the LAN subnet.

Thank you.

Hey, and a warm welcome to the Comodo forums! :)

I think it would be a good idea to have a firewall and an AV. If you are looking for an IS then take CIS; otherwise you can choose whatever AV you want together with CF (many like CF, but there are others as well). If you install, let's say, Avira or Avast together with CF, please add those exe files to the exclusions for shellcode injection detection, and this is how you do it: CIS —> Defense+ —> Defense+ Settings —> Execution Control Settings —> Detect shellcode injections (i.e. Buffer overflow protection) —> Exclusions —> Add —> Browse…

See the Security Tips, and here is the User Guide v1.0.

I hope this helps.

Enjoy your stay here at Comodo.

Regards,
Valentin N

Thanks Valentin N.

I already use CF with Defense+. It is the best solution for personal computer security. I enjoy using CF.

I have tested HoneyBOT with CF, and when I run an nmap probe against the HoneyBOT IP, there is of course no logged activity.

I was thinking that I should turn off the Firewall and leave Defense+ in Safe Mode. In my experiments, this is the only option to detect TCP probes and catch trivial malware.

HoneyBOT will be behind a router, so I think there is no way to get attacked except by pivoting from another computer which is on the LAN.

One more question. What is the main reason to add the anti-virus exe to the Defense+ exclusions for shellcode injections?

Thanks.
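The observation in the post above, that a honeypot behind a host firewall logs nothing because the probes never reach its sockets, can be shown with a small listener. The following is an added example and not HoneyBOT's code nor anything posted in this thread: a minimal honeypot-style TCP listener in Python (the names MiniHoneypot, ProbeLog, loopback_connect and run_demo are my own) that accepts connections on loopback ports and records the time, source address, destination port and the first bytes each peer sends. It logs only what the operating system actually delivers to the socket, so with a firewall dropping inbound connections in front of it the log simply stays empty.

```python
"""Minimal honeypot-style TCP listener (added example; not HoneyBOT's own code).

It does the simplest thing a low-interaction honeypot does: accept every
connection on a set of listening ports, record who connected (time, source
IP/port, destination port, first bytes received) and hand out nothing useful.
"""
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Probe:
    """One logged connection attempt."""
    ts: float
    src_ip: str
    src_port: int
    dst_port: int
    first_bytes: bytes


class ProbeLog:
    """Thread-safe in-memory record of connection attempts."""

    def __init__(self):
        self._lock = threading.Lock()
        self.probes = []

    def record(self, probe):
        with self._lock:
            self.probes.append(probe)

    def wait_for(self, count, timeout=2.0):
        """Block until at least `count` probes are logged (or time out)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.probes) >= count:
                    return True
            time.sleep(0.02)
        return False

    def per_port(self):
        """Number of logged attempts per destination port."""
        with self._lock:
            counts = {}
            for p in self.probes:
                counts[p.dst_port] = counts.get(p.dst_port, 0) + 1
            return counts


def _serve(listener, log, stop):
    """Accept loop for one listening socket; runs in its own thread."""
    listener.settimeout(0.2)              # wake up regularly to check `stop`
    dst_port = listener.getsockname()[1]
    while not stop.is_set():
        try:
            conn, (src_ip, src_port) = listener.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(0.5)          # do not let a silent peer hang the loop
            try:
                data = conn.recv(64)      # keep only the first bytes sent
            except socket.timeout:
                data = b""
        log.record(Probe(time.time(), src_ip, src_port, dst_port, data))


class MiniHoneypot:
    """Listens on the given ports (0 = ephemeral port chosen by the OS)."""

    def __init__(self, bind_ip="127.0.0.1", ports=(0,)):
        self.log = ProbeLog()
        self._stop = threading.Event()
        self._threads = []
        self.listeners = []
        for port in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((bind_ip, port))
            s.listen(8)
            self.listeners.append(s)

    def ports(self):
        return [s.getsockname()[1] for s in self.listeners]

    def start(self):
        for s in self.listeners:
            t = threading.Thread(target=_serve, args=(s, self.log, self._stop),
                                 daemon=True)
            t.start()
            self._threads.append(t)

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        for s in self.listeners:
            s.close()


def loopback_connect(port, payload=b""):
    """Constructed test traffic: one local connection with an optional payload."""
    with socket.create_connection(("127.0.0.1", port), timeout=1) as c:
        if payload:
            c.sendall(payload)


def run_demo():
    """Start two ephemeral listeners, send three local probes, return the log."""
    hp = MiniHoneypot(ports=(0, 0))
    hp.start()
    p1, p2 = hp.ports()
    loopback_connect(p1)                              # connect and close, no data
    loopback_connect(p2, b"GET / HTTP/1.0\r\n\r\n")   # banner-grab style request
    loopback_connect(p2)
    hp.log.wait_for(3)
    hp.stop()
    return hp.log.per_port(), list(hp.log.probes)


if __name__ == "__main__":
    counts, probes = run_demo()
    for p in probes:
        print(f"{time.strftime('%H:%M:%S', time.localtime(p.ts))} "
              f"{p.src_ip}:{p.src_port} -> :{p.dst_port} {p.first_bytes!r}")
    print("attempts per port:", counts)
```

Running the file directly prints one line per logged attempt and a per-port count. Binding the real thing to the LAN address instead of loopback is the same code with a different bind_ip; whether anything ever appears in the log is then decided entirely by what the host firewall lets through to those ports, which is exactly the trade-off the post above describes.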

I am happy to hear that CF is living up to your expectations ( :-TU for that), and I hope my previous post was too much bla bla bla. ;D

The easiest way to answer "What is the main reason to add the anti-virus exe to the Defense+ exclusions for shellcode injections?" is: to prevent conflicts with another application that may hook into the operating system in ways that conflict with CIS.

Regards,
Valentin N

Nope. The answer is in "App. is not working correctly, but does not seem to be s/boxed. What to do? [v5]" under point 4:

The application may hook into the operating system in ways that conflict with CIS.

@Hlupic: Can you describe the structure of your LAN? How many machines are on it? Is your honeypot behind a second router?

Also, can you tell me the function of the HoneyBOT application?

I have modified the post that you commented on, EricJH. Thanks.

Take care

Regards,
Valentin N