My methodology

Or, how I do whatever it is I'm doing...

From: John Sage <>
To: _ <>
Subject: Re: _ additions
User-Agent: Mutt/1.2.5i

Addendum to:

On Wed, Mar 20, 2002 at 08:17:44PM -0800, John Sage wrote:
> Hello world; John Sage here...

So what am I doing, now?

If there are honeynets, honeypots, and tarpits, you might say that
I've laid out a small swatch of flypaper.

I'm on a dialup into AT&T's * Seattle, WA pop,
with a dynamic IP in AT&T's 12.82.x.x class A.

Connectivity +- 20 hours daily.

I have a homebrew Linux 2.2.14-5.0 kernel-based IP masquerading
firewall, currently ipchains 1.3.9, with custom rulesets focusing on
protocols 1:icmp, 2:igmp, 6:tcp, 17:udp, 47:GRE-pptp, 50:SIPP-ESP,

I do see some of the less-common protocols from time-to-time; see, for

Within tcp and udp I have approximately 50 input chain rules focusing
on interesting ports/services; since the firewall itself only directly
accepts udp:123 for ntp, and udp:102x for the caching-only nameserver,
all other ports outside of the IP masquerading range are considered

Beyond watching specific ports, there are rules for port ranges, and
finally a blanket DENY on the input chain such that everything that
is not specifically ACCEPT'ed is stopped and logged to syslog.

icmp rules cover the entire range of type:code, and again, everything
is either specifically ACCEPT'ed, or DENY'ed and logged to syslog.

Messages to syslog are handled by Psionic's LogSentry; I'm also running
Psionic's PortSentry, but it hasn't gone off in several years.. :-)

Running in parallel with ipchains is snort, currently 1.8.2 build 86

snort is logging everything going in and out, in binary mode,
against custom rule sets that examine specific ports/services,
alerting on those of interest. Alerts are handled by syslog and

I run the binary mode packet logs against the more-standard snort
rules as time allows, usually on a daily basis if I can, to see what
has been going on in more detail.

And running in parallel with ipchains and snort is p0f for passive OS
identification; see:

p0f also logs via syslog/LogSentry.

So, for a given event, I get something like this:

Mar 22 00:34:20 greatwall snort: [1:0:0] TCP to 27374 SubSeven {TCP} ->
Mar 22 00:34:29 greatwall last message repeated 2 times

Mar 22 00:34:20 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 L=48 S=0x00 I=11764 F=0x4000 T=111 SYN (#64)
Mar 22 00:34:23 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 L=48 S=0x00 I=11816 F=0x4000 T=111 SYN (#64)
Mar 22 00:34:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 L=48 S=0x00 I=11937 F=0x4000 T=111 SYN (#64)

Fri Mar 22 00:34:20 2002 [18 hops]: Windows 2000 Pro (2128) -> (timestamp: 494600 @1016786060)
Fri Mar 22 00:34:23 2002 [18 hops]: Windows 2000 Pro (2128) -> (timestamp: 494600 @1016786063)
Fri Mar 22 00:34:29 2002 [18 hops]: Windows 2000 Pro (2128) -> (timestamp: 494600 @1016786069)

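As an added illustration (not code from John's post or from any of the tools he names), here is one way to pull the three sources above together into one record per event: the ipchains "Packet log" lines are re-joined where syslog wrapped them, the snort alert, the kernel DENY and the p0f line are parsed separately, and they are joined on their timestamps. The sample lines are constructed from the ones shown above (addresses already stripped there), and the year 2002 is an assumption because the syslog lines carry none.

```python
import re
from datetime import datetime

YEAR = 2002  # assumed: the syslog lines carry no year, only the p0f lines do
SAMPLE = """\
Mar 22 00:34:20 greatwall snort: [1:0:0] TCP to 27374 SubSeven {TCP} ->
Mar 22 00:34:20 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 L=48 S=0x00 I=11764 F=0x4000 T=111 SYN (#64)
Mar 22 00:34:23 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 L=48 S=0x00 I=11816 F=0x4000 T=111 SYN (#64)
Fri Mar 22 00:34:20 2002 [18 hops]: Windows 2000 Pro (2128) -> (timestamp: 494600 @1016786060)
Fri Mar 22 00:34:23 2002 [18 hops]: Windows 2000 Pro (2128) -> (timestamp: 494600 @1016786063)
""".splitlines()  # constructed from the lines in the post; addresses were already stripped there

SNORT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort: \[(\S+)\] (.*?) \{(\w+)\}")
KERNEL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: (\w+) (\w+) (\w+) (.*) \(#(\d+)\)")
P0F_RE = re.compile(r"^\w{3} (\w{3} +\d+ \d\d:\d\d:\d\d) (\d{4}) \[(\d+) hops\]: (.*?) \(\d+\) ->")

def syslog_ts(text, year=YEAR):
    """'Mar 22 00:34:20' -> datetime, with the year supplied by the caller."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def unwrap(lines):
    """Re-join kernel lines that were wrapped onto a following line starting with a space."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line
        elif line.strip():
            out.append(line)
    return out

def parse(lines):
    """Split the mixed log into (time, record) lists for snort, ipchains and p0f."""
    snort, kern, p0f = [], [], []
    for line in unwrap(lines):
        if m := SNORT_RE.match(line):
            snort.append((syslog_ts(m[1]), {"sid": m[2], "msg": m[3], "proto": m[4]}))
        elif m := KERNEL_RE.match(line):
            fields = dict(w.split("=", 1) for w in m[5].split() if "=" in w)
            kern.append((syslog_ts(m[1]), {"chain": m[2], "target": m[3], "iface": m[4],
                         "ttl": int(fields["T"]), "rule": int(m[6])}))  # (#64) is the rule that fired
        elif m := P0F_RE.match(line):
            p0f.append((syslog_ts(m[1], int(m[2])), {"hops": int(m[3]), "os": m[4]}))
    return snort, kern, p0f

def correlate(lines, window=1):
    """One record per snort alert, with the DENY and p0f lines logged within `window` seconds."""
    snort, kern, p0f = parse(lines)
    near = lambda rows, t: [r for rt, r in rows if abs((rt - t).total_seconds()) <= window]
    return [{"time": t, "alert": a, "denies": near(kern, t), "os": near(p0f, t)} for t, a in snort]
```

Widening `window` pulls in the retries a few seconds later, which is what "last message repeated 2 times" hides in the snort line.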
Bulk firewall logs, and specific incidents of interest are put up at:

as time allows...

When something of interest comes up, I look at the full snort packet
capture in more detail, and do notifications to those responsible
parties that might be interested, using BW Whois, see:

And so it goes.

- John
The weirdest thing about Window$ is that it's so opaque
Last modified: Sat Mar 23 10:45:25 2002