Agressive Honeypots
BrControl: Agressive honeypots

:: What is BrControl?
:: Forum
:: Downloads
----:: Brcontrol-0.01
----:: Description


About BrControl

The "GenII Honeynets" proposed by the Honeynet project, shows us what they call the "HoneyWall Gateway", a bridge to log the activity going to their honeypots, and with some filter capabilities in order to drop unwanted traffic originated from those machines for example.

For most cases, the ideal Gateway will be a device capable of diferenciate legitimate users, allowing them to access the production machines, from malicious ones, redirecting them to a Honeynet. Let's call it BrControl, the Security Controller.

Of course this must be achieved in a complete transparent way, so potential attackers don't notice when they are redirected.

We know how to implement a GenII Honeynet with snort-inline and iptables in bridge mode. What we want for BrControl can be done with this tools if we can set up some comunication between them.

Instead of dropping or rejecting the packet in userspace, it can be done with the firewall easily, we want the IDS to diferenciate the malicious traffic for us., setting up some kind of mark that we can use in a iptables rule to send the traffic to production or to the honeynet.

The linux kernel, has this kind of mark, but we need to patch it to allow setting it from userspace.

So we could now set a new kind of rules, a "mark" target in the snort configuration files will tell which traffic should be sent to the honeynet. It requires some modifications to the ip_queue library and header and of course to the snort-inline source.

At this point, the Brcontrol, upon receiving a packet, matches the standar QUEUE target in the input chain of the firewall, get matched against the snort rules with the brand new "mark" target. Those marked packets, can be the target of another iptables rule in the POSTROUTING chain, in order to drop, reject, log, tarpit, or whatever , all the logic can be defined with the firewall. giving us full control of the process.

We'll try to write a more complete document in the next few days, as well as a sample firewall script. You can download now kernel, iptables and snort_inline patches in

Of course there are a lot of thinks that can be done with this idea. It's now on a early stage of development but it works. Comments, feedback and more ideas are welcome.

Cesar Tascon Alvarez
Javier Espasa Arbeteta
Aritz Aldabe Iza

© 2004 Cesar Tascon, Javier Espasa y Aritz Aldabe
BrControl: Agressive honeypots