Is there a universal TCP/IP responding server


MonkeyK

This may be a little larger than SNB, but I am looking for a tool that responds to TCP/IP requests on a large number of common ports. Does something like this exist?

I hope to use it so that I can direct traffic identified as suspicious to that server and capture as much of the request info as possible.
 
Sounds like you want to build a honeypot. Check out a Raspberry Pi board and set up Raspbian; that'll give you a full-fledged Debian box to expose to the outside world. Park it in the DMZ...
 
Something like a honeypot. I don't really want to expose it, I just want any requests that my firewall considers malware to go to it.
My firewall is set up with a sinkhole now, so all requests that it thinks are malware go to an IP address that gets denied. The problem is that my firewall doesn't log where the request is going in this case; it just logs the sinkhole IP. I think that if I could send the traffic on to something that could handle it, my firewall would log the intended URL.
So I would like the IP address to actually respond, but since I am not sure what port the request goes to, I think that I need a server that will handle a wide range of ports (or better yet any port)
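A catch-all listener of the kind asked for above, as an added example that is not from the thread and not the code of HoneyD or KFSensor mentioned later. It binds a list of ports (CATCH_ALL_PORTS is an assumed list), records the source address, destination port and first bytes of every connection, and tries to recover the hostname the client meant to reach from a plaintext HTTP Host header or the SNI in a TLS ClientHello, which is exactly the information a DNS sinkhole throws away. The hostnames and payloads are constructed for the example; `build_client_hello` only exists to produce test input.

```python
import re
import socket
import socketserver
import struct
import threading
import time
from datetime import datetime, timezone

# Ports to answer on (assumption: list whatever your sinkholed clients tend to hit).
CATCH_ALL_PORTS = (80, 443, 8080, 8443)


def http_host(data: bytes):
    """Return the Host header of a plaintext HTTP request, or None."""
    m = re.search(rb"^Host:[ \t]*([^\r\n]+)", data, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip().decode("ascii", "replace") if m else None


def tls_sni(data: bytes):
    """Return server_name from a TLS ClientHello, or None if absent or malformed."""
    # record header: type(1)=0x16 version(2) length(2); handshake header: type(1)=0x01 length(3)
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 9 + 2 + 32                       # skip both headers, client_version, random
    pos += 1 + data[pos]                   # session_id
    if pos + 2 > len(data):
        return None
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(data):
        return None
    pos += 1 + data[pos]                   # compression_methods
    if pos + 2 > len(data):
        return None
    end = min(pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0], len(data))
    pos += 2
    while pos + 4 <= end:                  # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if ext_type == 0:                  # server_name: list_len(2) name_type(1) name_len(2) name
            if pos + 5 > end or data[pos + 2] != 0:
                return None
            name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
            if pos + 5 + name_len > end:
                return None
            return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None


def intended_destination(data: bytes):
    """Best-effort recovery of the hostname the client meant to reach."""
    return tls_sni(data) or http_host(data)


def describe(client, dst_port, first_bytes):
    """One log record per connection: the detail the firewall log was missing."""
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src": f"{client[0]}:{client[1]}",
        "dst_port": dst_port,
        "host": intended_destination(first_bytes),
        "preview": first_bytes[:64].hex(),
    }


class CatchAllHandler(socketserver.BaseRequestHandler):
    """Read the first bytes, record them, and hang up without answering."""
    records = []   # in-memory log for the example; use a file or syslog for real

    def handle(self):
        self.request.settimeout(3)
        try:
            first = self.request.recv(4096)
        except OSError:          # timeout or reset: still log that someone connected
            first = b""
        CatchAllHandler.records.append(
            describe(self.client_address, self.server.server_address[1], first))


class CatchAllServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_listener(port, host="0.0.0.0"):
    """Bind one listener on a background thread; port 0 picks a free port."""
    srv = CatchAllServer((host, port), CatchAllHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with an SNI extension (test input only)."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def probe(port, payload, host="127.0.0.1"):
    """Local test helper: send one payload, wait for the hang-up, return the record."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        while s.recv(4096):
            pass
    return CatchAllHandler.records[-1]


if __name__ == "__main__":
    for p in CATCH_ALL_PORTS:
        start_listener(p)
    seen = 0
    while True:                  # print new records as they arrive
        time.sleep(1)
        for rec in CatchAllHandler.records[seen:]:
            print(rec)
        seen = len(CatchAllHandler.records)
```

Two caveats. A socket API cannot bind "any port"; on Linux the usual trick (my suggestion, not the thread's) is a NAT-table REDIRECT rule that folds every destination port on the sinkhole address into one listener, and then the listener can read the original port with SO_ORIGINAL_DST. And the handler deliberately sends nothing back: it logs and closes, so the malware sees a dead peer rather than a reply it might act on, which is the concern raised later in this thread.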
 
Seems like you just need a better firewall or increase the verbosity of your current firewall's logging.

Or maybe you are using NAT which means the destination IP for all externally initiated connections/sessions will always be your public IP.

What do you mean by "sinkhole"? It is best to just block all incoming connections. Be careful...
 
Hi, I am not addressing inbound traffic. My goal is to find outbound malicious traffic and try to find where it is trying to go. The sinkhole is an IP address that will be resolved when requests to my DNS are determined to be DNS requests for malware.
 
Is this a standard security practice? If not, I would go with a more common solution like a UTM. When it comes to security, unless I have a damn good reason, I like to follow standard security guidelines.

Does your DNS have a log of the malware DNS queries? If so, can you not just resolve them to their real IPs (instead of the sinkhole IP)? I guess that still leaves the data transmitted unknown though. Are you running a layer 7 firewall?

Maybe run tcpdump to sniff all data with the destination IP of your sinkhole IP?


Honestly, the level of detail and sophistication needed to accomplish your goals keeps becoming more and more complicated as I think about it. Like, how do you know the destination port correlates with the service, like HTTP on port 21 instead of 80? How do you know the data you return to the malware will not initiate a self-destruct or some other unwanted action?

Once malware is found, I would just isolate and remove. Use honeypots and VMs to investigate live malware.
 
Well, the sinkhole already exists, and is a LAN IP address for which there is no machine. The firewall just drops the request.

But I found a couple of tools that do what I want. They are made to be honeypots:

HoneyD - free, but requires somewhat complex configuration. Services need to be set up with personalities describing how they will respond.
http://www.honeyd.org/index.php

KFSensor - kind of expensive at $600 but ready to respond to many common services out of the box
http://www.keyfocus.net/kfsensor/overview.php
 
What exactly are you trying to do?

You might look into a virtualized honeynet, like HoneyDrive. Though, I have never heard of using a honeypot like you plan to.

Can you directly access the machine and attempt some rudimentary reverse engineering? A badass book on the subject is Practical Malware Analysis, written by some very over-qualified authors.
 
What exactly are you trying to do?
OK. As I step back from the problem, I think that I can do what I want without all the info.

Like I said, my firewall does not log the domain name for a DNS request that it blocks as a potentially malicious target. I was thinking that it would be nice to know the domain name, so my thought was that rather than deny the traffic, I would send it somewhere safe so that I could get an actual traffic log.

In truth, I probably don't really need to know the URL. I can just accept that the request was blocked and run a malware scan on the originating device.
 
And I find that I am wrong... Malware scan returned nothing. I need to know if the traffic simply originated from something on a web page. So I will be implementing something to capture more info.
 
If the firewall is performing DNS filtering, running a Wireshark capture on the affected PC with a simple display filter like "dns" would give you something to correlate the firewall logs to.
 