analyzing honeypot traffic - wireshark...• practice using packet analysis tools • wireshark...
TRANSCRIPT
![Page 1: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/1.jpg)
#sf20v • Online • October 12-16
SharkFest’20 Virtual
#sf20v • Online • October 12-16
Analyzing Honeypot TrafficChumming shark infested waters
Tom PetersonCloudShark
![Page 2: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/2.jpg)
#sf20v • Online • October 12-16
What we’ll be talking about
• What a honeypot is • Different types of honeypots • A running example • Accepts and listens to TCP connections
• Look at some captures • Wireshark, Suricata, Zeek
![Page 3: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/3.jpg)
#sf20v • Online • October 12-16
Who
• Tom • I 💙 packets • Live in New Hampshire • Got my start at the IOL@UNH • Work at QA Cafe • Presented last year! • Excited to be at SharkFest! • [email protected]
![Page 4: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/4.jpg)
#sf20v • Online • October 12-16
Why did I do this
• I 💙 packets • Internet is like shark infested waters • What happens when you listen to everything • Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects
• So I can talk to all of you!
![Page 5: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/5.jpg)
#sf20v • Online • October 12-16
History
• Cuckoo’s Egg - Clifford Stoll (1989) • First example of honey pot • Alert when attacker connected • Monitored everything typed • Fake documents to entice hacker • Keynote at SharkFest 2012
![Page 6: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/6.jpg)
#sf20v • Online • October 12-16
How to define
• Look like a valid network resource • No valid user should access it • Monitored • We want PCAPs!
• Alert on actions • IDS rule • E-mail
![Page 7: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/7.jpg)
#sf20v • Online • October 12-16
What can they do
• Detect attackers • Inside firewall
• Waste their resources • Threat hunting • Curiosity and fun!
![Page 8: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/8.jpg)
#sf20v • Online • October 12-16
XKCD Comic
![Page 9: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/9.jpg)
#sf20v • Online • October 12-16
General Classifications
• Production/Research • Level of interactivity • Low - Listen on port and alert on connection • High - Fake/emulated service • Pure - A real device
• Honey nets • A whole collection emulating a network
• There are different types
![Page 10: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/10.jpg)
#sf20v • Online • October 12-16
Detection Honeypot
• Really interesting idea • My home router has one • Listens on common ports • Alerts on any connection to that port
• Chris Sanders new book all about this
![Page 11: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/11.jpg)
#sf20v • Online • October 12-16
Tarpit
• First instance was LaBrea • Used to exhaust attackers resources • TCP fake SYN/ACK in 3-way handshake • Other side keeps sending ACK
• Endless SSH • HTTP drag out response as long as possible • So many bots out there though!
![Page 12: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/12.jpg)
#sf20v • Online • October 12-16
My honeypot
• Curious what happens on the internet • Digital Ocean • Accepts any TCP connection • Just listens, never sends data • Captures the packets!
![Page 13: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/13.jpg)
#sf20v • Online • October 12-16
How does it work
• Digital Ocean • CentOS 7 droplet • Added NAT interface • Forward all ports to single port on NAT interface • Netcat listens on NAT interface • Ringbuffer for capturing
![Page 14: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/14.jpg)
#sf20v • Online • October 12-16
Diagram
![Page 15: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/15.jpg)
#sf20v • Online • October 12-16
What happened
• Statistics • Interesting finds • How I analyze the pcap data • Suricata • Zeek • Wireshark
![Page 16: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/16.jpg)
#sf20v • Online • October 12-16
Stats
• In 1 day • 456731 packets • 4678 Endpoints • 621 from China • 120 High severity alerts • 8947 RDP Attempts • 1560 SSH Attempts
![Page 17: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/17.jpg)
#sf20v • Online • October 12-16
Tools
• Wireshark • Suricata • Zeek • CloudShark
![Page 18: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/18.jpg)
#sf20v • Online • October 12-16
Wireshark
• Looking directly at packets • All the data • All of it • Profiles • Filters • Analysis Tools
![Page 19: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/19.jpg)
#sf20v • Online • October 12-16
Suricata
• Signature based • Needs to be something previously seen • Stream data • Create filter for pcap
![Page 20: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/20.jpg)
#sf20v • Online • October 12-16
Zeek
• Behavior based • Generates log files • Custom Zeek scripts • Plugins • Display info from pcap data • Can create filter for pcap too
![Page 21: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/21.jpg)
#sf20v • Online • October 12-16
CloudShark
• Web interface • These are the tools under the hood • I’ll make it clear which tools are generating the
data we’re seeing
![Page 22: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/22.jpg)
#sf20v • Online • October 12-16
PCAP Time
![Page 23: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/23.jpg)
#sf20v • Online • October 12-16
Interesting finds
• Way more RDP traffic than expected • Very common way to get in
• Not so friendly sip scanner • Looks like machine was a CnC server • Could we take those bitcoins? • Infected machine sending a password!?!
![Page 24: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/24.jpg)
#sf20v • Online • October 12-16
Wrap-up
• All tools have advantages/disadvantages • Number of connections/packets makes pcap
analysis tricky • Zeek is an interesting tool. • Lots of data when you listen for it
![Page 25: Analyzing Honeypot Traffic - Wireshark...• Practice using packet analysis tools • Wireshark profiles • Zeek is new to me • What Suricata detects • So I can talk to all of](https://reader035.vdocuments.us/reader035/viewer/2022062610/611fb2c1090e662663752ba3/html5/thumbnails/25.jpg)
#sf20v • Online • October 12-16
Resources
• github.com/thomasp11/sf20 • Cuckoo’s Egg - Cliff Stoll • Honeynet • SANS ISC • Intrusion Detection Honeypots: Detection
Through Deception - Chris Sanders