Internet Systematics Lab HoneyNet Project Quarterly Report Q4/2002.

Current Setup
--------------------

Our setup has been fairly stable for the past months.
We are using a GEN-II Linux bridge running the fairly old Snort-IDG patch.
The Honeynet syslog server is protected by an extra firewall but is still part of the Honeynet.

Our Setup (image)

Our honeypots are a mix of VMware-based and physical machines running a variety of operating systems.

Honeypot Operating Systems List:
Linux RedHat 6.2
Linux RedHat 7.0
Linux RedHat 7.1
Linux RedHat 7.2
Windows 98
Windows 2000
Windows NT 4.0
Debian GNU/Linux, Sparc
Solaris 2.5, Sparc
Solaris 2.7, x86

The Sparc platforms are currently offline due to hardware problems; spare parts are arriving soon and the machines will be back online as soon as possible.

Honeypot Services:
Windows networking
HTTP
FTP
MySQL
SMTP
DNS

The main analysis tools used are ACID and Ethereal.


Findings / Developments
-----------------------------------

Our primary focus for the past quarter was making all team members, and the new ones in particular, familiar with the components of Honeynet technology while integrating everyone into the daily operation of our honeynet. The following developments were carried out to support this:

I) Developments

1) Introduce a mailing list for honeynet alerts generated by the bridge, so everyone is kept up to date.
2) Introduce a Honeynet data management and analysis framework consisting of:

a) Rearrange DCAP (data capture) logging.
i) Date-based directory tree for storage of captured data.
ii) Modified Snort restart script so that data capture can run for more than a year without manual intervention.

b) Backend data storage/analysis server, so that any team member can access the data without directly interacting with the honeynet unless it is necessary, consisting of:

i) Pull data from the backend server through scp on a daily basis, for increased security.
ii) MD5-checksummed file transfers to preserve data integrity.
iii) Central Snort/ACID/Demarc database, updated daily.
iv) Patch ACID to support multiple users accessing different Snort databases through a single ACID installation (still in development).
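As an added illustration of items a) and b) above (example code written for this report, not the ISL scripts themselves), the following POSIX shell script pulls one day's captures into a YYYY/MM/DD tree and checks every file against an md5sum manifest written on the sensor side. The per-day directory layout, the MD5SUMS file name and the scp source prefix are assumptions; the demo at the bottom runs on constructed files, not real captures.

```shell
#!/bin/sh
# Added example (not the ISL scripts): daily pull of bridge captures into a
# date-based tree, with the transfer verified against an md5sum manifest.
# Assumed layout: the source exposes one directory per day, named YYYYMMDD,
# holding the capture files plus an MD5SUMS manifest made with `md5sum *`.

# day_dir BASE YYYYMMDD -> prints BASE/YYYY/MM/DD (fails on a malformed date)
day_dir() {
    base=$1; d=$2
    case $d in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "bad date: $d" >&2; return 1 ;;
    esac
    printf '%s/%s/%s/%s\n' "$base" \
        "$(echo "$d" | cut -c1-4)" "$(echo "$d" | cut -c5-6)" "$(echo "$d" | cut -c7-8)"
}

# verify_manifest DIR -> 0 if every file listed in DIR/MD5SUMS has the expected
# digest, 1 (plus one stderr line per bad file) otherwise. Written out instead
# of relying on `md5sum -c` so the check behaves the same on every md5sum.
verify_manifest() {
    dir=$1
    [ -f "$dir/MD5SUMS" ] || { echo "no manifest in $dir" >&2; return 1; }
    rc=0
    while read -r sum name; do
        [ -n "$name" ] || continue
        actual=$(cd "$dir" && md5sum "$name" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "CORRUPT: $dir/$name expected $sum got ${actual:-nothing}" >&2
            rc=1
        fi
    done < "$dir/MD5SUMS"
    return $rc
}

# pull_day SRC YYYYMMDD BASE: copy SRC/YYYYMMDD/* into the tree under BASE and
# verify it. SRC is an scp source prefix such as user@bridge:/var/log/dcap for
# the real pull, or a plain local directory for a dry run.
pull_day() {
    src=$1; d=$2; base=$3
    dest=$(day_dir "$base" "$d") || return 1
    mkdir -p "$dest" || return 1
    case $src in
        *:*) scp -q "$src/$d/*" "$dest/" || return 1 ;;
        *)   cp "$src/$d"/* "$dest/" || return 1 ;;
    esac
    verify_manifest "$dest"
}

# Dry run on constructed data (not real captures).
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/sensor/20021231"
    printf 'constructed snort alert data\n' > "$work/sensor/20021231/alert"
    printf 'constructed pcap data\n' > "$work/sensor/20021231/snort.log"
    (cd "$work/sensor/20021231" && md5sum alert snort.log > MD5SUMS)

    pull_day "$work/sensor" 20021231 "$work/store" \
        && echo "pull ok: $(day_dir "$work/store" 20021231)"

    # Tamper with a stored file: the next verification must fail.
    printf 'x' >> "$work/store/2002/12/31/snort.log"
    verify_manifest "$work/store/2002/12/31" || echo "tampering detected"
    rm -rf "$work"
}
demo
```

Running it prints `pull ok: .../2002/12/31` and then `tampering detected` once a stored file has been altered. Note what the checksum does and does not give you: it catches transfer corruption and accidental modification on the analysis server, but because the manifest travels with the data over the same scp session, whoever controls the bridge can rewrite both. For evidential integrity, recompute the digests on the analysis side at pull time and keep that record off the honeynet.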

c) Support scripts for data analysis.
i) Create summary alerts of portscans.
ii) Perform batch whois/DNS lookups (Sam Spade).
iii) Create a summary of Snort alerts (in development).
iv) Create an Ethereal display filter to exclude, or step one at a time through, all IPs found in portscans.
v) Create simple text reports as a starting point for analysis.
vi) Store results in an analysis report database for future correlation (TODO/wishlist).
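The following added example (written for this report, not the ISL support scripts) shows items i) and iv) in working form: an awk/sh summary of a Snort 1.x spp_portscan log and the Ethereal display filters derived from it. The log line layout is assumed to be `Mon DD HH:MM:SS src:sport -> dst:dport PROTO [flags]`, and the sample lines embedded in `write_sample` are constructed, not captured data.

```shell
#!/bin/sh
# Added example (not the ISL scripts): portscan summary and Ethereal display
# filters derived from a Snort 1.x spp_portscan log. Assumed line layout
# (one packet per line):  Mon DD HH:MM:SS src:sport -> dst:dport PROTO [flags]

# write_sample FILE: constructed log lines for a dry run (not real captures)
write_sample() {
    cat > "$1" <<'EOF'
Dec 30 03:12:44 10.9.8.7:40123 -> 192.168.10.5:21 SYN ******S*
Dec 30 03:12:44 10.9.8.7:40124 -> 192.168.10.5:22 SYN ******S*
Dec 30 03:12:45 10.9.8.7:40125 -> 192.168.10.5:80 SYN ******S*
Dec 30 03:12:45 10.9.8.7:40126 -> 192.168.10.6:80 SYN ******S*
Dec 30 11:40:01 172.16.3.3:1025 -> 192.168.10.5:139 SYN ******S*
Dec 30 11:40:02 172.16.3.3:1026 -> 192.168.10.5:445 SYN ******S*
Dec 31 07:05:19 10.9.8.7:53 -> 192.168.10.5:53 UDP
EOF
}

# portscan_sources FILE: scanning source IPs, one per line, busiest first
portscan_sources() {
    awk '$5 == "->" { split($4, s, ":"); n[s[1]]++ }
         END { for (ip in n) print n[ip], ip }' "$1" \
    | sort -k1,1nr -k2,2 | awk '{ print $2 }'
}

# portscan_summary FILE: per source, packets seen, distinct target hosts and
# distinct target ports, plus first/last timestamp; busiest source first
portscan_summary() {
    printf '%-15s %5s %5s %5s  %s\n' SOURCE PKTS HOSTS PORTS 'FIRST .. LAST'
    awk '$5 == "->" {
            split($4, s, ":"); split($6, d, ":"); ip = s[1]
            pkts[ip]++
            if (!((ip, d[1]) in seenh)) { seenh[ip, d[1]] = 1; hosts[ip]++ }
            if (!((ip, d[2]) in seenp)) { seenp[ip, d[2]] = 1; ports[ip]++ }
            ts = $1 " " $2 " " $3
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
        }
        END {
            for (ip in pkts)
                printf "%-15s %5d %5d %5d  %s .. %s\n", ip, pkts[ip], hosts[ip], ports[ip], first[ip], last[ip]
        }' "$1" | sort -k2,2nr
}

# exclude_filter FILE: Ethereal display filter that hides every scanner's
# traffic, leaving the non-scan activity that deserves a closer look
exclude_filter() {
    portscan_sources "$1" | awk '
        NR == 1 { printf "!(ip.addr == %s", $1; next }
                { printf " || ip.addr == %s", $1 }
        END     { if (NR > 0) print ")" }'
}

# step_filter FILE N: display filter for the N-th busiest scanner only, so an
# analyst can walk through the scanners one at a time; fails if N is too large
step_filter() {
    ip=$(portscan_sources "$1" | sed -n "${2}p")
    [ -n "$ip" ] || return 1
    printf 'ip.addr == %s\n' "$ip"
}

# Dry run on the constructed sample.
demo() {
    f=$(mktemp) || return 1
    write_sample "$f"
    portscan_summary "$f"
    echo "exclude: $(exclude_filter "$f")"
    echo "step 1:  $(step_filter "$f" 1)"
    rm -f "$f"
}
demo
```

`ip.addr` matches either end of a packet, so the exclusion filter removes the scanner's probes and the honeypots' replies in one go; `step_filter` walks the scanners in order of activity so the busiest source is reviewed first. Both read the same spp_portscan file, so a new scanner appearing in the log changes the filters without any manual editing.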

d) Visualisation aid for honeypot traffic.
i) A graphical view of Honeynet traffic within a period of time (days to months).
ii) Draft paper on visualisation and interpreting what you see (in preparation).
iii) Utilise the ROOT framework from CERN.

3) Introduce a training lab setup to experiment with the Honeynet bridge, using Pentium-class machines with a small or no hard disk, consisting of:
i) Diskless boot from a single boot floppy (GRUB only; the floppy depends on the NIC used).
ii) Fully configurable setup through DHCP (kernel to load, IP address, root partition to mount, etc.).
iii) A shared, read-only Linux installation over NFS.
iv) Per-station write-enabled / (root) and /usr/local file systems.
v) Boot floppy creation shell script.
vi) Usage documentation (todo).

3.1) Using the above setup we are currently testing snort-inline versions and bandwidth rate limiting.
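As an added example of the DHCP side of this lab setup (constructed for this report, not the lab's own configuration), an ISC dhcpd fragment that hands each diskless station its address, the kernel image to fetch and the NFS root to mount. Every address, host name, MAC address and export path below is made up for illustration.

```conf
# Added example, not the ISL lab's own configuration: ISC dhcpd fragment for
# a diskless training lab. All addresses, names, MACs and paths are constructed.
# The subnet stanza carries the shared settings; each host stanza pins a station
# to its own write-enabled root export, while the rest of the installation stays
# on a single read-only export.

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.120;
    option routers 192.0.2.1;
    option domain-name-servers 192.0.2.1;

    # TFTP server and kernel image handed to the boot loader on the floppy
    next-server 192.0.2.10;
    filename "lab/vmlinuz-2.4";

    # Default root for any station without its own host stanza
    option root-path "192.0.2.10:/export/lab/stations/default";
}

# Per-station entries: fixed address plus a private, write-enabled root.
host lab01 {
    hardware ethernet 00:50:56:01:02:03;
    fixed-address 192.0.2.101;
    option root-path "192.0.2.10:/export/lab/stations/lab01";
}

host lab02 {
    hardware ethernet 00:50:56:01:02:04;
    fixed-address 192.0.2.102;
    option root-path "192.0.2.10:/export/lab/stations/lab02";
}
```

On the export side this pairs with a read-only export of the shared installation and one read-write export per station (for example `/export/lab/shared 192.0.2.0/24(ro,no_root_squash)` and `/export/lab/stations/lab01 192.0.2.101(rw,no_root_squash)` in `/etc/exports`); the kernel is then booted with `root=/dev/nfs ip=dhcp`, adding `nfsroot=` explicitly if the kernel in use does not pick up the root-path option. Because every station trusts whatever the DHCP server says about kernel and root, that server and the TFTP/NFS host must live on the isolated lab segment, never on the production honeynet.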


II) Findings

Observing and analysing the Honeynet data also gave us good insight into attacker behaviour and attack patterns.
Unfortunately we have not seen any fully successful (root-privilege) attack this quarter.
We saw a lot of interesting activity, summarised below:

1) All variants of the Slapper worm.
a) A manually performed attack using the same vulnerability succeeded, but root access was not achieved; probably a novice attacker or someone still preparing a script.
2) Much worm activity on Windows networking, including:
a) a worm carrying a sex-line auto-dialer;
b) spamming through Windows messaging (port 135).
3) Solaris login vulnerability.
4) Several HTTP/open proxy and open SMTP relay scans, and even some Code Red activity.
5) MTP scans.
6) Evasive scans (RST, SYN/ACK, etc.).
7) Very slow/stealthy scans.

III) Presentations

The following parallel activities were influenced by ISL's Honeynet project and gave us the opportunity to disseminate information about the Honeynet Project.

1) Participation in the "Dependability" EU research planning activity, initiating talks to promote interest in the Honeynet project.
2) Participation in the execution of a student project with the Technical Institute of Athens which will produce a Snort plugin that detects spoofing.
3) Participation in the use and improvement of a secured chat server, in the final stage of a student project with the Technical Institute of Athens.


Plans for the Next Quarter
--------------------------------------

This quarter we plan to:

a) Support a Greek version of our Honeynet Project site.
b) Focus on publications and presentations.
c) Collaborate with organisations in Greece and the EU that are interested in Honeynets.
d) Continue development of the tools (scripts) to an alpha version for testing and use by interested Alliance members.