Internet Systematics Lab HoneyNet Project Quarterly Report Q4/2002.
Current Setup
--------------------
Our setup has been fairly stable for the past months.
We are using a GEN-II Linux bridge running the fairly old Snort-IDG patch.
The Honeynet syslog server is protected by an extra firewall but is still
part of the honeynet.
Our Setup (image)
Our honeypots are both VMware-based and standard honeypots with a variety
of operating systems.
Honeypot Operating Systems List:
Linux RedHat 6.2
Linux RedHat 7.0
Linux RedHat 7.1
Linux RedHat 7.2
Windows 98
Windows 2000
Windows NT 4.0
Debian GNU/Linux Sparc
Solaris 2.5, Sparc
Solaris 2.7 X86
Sparc platforms are currently offline due to hardware problems, but spare parts
are arriving soon and they will be back online as soon as possible.
Honeypot Services:
Windows networking
http
ftp
mysql
smtp
dns
The main analysis tools used are ACID and Ethereal.
Findings / Developments
-----------------------------------
Our primary focus for the past quarter was making all/new team members aware
of the components of Honeynet technology while integrating everyone in the
daily operation of our honeynet. Thus the following developments had to be
carried out:
I) Developments
1) Introduce a mailing list for honeynet alerts generated by the bridge, so
everyone is kept up to date.
2) Introduce a HoneyNet Data Management and Analysis Framework consisting of:
a) Rearrange DCAP logging.
i) Date-based tree directory structure for storage of data.
ii) Modified Snort restart script to handle data capture for more than a year
of data.
b) Backend data storage/analysis server, so that any team member can access
the data without directly interacting with the honeynet unless necessary,
consisting of:
i) Pull data from the backend server through scp on a daily basis, for
increased security.
ii) MD5-checksummed file transfers to retain data integrity.
iii) Central Snort/ACID/Demarc database, updated daily.
iv) Patch ACID to support multiple users accessing different Snort databases
through a single ACID installation (still in development).
c) Support scripts for data analysis.
i) Create summary alerts of portscans.
ii) Perform batch whois / DNS lookups (Sam Spade).
iii) Create a summary of Snort alerts (in development).
iv) Create an Ethereal filter rule to exclude / single-step through all IPs
found in portscans.
v) Create simple text reports as a starting point for analysis.
vi) Store results in an analysis report database for future correlation
(TODO/wishlist).
d) Visualisation aid for honeypot traffic.
i) A graphical view of honeynet traffic within a period of time (days to
months).
ii) Draft paper on visualization and interpreting what you see (in preparation
phase).
iii) Utilize the ROOT framework from CERN.
3) Introduce a training lab setup to experiment with the Honeynet bridge,
utilizing Pentium-class machines with small or no hard disks, consisting of:
i) Diskless boot using a single boot floppy (GRUB only, dependent on the
NIC used).
ii) Totally configurable setup through DHCP (kernel to load, IP address, root
partition to mount, etc.).
iii) An NFS-shared read-only Linux installation.
iv) Per-station write-enabled / (root) and /usr/local file systems.
v) Boot floppy creation shell script.
vi) Usage documentation (todo).
3.1) Using the above setup we are currently testing snort-inline versions and
bandwidth (BW) rate limiting.
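As an added illustration of the daily pull described under 2b (this is example code, not the ISL team's own scripts), the script below pulls one day's data from the backend over scp, checks an MD5 manifest, and files the result into the date-based YYYY/MM/DD tree. The backend hostname, the remote directory layout and the manifest name MD5SUMS are assumptions.

```shell
# Added illustration, not the ISL scripts: daily scp pull from the backend,
# MD5 manifest check, then filing under a YYYY/MM/DD tree.
# Assumptions: hostname BACKEND, remote layout REMOTE_DIR/<YYYY-MM-DD>/, and a
# manifest named MD5SUMS (output of md5sum) inside each day directory.
set -u
BACKEND="${BACKEND:-backend.example}"
REMOTE_DIR="${REMOTE_DIR:-/var/log/honeynet}"
MANIFEST="MD5SUMS"

# date_tree 2002-12-31 -> 2002/12/31 (the date-based storage tree)
date_tree() {
    printf '%s\n' "$1" | tr '-' '/'
}

# Check every file listed in the manifest inside directory $1; non-zero on any mismatch.
verify_manifest() {
    ( cd "$1" && md5sum -c --status "$MANIFEST" )
}

# store_day <downloaded dir> <archive root> <YYYY-MM-DD>: file a verified day
# into the tree; a failed checksum leaves nothing in the archive.
store_day() {
    verify_manifest "$1" || { echo "md5 mismatch in $1, not stored" >&2; return 1; }
    dest="$2/$(date_tree "$3")"
    mkdir -p "$dest" && mv "$1"/* "$dest"/
}

# pull_day <YYYY-MM-DD> <archive root>: fetch one day over scp (team members pull
# from the backend, so no honeynet host has to accept inbound connections).
pull_day() {
    tmp=$(mktemp -d) || return 1
    scp -q -r "$BACKEND:$REMOTE_DIR/$1" "$tmp/" || return 1
    store_day "$tmp/$1" "$2" "$1"
}

# Constructed offline self-test standing in for a downloaded day directory.
selftest() {
    root=$(mktemp -d); mkdir -p "$root/dl" "$root/bad"
    printf 'snort data\n' > "$root/dl/snort.log"
    ( cd "$root/dl" && md5sum snort.log > "$MANIFEST" )
    store_day "$root/dl" "$root/archive" 2002-12-31 || return 1
    [ -f "$root/archive/2002/12/31/snort.log" ] || return 1
    # A file modified after the manifest was written must be rejected.
    printf 'snort data\n' > "$root/bad/snort.log"
    ( cd "$root/bad" && md5sum snort.log > "$MANIFEST" )
    printf 'tampered\n' >> "$root/bad/snort.log"
    store_day "$root/bad" "$root/archive" 2002-12-30 2>/dev/null && return 1
    [ ! -e "$root/archive/2002/12/30" ]
}
```

The manifest travels with the data, so this catches transfer corruption and accidental edits rather than a backend that has been compromised and can rewrite both; comparing against a manifest kept on the analysis side closes that gap.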
II) Findings
HoneyNet data observation and analysis also gave us great insight into attack
behaviour and patterns of attack.
Unfortunately we haven't seen any fully successful (root privilege) attack
this quarter.
We saw a lot of interesting activity, summarized below:
1) All variants of the Slapper worm.
a) A manually performed attack using the same vulnerability succeeded, but
root access was not achieved. Probably a novice hacker or someone in the
script preparation phase.
2) Much worm activity on Windows networking.
a) Including a worm sex-line auto-dialer.
b) Spamming through Windows messaging (port 135).
3) Solaris login vulnerability.
4) Several HTTP/open proxy and open SMTP relay scans. Even some Code Red
activity.
5) MTP scans.
6) Evasive scans (RST, SYN/ACK, etc.).
7) Very slow/stealthy scans.
III) Presentations
The following parallel activities, influenced by ISL's Honeynet project, took
place and gave us the opportunity to disseminate information about the
Honeynet Project.
1) Participate in the "Dependability" EU research planning activity and
initiate talks to promote interest in the Honeynet project.
2) Participate in the execution of a student project with the Technical
Institute of Athens which will produce a Snort plugin that detects spoofing.
3) Participate in the usage and improvement of a secured chat server in the
final stage of a student project with the Technical Institute of Athens.
Plans for the Next Quarter
--------------------------------------
This quarter we plan to:
a) Support a Greek version of our HoneyNet Project site.
b) Focus on publications / presentations.
c) Collaborate with organizations in Greece/EU that are interested in
honeynets.
d) Continue development of the tools (scripts) to an alpha version for
testing/usage by interested Alliance members.