no changes from 2003Q2
Honeypots
1) Linux RedHat 7.3 - syslog server - using IPChains firewall
2) Linux RedHat 7.3 default installation
3) Windows 2000 with SP2 applied
Honeypot Services
-----------------------
1. Windows networking
2. Apache
3. wu-ftpd
4. mysqld
5. sendmail
6. syslogd
7. BIND
8. MS-SQL
9. Microsoft IIS
Data Capture Methods
1) Snort-2.0 binary capture
2) Snort-2.0 alerts
3) Snort-2.0 ASCII sessions
4) Firewall logs
5) Sebek2 (Linux 2.01)
6) Remote syslog data
Data Control Methods
1) Connection rate limiting - IPTables (rc.firewall 0.7.2)
2) Snort-inline 2.0 - DROP mode
Management
1) Honeywall:
   1. ssh access
   2. Data management - custom scripts
2) Honeypots: local console
Tools Used
In daily analysis we utilise the following tools.
1) ACID: analysis console for the Snort alert database
2) DEMARC: network security monitor
3) ETHEREAL: free network protocol analyser
4) TCPSLICE: extracting part of the traffic from large binary capture files by timestamp
5) NGREP: searching for strings and patterns inside packet payloads
6) EDITCAP: splitting large binary capture files into smaller, manageable sets
7) Custom scripts (batch-analysis scripts): batch DNS and WHOIS lookups, alert summarisation
8) sysprep: enables use of a single Win2K honeypot image on diverse hardware (great for forensics on a live Windows system)
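The alert-summarisation step of the batch-analysis scripts, as an added example (it is not the lab's own script and the alert lines are constructed): it parses Snort 2.0 alert_fast lines, counts hits per signature, per attacking source and per targeted service, records first/last sighting per source, and separately lists alerts whose source address lies inside the honeynet. The honeynet prefix 192.0.2.0/24, the hosts and the timestamps are assumptions for the example; the signature IDs and messages follow the naming of Snort 2.0 rules but the events are made up.

```python
"""Batch summariser for Snort 2.0 alert_fast output (added example, not the lab's code)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Honeynet address range assumed for this example (a documentation prefix, not the lab's).
HONEYNET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample alerts in Snort 2.0 alert_fast format. SIDs/messages mimic
# Snort 2.0 rule names; hosts, ports, times and counts are invented for the example.
SAMPLE_ALERTS = """\
08/12-03:14:07.120431  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.45:3241 -> 192.0.2.10:80
08/12-03:14:09.553201  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.45:3242 -> 192.0.2.10:80
08/12-03:20:41.001928  [**] [1:1622:5] FTP RNFR ././ attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:41022 -> 192.0.2.20:21
08/12-03:21:02.774511  [**] [1:1622:5] FTP RNFR ././ attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:41023 -> 192.0.2.20:21
08/12-03:30:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10
08/12-04:02:13.340066  [**] [1:2003:3] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.200:1434 -> 192.0.2.10:1434
08/12-04:05:55.918273  [**] [1:498:4] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.20:21 -> 198.51.100.7:41023
"""

# One alert_fast line: timestamp, [gid:sid:rev] message, optional classification and
# priority, {proto}, then src[:port] -> dst[:port] (ICMP alerts carry no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"]) if d["prio"] else None
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] else None
    return d


def parse_alerts(text):
    """Parse a whole alert file, silently skipping lines that are not alerts."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def summarise(alerts):
    """Counts per signature, per source and per targeted service, plus first/last seen per source.
    Timestamps are fixed-width MM/DD-HH:MM:SS.usec strings, so min/max on them orders within a year."""
    by_sig, by_src, by_service = Counter(), Counter(), Counter()
    srcs_per_sig = defaultdict(set)
    seen = {}
    for a in alerts:
        sig = (a["sid"], a["msg"])
        by_sig[sig] += 1
        by_src[a["src"]] += 1
        by_service[(a["proto"], a["dport"])] += 1
        srcs_per_sig[sig].add(a["src"])
        first, last = seen.get(a["src"], (a["ts"], a["ts"]))
        seen[a["src"]] = (min(first, a["ts"]), max(last, a["ts"]))
    return {"by_sig": by_sig, "by_src": by_src, "by_service": by_service,
            "srcs_per_sig": {k: sorted(v) for k, v in srcs_per_sig.items()}, "seen": seen}


def outbound_alerts(alerts, honeynet=HONEYNET):
    """Alerts whose source is a honeypot. A honeypot has no legitimate reason to initiate
    traffic, so these are the strongest sign that a compromise is under way and are
    exactly the flows the data-control layer (rate limiting, snort-inline) must throttle."""
    return [a for a in alerts if ipaddress.ip_address(a["src"]) in honeynet]


def render(summary, outbound):
    """Plain-text daily summary."""
    out = ["== Alerts by signature =="]
    for (sid, msg), n in summary["by_sig"].most_common():
        out.append(f"{n:5d}  sid {sid:<6d} {msg}  ({len(summary['srcs_per_sig'][(sid, msg)])} source(s))")
    out.append("== Sources ==")
    for src, n in summary["by_src"].most_common():
        first, last = summary["seen"][src]
        out.append(f"{n:5d}  {src:<16} first {first}  last {last}")
    out.append("== Targeted services ==")
    for (proto, port), n in summary["by_service"].most_common():
        out.append(f"{n:5d}  {proto}/{port if port is not None else '-'}")
    out.append(f"== Outbound alerts from honeypots: {len(outbound)} ==")
    for a in outbound:
        out.append(f"  {a['ts']} {a['src']} -> {a['dst']}:{a['dport']} {a['msg']}")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(render(summarise(parsed), outbound_alerts(parsed)))
```

Pointed at a real alert file, the outbound section is the first thing worth reading each morning: in the sample, the `id check returned root` alert from 192.0.2.20 back to the FTP attacker says the wu-ftpd honeypot is already answering commands as root.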
Findings
We are monitoring two different blackhat groups: one seems Romanian (IRC chats) and the other German (warez); both seem to leave and come back after a period.
Developments
1. Updated the second draft of Chapter 5 of the upcoming KYE-II book with new Sebek material from E. Balas.
2. Contributed to the debugging of Sebek.
3. Advanced the graduate thesis by a lab member, "Buffer overflow Snort preprocessor", and communicated it to the RAID2002 authors of "Abstract Execution Payload-based Detection". The point of interest is that the plugin was tested with Honeynet data. Results of this work will be available at the ISLAB-HP site.
4. Participated in the annual Honeynet team meeting.
5. Two full reports have been written (in Greek), awaiting translation into English, about the captured hacks (W2K, Linux) reported in 2003Q2.
6. Alpha version of the "Honey Stats" package, based on the NetGeo package from CAIDA; almost ready for release to the Alliance.
Plans for the Next Quarter
1. Presentations: "Hackmath with Honeynet", Yannis Corovesis, at the 1st Hellenic Conference on Cyber Crime, Athens War Museum, 24-27 November 2003
2. Complete the ISLab project "SNORT plugin for detecting buffer overflows"
3. Release the "Honey Stats" package to the Alliance
4. Continue involvement with the Honeynet book
5. Investigate virtual Honeynets