Internet Systematics Lab Honeynet Project Quarterly Report Q3/2003.
===================================================================

Current Setup

no changes from 2003Q2

Honeypots

1) Linux Red Hat 7.3 - syslog server - using an ipchains firewall

2) Linux Red Hat 7.3 default installation

3) Windows 2000 with SP2 applied

Honeypot Services
-----------------------
1.windows networking
2.apache
3.wu-ftpd
4.mysqld
5.sendmail
6.syslogd
7.bind
8.ms-sql
9.Microsoft IIS


Data Capture Methods

1)Snort-2.0 Binary Capture
2)Snort-2.0 Alerts
3)Snort-2.0 ASCII SESSIONS
4)FW logs
5)Sebek2 - (Linux 2.01)
6)Remote Syslog Data

Data Control Methods
1)Connection Rate Limiting - IPTables (rc.firewall 0.7.2)
2)Snort-inline 2.0 - DROP mode


Management

1)Honeywall :
1. ssh access
2. Data Management - Custom scripts

2)Honeypots: Local console


Tools Used

In daily analysis we utilise the following tools.

1) ACID: alert analysis console (Analysis Console for Intrusion Databases)
2) DEMARC: network security monitor
3) ETHEREAL: free network protocol analyser
4) TCPSLICE: extracting part of the traffic from large binary logs based on
timestamp
5) NGREP: searching for tags inside packet payloads
6) EDITCAP: splitting large binary traffic files into smaller, manageable sets
7) Custom scripts (batch-analysis scripts): batch DNS, WHOIS and alert
summarisation
8) sysprep: lets a single Win2k honeypot image be deployed on diverse
hardware (very useful for forensics on a live Windows system)
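The alert-summarisation part of the batch-analysis scripts, as an added illustration rather than the lab's own code: it reads Snort 2.0 single-line ("-A fast") alerts, skips anything that does not parse, selects a time window the same way tcpslice selects packets by timestamp, and rolls the alerts up by signature, source and targeted service, producing the list of unique sources that the batch WHOIS/DNS step would then look up. The alert lines below are constructed for the example and are not captured honeynet data.

```python
"""Batch summarisation of Snort 2.0 'fast' alert lines.

Added example, not the lab's own batch-analysis script. It assumes the
alerts were written in Snort's single-line fast format (snort -A fast).
"""
import re
from collections import Counter

# Constructed sample alerts (not real honeynet data) in Snort fast format.
SAMPLE_ALERTS = """\
09/14-03:22:11.123456  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:3211 -> 192.0.2.10:80
09/14-03:22:12.223456  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:3212 -> 192.0.2.10:80
09/14-04:01:50.000001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.77:1434 -> 192.0.2.12:1434
09/14-04:15:09.554433  [**] [1:1377:9] FTP wu-ftp bad file completion attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.5:1045 -> 192.0.2.11:21
09/14-04:40:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.77 -> 192.0.2.10
this line is not an alert and must be skipped
"""

# One regex for the whole fast-format line; ports are optional (ICMP has none).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def alerts_between(alerts, start, end):
    """Select alerts with start <= ts < end.

    Timestamps are fixed-width, zero-padded MM/DD-HH:MM:SS.usec, so plain
    string comparison orders them correctly within one year. This is the
    same cut-by-timestamp idea tcpslice applies to binary pcap logs."""
    return [a for a in alerts if start <= a["ts"] < end]


def summarise(alerts):
    """Roll the alerts up the way a daily batch report needs them."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    by_service = Counter(f'{a["proto"]}/{a["dport"] or "-"}' for a in alerts)
    return {
        "total": len(alerts),
        "by_sig": by_sig,
        "by_src": by_src,
        "by_service": by_service,
        # Unique attacker addresses, ready to feed the batch whois/DNS loop.
        "sources_for_whois": sorted(by_src),
    }


def format_report(summary, top=5):
    """Render the summary as the plain-text block the daily report pastes in."""
    lines = [f"alerts: {summary['total']}", "top signatures:"]
    for (sid, msg), n in summary["by_sig"].most_common(top):
        lines.append(f"  {n:5d}  sid {sid}  {msg}")
    lines.append("top sources:")
    for src, n in summary["by_src"].most_common(top):
        lines.append(f"  {n:5d}  {src}")
    lines.append("targeted services:")
    for svc, n in summary["by_service"].most_common(top):
        lines.append(f"  {n:5d}  {svc}")
    lines.append("whois lookups needed for: " + ", ".join(summary["sources_for_whois"]))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python alert_summary.py /var/log/snort/alert  (no argument: sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    print(format_report(summarise(parse_alerts(text))))
```

The parser deliberately drops lines that do not match the full format rather than guessing at partial fields, so a truncated line at the end of a rotated log cannot skew the counts; the WHOIS list is emitted once per unique source so the batch lookup step does not hammer the registries with one query per alert.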


Findings


We are monitoring two different blackhat groups: one appears to be Romanian
(judging from their IRC chats) and the other German (warez); they leave the
honeypots and come back after a period.


Developments

1. Updated the second draft of Chapter 5 of the upcoming KYE-II book with
new Sebek material from E. Balas.
2. Contributed to the debugging of Sebek.
3. Advanced the graduate thesis of a lab member, "Buffer overflow Snort
preprocessor", and communicated it to the RAID 2002 authors of the
"Abstract Execution" payload-based detection paper. The point of interest
is that the plugin was tested with Honeynet data. Results of this work will
be available on the ISLAB-HP site.
4. Participated in the annual Honeynet Team meeting.
5. Two full reports on the captured hacks (W2K, Linux) reported in 2003Q2
have been written in Greek and are awaiting translation into English.
6. Alpha version of the "Honey Stats" package, based on the NetGeo package
from CAIDA; almost ready to release to the Alliance.


Plans for the Next Quarter


1. Presentations:
   "Hackmath with Honeynet", Yannis Corovesis,
   at the 1st Hellenic Conference on Cyber Crime,
   Athens War Museum, 24-27 November 2003

2. Complete the ISLab project "SNORT plugin for detecting buffer overflows"

3. Release the "Honey Stats" package to the Alliance

4. Continue involvement with the Honeynet book

5. Investigate virtual Honeynets