The Greek Honeynet Project
Apr.-Sep. 2004 HRA REPORT

1.0 DEPLOYMENTS
=================
1.1 Current technologies deployed:

The ISLAB Honeynet deployment is described in the recent KYE book, chapter 5, pages 133-181.

The section "Types of Honeynets" on our site www.honeynet.org.gr also shows diagrams
and other details.

We have moved to the third wave of our honeynet deployment.

Honeywall: one manually developed and one based on the CDROM 0.68 rc7.

We have changed the address space over which our honeynet operates three times.
We have an agreement with an ISP for tunneling, but implementation has been delayed.

Honeypots:

RH 7.3 default, DNS server, mySQL, Apache

Win2000 Prof, IIS server, MSSQL

RH 7.3 default, syslog server

RH 9.0 custom-full, http, https (apache), smtp (sendmail), ftp (vsftpd), cups,
portmap, rpc,statd, X11, pop3

WinXP Prof: ICQ, Kazaa Media Desktop 2.6, DameWare Mini Control 4.0, remote admin 2.1,
Windows services

RH 9.0 custom-full, fully patched, syslog, ssh

1.2 Lessons learned from the technology, what you like about it.

We are ready to upload to Kanga. We expect this feature will
make a substantial difference to how we operate now.

1.3 Lessons learned from the technology, what is lacking, what you
would like to see improved:

Sebek produces much useless data in full mode (e.g. X11 events).
In keystroke-only mode, we miss things like scp transfers.
A mode that captures only keystrokes and scp transfers would be a useful feature.

2.0 FINDINGS
=============
2.1 Number and type of systems compromised during six month period:

Honeypot RH9: via brute-force password guessing on SSH
Honeypot WinXP: by W32.Korgo.Virus
Honeypot WinXP: by W32.Spybot.Worm
Honeypot WinXP: by RADMIN
Linux compromise by Italians, but due to problems we missed the case (see Lessons Learned)

Various scans on ports: 25, 57, 80, 111 (sunrpc), 135/TCP, 137, 515 (printer), 554 (rtsp), 1023, 1080, 2000, 3127, 3128, 3306 (mysql), 3389 (MS Terminal Services), 4444, 5554, 6129, 8000, 9898, 10080, 17300, 41073, 44334, and the services ms-sql-s, auth, smtp, ftp, pop3, imap, ldap and https.

2.2 Highlight any unique findings, attacks, tools, or methods:

Traffic decoded as GPRS tunneling after a DCOM/RPC buffer overflow attempt (unconfirmed).

Date: 14/07/2004
Honeypot: Hpot2-Honey-2-D3
Type of attack: Buffer overflow
Port: 135/TCP, decoded as GPRS Tunneling Protocol, looks like DCOM/RPC
Result: failed attack
Vulnerability: resembles "Network Detect: Microsoft DCOM/RPC Buffer Overflow" - Microsoft alert MS03-026 - bugtraqID 8205
Method of attack: Remote Buffer Overflow
From a tcpdump packet it seems to try to access the share path C$\123456111111111111111.DOC
Perhaps a bad packet, but there are more packets that Ethereal decodes as GPRS.

Found packets with a multicast destination IP address leaving a compromised honeypot; this was
due to an error in the loop count of a script!

2.3 Any trends seen in the past six months;

There are periods where the honeypots are relatively quiet, and the number of probes is increasing.
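The port tally in 2.1, the outbound multicast finding in 2.2 and the probe trend in 2.3 can all be checked with one small script over capture summaries. The following Python is an added example, not the project's code: it runs over a constructed tcpdump-style sample and assumes the honeynet occupies 192.0.2.0/24 (a documentation range, not the project's real address space). It counts inbound probes per destination port and per day, flags days where probes at least double against the previous day, and reports any packet that leaves a honeypot for a multicast group.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the honeynet occupies the documentation range 192.0.2.0/24.
HONEYNET = ip_network("192.0.2.0/24")
MULTICAST = ip_network("224.0.0.0/4")

# Constructed sample in tcpdump's one-line style; not data from the honeynet.
SAMPLE_LOG = """\
2004-07-13 02:10:11 IP 198.51.100.7.3321 > 192.0.2.10.135: S
2004-07-13 09:41:02 IP 198.51.100.7.3322 > 192.0.2.10.4444: S
2004-07-14 01:05:40 IP 203.0.113.9.1051 > 192.0.2.11.135: S
2004-07-14 01:05:41 IP 203.0.113.9.1052 > 192.0.2.11.1433: S
2004-07-14 01:05:42 IP 203.0.113.9.1053 > 192.0.2.12.135: S
2004-07-14 01:05:43 IP 203.0.113.9.1054 > 192.0.2.12.5554: S
2004-07-14 01:05:44 IP 203.0.113.9.1055 > 192.0.2.10.135: S
2004-07-14 01:05:45 IP 203.0.113.9.1056 > 192.0.2.10.9898: S
2004-07-14 02:30:00 IP 192.0.2.12.32771 > 224.0.0.251.5353: UDP
2004-07-14 02:30:00 IP 192.0.2.12.32772 > 239.255.255.250.1900: UDP
2004-07-14 02:31:00 IP 192.0.2.12.1025 > 198.51.100.7.80: S
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Turn one summary line into a record, or None if it is not an IPv4 packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "date": m["date"],
        "src": ip_address(m["src"]), "sport": int(m["sport"]),
        "dst": ip_address(m["dst"]), "dport": int(m["dport"]),
    }


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def is_inbound(r):
    return r["dst"] in HONEYNET and r["src"] not in HONEYNET


def inbound_probes_by_port(records):
    """Per-destination-port count of probes from outside, the section 2.1 tally."""
    return Counter(r["dport"] for r in records if is_inbound(r))


def outbound_multicast(records):
    """Packets that leave a honeypot for a multicast group (the section 2.2 finding)."""
    return [(str(r["src"]), str(r["dst"]), r["dport"])
            for r in records if r["src"] in HONEYNET and r["dst"] in MULTICAST]


def probes_per_day(records):
    """Inbound probe count per calendar day, oldest first."""
    return dict(sorted(Counter(r["date"] for r in records if is_inbound(r)).items()))


def surge_days(per_day, factor=2.0):
    """Days whose count is at least `factor` times the previous day's (the 2.3 pattern)."""
    days = list(per_day.items())
    return [day for (_, prev), (day, n) in zip(days, days[1:])
            if prev > 0 and n >= factor * prev]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("probes by port:", inbound_probes_by_port(recs).most_common())
    print("probes per day:", probes_per_day(recs))
    print("surge days:", surge_days(probes_per_day(recs)))
    for src, dst, port in outbound_multicast(recs):
        print(f"outbound multicast from honeypot {src} to {dst}:{port}")
```

Fed real `tcpdump -n -tttt` output instead of the sample, the same functions give the per-port list for the next report and an early warning on the multicast egress case; a honeypot has no legitimate reason to join a multicast group, so any hit from `outbound_multicast` deserves a look at the script that produced it.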

2.4 Document data analysis tools and methods being used:

We have completed a 100-page document, describing the training experience
over 6 months of a student learning to operate our honeynet.
This will serve as an introductory course for the next cycle of University students in the Lab.

2.5 For data analysis what tools work well, and what still needs to be
developed.

ACID, DEMARC, ETHEREAL, TCPDUMP, TCPSLICE, NGREP, EDITCAP, SYSPREP
These need to work with HSC and/or the new facilities being developed by the Honeynet Project.

Sebek presents some problems with useless data.

3.0 MISC ACTIVITIES
====================
3.1 Presenting at conferences:

NETTIES 2004, Hungary:
Jointly proposed a paper with the Technical Institute of Athens about a project
we do together, 'Detecting BoF using Abstract Execution Payload', tested
with honeynet data to help tune the algorithm.

We presented the basic concepts, tools and methods of honeynet technology
in a workshop at the Technical Institute in Athens.

This month we present at a big conference (COMDEX) about open source and learning;
the Honeynet Project's approach to security learning will be used as an example.

3.2 Developing, testing or releasing code

Developed our Data Management System: centralised data pulled from the Honeywall and EEYORE,
software RAID, mySQL, a tree file structure, wiki tracking of deployment changes, and
a wiki storage format for analysis reports that allows cross-referencing and collaboration
(see the "types of honeynets" section of our project's server).

Tested the Sebek Linux client.

Released code (a Snort plugin for ICMP-spoof detection and
a Snort plugin for buffer-overflow-with-sled exploit detection).
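The buffer-overflow-with-sled detection mentioned above rests on one observation: exploit payloads often carry a long run of a single filler byte (0x90, the x86 NOP) ahead of the code they deliver, because the attacker does not know the exact return address. The Python below is an added illustration of that detection logic, not the released Snort plugin; the constructed payloads, the 64-byte threshold and the default sled byte 0x90 are all assumptions. It reports the offset and length of the longest run the way an alert would, so an analyst can check the hit against the packet.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

X86_NOP = 0x90  # assumed default sled byte; pass another set for other fillers


@dataclass
class SledHit:
    offset: int   # where the run starts in the payload
    length: int   # how many consecutive sled bytes
    byte: int     # which byte value formed the run


def longest_sled_run(payload: bytes,
                     sled_bytes: FrozenSet[int] = frozenset({X86_NOP})) -> Optional[SledHit]:
    """Return the longest run of one sled byte in the payload, or None if none occurs."""
    best = None
    i, n = 0, len(payload)
    while i < n:
        b = payload[i]
        if b not in sled_bytes:
            i += 1
            continue
        j = i
        while j < n and payload[j] == b:
            j += 1
        if best is None or j - i > best.length:
            best = SledHit(i, j - i, b)
        i = j
    return best


def detect_sled(payload: bytes, min_len: int = 64,
                sled_bytes: FrozenSet[int] = frozenset({X86_NOP})) -> Optional[SledHit]:
    """Alert only when the longest run reaches the threshold (assumed: 64 bytes)."""
    hit = longest_sled_run(payload, sled_bytes)
    return hit if hit is not None and hit.length >= min_len else None


def scan_packets(packets: List[Tuple[int, bytes]], min_len: int = 64) -> List[str]:
    """Snort-style alert lines for a list of (destination port, payload) pairs."""
    alerts = []
    for dport, payload in packets:
        hit = detect_sled(payload, min_len)
        if hit:
            alerts.append(f"SLED dport={dport} offset={hit.offset} "
                          f"len={hit.length} byte=0x{hit.byte:02x}")
    return alerts


# Constructed samples: an ordinary HTTP request with a short incidental 0x90 run,
# and a filler-plus-sled payload (no shellcode; the 'B's stand in for what follows).
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: honeypot\r\n\r\n" + bytes([X86_NOP]) * 3
SUSPICIOUS = b"A" * 40 + bytes([X86_NOP]) * 200 + b"B" * 20

if __name__ == "__main__":
    for line in scan_packets([(80, BENIGN), (135, SUSPICIOUS)]):
        print(line)
```

The threshold is the tuning knob: binary transfers (file uploads, images) can legitimately contain long runs of one byte, so a plugin of this kind is normally restricted to ports carrying text protocols or RPC, and the honeynet's own captures are the right place to measure the false-positive rate before a threshold is fixed. A single-byte run also misses sleds built from varied one-byte instructions, which is why the abstract-execution work mentioned in 3.1 goes further than this check.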

3.3 Publication of papers
3.4 Involvement in SotM challenges
3.5 Other:

4.0 ORGANIZATIONAL
==================
4.1 Changes in the structure of your organization:

We have started talks with one key organisation to scale the Greek Honeynet Project
(the book is helping our effort a lot).

We are focusing on introducing Honeynet Technology to Universities.

We have started collaboration with a Technical Institute in Athens.

5.0 LESSONS LEARNED
===================
5.1 What positive things can you share with the community, so they can
replicate your success:

The PostNuke/wiki knowledge-sharing environment has helped us a lot in our effort
to establish procedures for analysing the collected data and sharing the related knowledge. The same problems and issues occur over and over, so a way to store key information digitally is important.
We also deploy a recording machine at our technical meetings. We thus create a pool of "trucks of knowledge"
in digital format that can be passed on to newcomers.
This is necessary in environments like ours, where manpower comes from universities and the turnover of membership is high.


5.2 What mistakes can you share with the community, so they don't make
the same mistakes:

Sebek does not restart after a reboot; we lost valuable information on a hack case on a Linux honeypot
that did not reboot well. Snort also malfunctioned, so we lost information on the blackhat's tools.

We missed running a third Snort process on the bridge and so had missing packets. Using the CDROM will prevent some of the problems of the manually developed Honeywall (bridge).
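Both mistakes share a root cause: after a reboot nobody confirmed that the sensors had come back. A health check of the kind below, run at boot and from cron, would have caught both. It is an added example in Python, not part of the project's tooling; it parses constructed `ps ax` and `lsmod` output and assumes that the Sebek client appears as a kernel module named "sebek" and that three snort processes are expected on the bridge (the number named above).

```python
import os
from typing import List

# Assumptions: the Sebek Linux client shows up in lsmod as a module named
# "sebek", and the bridge should run three snort processes (as section 5.2 says).
SEBEK_MODULE = "sebek"
EXPECTED_SNORT = 3

# Constructed `ps ax` output: only two snort processes came back after the reboot.
SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [3]
  812 ?        S      0:00 /usr/sbin/sshd
  901 ?        S      1:12 /usr/sbin/snort -D -c /etc/snort/snort.conf -i eth0
  902 ?        S      1:10 /usr/sbin/snort -D -c /etc/snort/snort.conf -i eth1
  950 ?        S      0:00 /usr/sbin/syslogd
 1203 pts/0    S      0:00 grep snort
"""

# Constructed `lsmod` output: the Sebek module did not reload.
SAMPLE_LSMOD = """\
Module                  Size  Used by
e100                   60000  0
bridge                 40000  0
"""


def running_snort_count(ps_text: str) -> int:
    """Count processes whose command basename is snort; a 'grep snort' line does not count."""
    count = 0
    for line in ps_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 5 and os.path.basename(fields[4]) == "snort":
            count += 1
    return count


def loaded_modules(lsmod_text: str) -> set:
    """Module names from the first column of lsmod output."""
    return {line.split()[0] for line in lsmod_text.splitlines()[1:] if line.strip()}


def sebek_loaded(lsmod_text: str) -> bool:
    return SEBEK_MODULE in loaded_modules(lsmod_text)


def check_sensors(ps_text: str, lsmod_text: str,
                  expected_snort: int = EXPECTED_SNORT) -> List[str]:
    """Return one problem string per missing sensor; an empty list means all is well."""
    problems = []
    n = running_snort_count(ps_text)
    if n < expected_snort:
        problems.append(f"only {n} of {expected_snort} snort processes running")
    if not sebek_loaded(lsmod_text):
        problems.append(f"kernel module {SEBEK_MODULE} not loaded")
    return problems


if __name__ == "__main__":
    for problem in check_sensors(SAMPLE_PS, SAMPLE_LSMOD):
        print("SENSOR PROBLEM:", problem)
```

In practice the snort check runs on the bridge and the Sebek check on each Linux honeypot, each fed the live output of `ps ax` and `lsmod`; a non-empty result should page someone, because every hour a sensor stays down after a reboot is an hour of a possible intrusion that will never be reconstructed.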


6.0 FUTURE GOALS
================
6.1 Plans/Goals for next six months

- Get experience with uploading and accessing data on Kanga and using EEYORE

- Establish the content of the KYE book 2004 as the material that university labs can explore
through student projects of practical orientation

- Increase the knowledge content of PostNuke (currently standing at 300 news items, and 5 personal sites, 100 wiki analysis reports), continue live test with new students.

- Test the distributed honeynet case