1 / 27

Honeynet/Honeypot Project

Honeynet/Honeypot Project. Leslie Cherian Todd Deshane Patty Jablonski Creighton Long. May 2, 2006. Overview. Honeynet/Honeypot Background Setting Up Our Own Honeypot VM VMware Snort Tripwire Filemon, Regmon Ethereal Demo – Port Scan, Install Spyware. Honeypots.

Télécharger la présentation

Honeynet/Honeypot Project

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Honeynet/Honeypot Project Leslie Cherian Todd Deshane Patty Jablonski Creighton Long May 2, 2006

  2. Overview • Honeynet/Honeypot Background • Setting Up Our Own Honeypot VM • VMware • Snort • Tripwire • Filemon, Regmon • Ethereal • Demo – Port Scan, Install Spyware

  3. Honeypots • From the Honeynet Project: • “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource • Has no production value, anything going to or from a honeypot is likely a probe, attack or compromise • Primary value to most organizations is information”

  4. Honeynets • From the Honeynet Project: • “High-interaction honeypot designed to capture in-depth information • Information has different value to different organizations • It’s an architecture you populate with live systems, not a product or software • Any traffic entering or leaving is suspect”

  5. The Honeynet Project http://www.honeynet.org/ • Non-profit volunteer research organization dedicated to improving the security of the Internet at no cost to the public • Its mission is to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned

  6. The Honeynet Project • Organizations that are actively involved in honeypot research can join The Honeynet Project’s Research Alliance • Members of The Honeynet Project and the Research Alliance provide open source honeypot-related tools for download • Honeywall CD • Consider joining The Honeynet Project

  7. Honeynet Project Architecture

  8. Honeynet/Honeypot Project http://www.clarkson.edu/projects/itl/projects/honey/ • The goal for this project is to set up a honeypot virtual machine to research and analyze various attacks • We hope to have a well-documented and easy-to-use "malware analyzer" that reports on the degree of malicious intent of a given piece of software

  9. Honeynet/Honeypot Project • This project was done in association with the Clarkson Internet Teaching Laboratory and as part of the Network Security class • Setting Up Our Own Honeypot VM • VMware • Snort • Tripwire • Filemon, Regmon • Ethereal

  10. Our Honeypot VM Architecture

  11. VMware • Virtual machine monitor (VMM) • Full virtualization • Unmodified base operating system • Allows for Windows guest • Supports virtual networks • Bridged network • NAT (routed) network • Private network: host only, virtually switched

  12. Snort • Network Intrusion Detection System (NIDS) • Allows for monitoring of: • Local machine • Machines on your local network • Basic usage • snort -i <interface> -c <config file> • Log file • /var/log/snort/alert

  13. Snort Rules • Official Snort Rules • Bleeding-Edge Snort Rules • Write Your Own Rules • Rules Management

  14. Official Snort Rules • Subscription-based • Current rules, highest quality: too expensive • Registration-based • 5-day-old subscription ruleset: recommended • Unregistered • Only updated with each major release of Snort: stale • Community • Submitted by members of the community and minimally tested

  15. Bleeding-Edge Snort Rules • Volunteer run • Free Snort signature development • Released quickly • Organized into rulesets • Bleeding Snort Ruleset Manager • Works with Oinkmaster

  16. Write Your Own Snort Rules • Rule Header • Contains the action to perform, the protocol that the rule applies to, and the source and destination addresses and ports • Options • Descriptive message, check other packet attributes using Snort's plug-ins, etc • General Form • action proto src_ip src_port direction dst_ip dst_port (options) • Example • alert tcp 192.168.1.2 any -> any any (msg:"Outbound traffic from 192.168.1.2";) • Alerts on any traffic coming from 192.168.1.2

  17. Snort Rules Management • Many available for Windows and Linux • Oinkmaster • Keeps snort rules current • Perl script, cron job to update your rulesets whenever your ruleset repository (official, bleeding, etc) is updated • Update current ruleset with your modifications from previous rulesets • Bleeding Snort Ruleset Manager • Snort Policy Manager

  18. Tripwire • Monitors critical system files actively • Provides immediate notification of changes that occur passively • Allows for event log correlation • Flexible policy file language • Integrate with third party EMS systems like Remedy AR system, IBM Tivoli, etc

  19. Tripwire

  20. Tripwire Commands • Create a new policy file • twadmin --create-polfile <policyfile.txt> • Initialize the database file • tripwire --init • Run an integrity check of the system • tripwire --check --report-file <reportfile.twr> • Print the report file to a readable format • twprint --print-report --report-file <reportfile.twr> -F <format> -o <reportfile.<format>>

  21. Filemon • Monitors real time access to file on a Windows computer • Commercial version also available from sysinternals • Weaknesses • Requires user interaction

  22. Regmon • Monitors real time access to the Windows registry • Free version doesn’t allow: • Capturing log file in real time • Monitoring of remote computers • Commercial version available from sysinternals

  23. Regmon • Weaknesses • Requires user interaction and knowledge to be useful • Output is noisy and confusing • Not a good way to log changes • Checkpointing registry is not available

  24. Ethereal • Network Protocol Analyzer • Why we used it • Passively monitors network traffic • How we used it • On the base to monitor all traffic • Tethereal • Command line version of Ethereal

  25. Future Work • Try alternative architectures • Try other IDSes and tools • More attacks/malware for testing • Integrated GUI • User-level documentation • Break into two software packages • Honeypot and malware analyzer

  26. Demo

  27. Questions/Comments

More Related