Honey Inspector Mike Clark Honeynet Project. Honeynet Inspector  Background.

Slides:



Advertisements
Similar presentations
© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Installation & management of SUSE.
Advertisements

Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
The Most Analytical and Comprehensive Defense Network in a Box.
Axxon Intellect Lite Product Overview.
MONITORING TOOLS Open Source Security Tools to monitor your network.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Monitoring a Large-Scale Network: Selecting the Right Tool Sayadur Rahman United International University & Network Manager, Financial Service.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Analysis Console for Intrusion Databases Roy. Description ACID.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004
Information Networking Security and Assurance Lab National Chung Cheng University Analysis Console for Intrusion Databases.
Govt. Engineering College Bikaner A PROJECT Presentation ON STUDY AND IMPLEMENTATION OF ADVANCE IDS SECURITY.
Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
Bandwidth, System, and Network Monitoring Tools at OEA.
Lecture 11 Intrusion Detection (cont)
INTRUSION DETECTION SYSTEM
Your Network Security Babelfish a.k.a. Security Event Actionable Log Parser Mike Halsall & Graeme Connell ©, Michael T. Halsall, 2006.
AxxonSoft Company Profile Products overview References.
Appliance Firewalls A Technology Review By: Brent Huston T h e B l a c k H a t B r i e f i n g s July 7-8, 1999 Las Vegas.
USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.
Network Security Monitoring By Bea Wilds CS Dec 06.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Simulation of IDS by using Activeworx Security Center (ASC) and Snort, MySQL, CommView Presented by Shamsul Wazed & Quazi Rahman School of Computer Science.
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.
By: Paul Albert.  Project Description  Design Protocols  User Profiles  Deliverables  Timeline  Budget  Demonstration  Conclusion.
Penetration Testing Security Analysis and Advanced Tools: Snort.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
IDS – Intrusion Detection Systems. Overview  Concept  Concept : “An Intrusion Detection System is required to detect all types of malicious network.
Kirby Kuehl Honeynet Project Member 05/08/2002 Intrusion Deception.
The Most Analytical and Comprehensive Defense Network in a Box.
What is FORENSICS? Why do we need Network Forensics?
Passive Visual Fingerprinting of Network Attack Tools Gregory Conti Kulsoom Abdullah College of Computing Georgia Institute of Technology Passive.
HoneyD (Part 2) Small Business NIDS This presentation demonstrates the ability for Small Businesses to emulate virtual operating systems and conduct.
Cyberoam - Unified Threat Management Unified Threat Management Cyberoam Copyright 2010 Elitecore Technologies Ltd. All rights reserved.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
What is a “Network Intrusion Detection System (NIDS)"?
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
Increased Lower Cost. IT Services Customized Programming Data Processing Reports Mechanized Data Entry Server Support / PC Support Systems.
ABC Manufacturing Demonstration of Attendance Enterprise.
How to create DNS rule that allow internal network clients DNS access Right click on Firewall Policy ->New- >Access Rule Right click on Firewall.
Software Research, Inc. Setting the Standard for Software Testing Windows Solution.
A Networked Machine Management System 16, 1999.
1 Quick Overview Overview Network –IPTables –Snort Intrusion Detection –Tripwire –AIDE –Samhain Monitoring & Configuration –Beltaine –Lemon –Prelude Conclusions.
SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.
Network Management Protocols and Applications Cliff Leach Mike Looney Danny Mar Monty Maughon.
The Real Deal With SIM/SEM The Promise of Security Information / Event Management Scott Sidel Sr. Security Manager Computer Sciences Corp.
Alert Logic Provides a Fully Managed Security and Compliance Solution Based in the Cloud, Powered by the Robust Microsoft Azure Platform MICROSOFT AZURE.
Investigation and Evaluation of Systems for Generating Automatic Alerts Using Honeynet Data Master’s Thesis Seminar Presentation Esko Harjama.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
Intrusion Intrusion Detection Systems with Snort Hailun Yan 564-project.
1 HoneyNets, Intrusion Detection Systems, and Network Forensics.
Department of Computer Science and Engineering Applied Research Laboratory Architecture for a Hardware Based, TCP/IP Content Scanning System David V. Schuehler.
Snort - Lightweight Intrusion Detection for Networks YOUNG Wo Sang Program Committee, PISA
Network Security Major Problems Network Security Major Problems Why Firewall? Why Firewall? Problems with Firewalls Problems with Firewalls What is.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Network Forensics - III November 3, 2008.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Intrusion Detection and Incidence Response Course Name – IT Intrusion Detection and Incidence.
Network Security Terms. Perimeter is the fortified boundary of the network that might include the following aspects: 1.Border routers 2.Firewalls 3.IDSs.
Logging Methods ✦ Argus – QoSient, LLC – Carter Bullard ✧ ✧ OpenSource effort and proprietary version ✧ Same flow model, performance and scaling ✧ Origin/History:
SNORT! Among other things. Description Open source ids/ips Real-time analysis: alerting, blocking, logging Real-time response: alerting, session sniping,
Ethan Galstad What Is Nagios? What Nagios Is IT Infrastructure Monitoring.
Snort – IDS / IPS.
SNORT.
Logsign All-In-One Security Information and Event Management (SIEM) Solution Built on Azure Improves Security & Business Continuity MICROSOFT AZURE APP.
COSadmin COSC513 Ping Lu.
Presentation transcript:

Honey Inspector Mike Clark Honeynet Project

Honeynet Inspector  Background

What is it?  Set of Perl CGI Scripts  Firewall/IDS Logs  MySQL IDS

How it Works  Fisq script imports firewall logs  IDS(Snort) logs to the DB  IDS(Snort) also records traffic in pcap format  Inspector drills down using all of these

Inspector High Level  Shows connections and drill down options  4 methods of alerting  Packet Count  Connection size (byte)  IDS(Snort) alerts  Inbound/Outbound

Drilling Down  Connection View  Arin/whois/dig lookup  Snort alerts  p0f  Plugins

Plugins  Honey Extractor  IRC View

Advantages  Quick  Easily extendable  High chance of detecting activity  Web based

Disadvantages  Not scalable  Not very nice looking

Future  Perl module  Nicer interface  Graphing  Customizable Report Engine

Questions?

Enterprise Security Console Jeff Dell Activeworx, Inc.

Speaker  Jeff Dell, Florida Honeynet Project  Florida Honeynet: Responsible Network Forensics  Honeynet Alliance: Central Database

Problem  How do we look at different datasets from different data sources and correlate the information?

1 st Problem The Data

FW Logs

Snort Logs

TCPDump

2 nd Problem Data Sources

Different Data Sources DMZ TCPDump DMZ Firewalls Internal IDS DMZ Syslog Internal Syslog External IDS

Solution  Centralizing Honeynet Data  Enterprise Security Console to view data

Data Centralization Centralized Database IDS Logs Firewall Logs System Logs TCPDump Logs

What Next?

Enterprise Security Console  Advantages  Easy to View Data  Very flexible and powerful GUI  Strong Data Correlation Capabilities  Built with Honeynets in mind  Disadvantages  Windows 2000/XP Only

Enterprise Security Console  Console to view Databases  Fully Database Driven  Supports multiple ESC Databases  Supports multiple Data Databases

Types of Data  Firewall Logs  Snort IDS Logs  TCPDump Logs  Syslog  Prelude (Hybrid IDS)  Others…

Easy to View Data

Data Search Correlation  Correlate between any the following data types:

Data Correlation (Cont)  View Firewall Logs  Advantages  Easy  Fast  Have some interesting information  Disadvantages  Limited information

Data Correlation (Cont)  View IDS Logs  Advantages  More interesting events  Alert on attacks  Disadvantages  Does not pick up all attacks  Only see a single packet

Data Correlation (Cont)  TCPDump Logs  Advantages  All packets  Disadvantages  Lots of data

Data Decode  Full Packet Decode

IRC Decode  Full IRC PrivMsg Decode

Packet Analysis

Flexible/Powerful GUI  Actions speak louder then words:

Future  Increase functionality  Reporting  Passive Application Fingerprinting  Increase Search Capabilities  Extend Data Correlation Capabilities

Summary  Enterprise Security Console open up Security Analysis and makes our jobs easier  Uses existing databases

Questions?

More information:  Web: 

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.