Honeycomb and the current state of Honeypot Technology Christian Kreibich.

Coming up...  Introduction to Honeypots  Current state of the art: Honeynets  Honeycomb - automated NIDS signature creation  Three days in the life of an unprotected cable modem connection

So what’s a Honeypot?  “A Honeypot is a computer resource set up for the purpose of monitoring and logging the activities of entities that probe, attack or compromise it.” (My attempt on )  No production value, so it should see no traffic.  Any interaction with such a system is therefore likely malicious.  Flexible concept, not a fixed tool.  Not new: The Cuckoo’s Egg, An Evening with Berferd

Types of Honeypots  Low interaction:  Trap files, database entries etc (“Honeytokens”)  Emulated services and operating systems  Easier to deploy, limited capabilities.  High interaction:  Runs real systems  Need to limit harm that can be done  More to learn, more complexity, more risk!

Low interaction: fake services  From a fake FTP server shell script (honeyd hands the connection to the script on stdin/stdout; the read loop around the slide's case fragment is added here so it runs as-is):

```bash
#!/bin/bash
# One client command per line on stdin, one wu-ftpd-style reply per echo.
while read -r command; do
  case $command in
    QUIT* )
      echo -e "221 Goodbye.\r"
      exit 0;;
    SYST* )
      echo -e "215 UNIX Type: L8\r" ;;
    HELP* )
      echo -e "214-The following commands are recognized (* =>'s unimplemented).\r"
      echo -e " USER PORT STOR MSAM* RNTO NLST MKD CDUP\r"
      echo -e " PASS PASV APPE MRSQ* ABOR SITE XMKD XCUP\r"
      echo -e " ACCT* TYPE MLFL* MRCP* DELE SYST RMD STOU\r"
      echo -e " SMNT* STRU MAIL* ALLO CWD STAT XRMD SIZE\r"
      echo -e " REIN* MODE MSND* REST XCWD HELP PWD MDTM\r"
      echo -e " QUIT RETR MSOM* RNFR LIST NOOP XPWD\r"
      echo -e "214 Direct comments to \r" ;;
  esac
done
```

High interaction: Honeynets Production Network Honeypots Internet  Gen II Honeynet

High interaction: Honeynets Production Network Honeypots Internet  Gen II Honeynet  Honeywall  Layer 2 bridge  IDS Gateway  iptables  snort_inline  Control & Report interface

snort_inline
 drop tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
 drop discards the matching packet; replace rewrites the matched bytes in place with a string of the same length, so the session continues but the shellcode is broken (int 0x80 becomes 0000, /bin/sh becomes /ben/sh) and the attacker sees a failed exploit rather than a dropped packet

High interaction: Honeynets  Gen II Honeynet Production Network Honeypots Internet  Sebek2  Surveillance “rootkit”  Kernel module  Captures all activity on pots  Sends details to Honeywall  Prevents sniffing of its traffic  Sebeksniff

Honey Inspector

Honeycomb  Goal: automated generation of NIDS signatures  Name? Nice double meaning...

Honeycomb  Goal: automated generation of NIDS signatures  Name? Nice double meaning...  Combing for patterns in Honeypot traffic

Honeycomb’s Architecture

Honeycomb’s Algorithm

Pattern Detection (I)  Stream reassembly:

Pattern Detection (II)  Longest-common-substring (LCS) on pairs of messages: fetaramasalatapatata insalataramoussaka (LCS: salata)  Can be done in O(|m1| + |m2|) using suffix trees  Implemented libstree, a generic suffix tree library  No hardcoding of protocol-specific knowledge

Pattern Detection (III)  Horizontal detection:  LCS on pairs of messages  each message independent  e.g. (persistent) HTTP

Pattern Detection (IV)  Vertical detection:  concatenates incoming messages  LCS on pairs of strings  for interactive flows and to mask TCP dynamics  e.g. FTP, Telnet,...

Signature Pool  Limited-size queue of current signatures  Relational operators on signatures:  sig1 = sig2: all elements equal  sig1 ⊂ sig2: sig1 contains a subset of sig2’s facts  sig_new = sig_pool: sig_new ignored  sig_new ⊂ sig_pool: sig_new added  sig_pool ⊂ sig_new: sig_new augments sig_pool  Signature correlation on destination ports  Avoids duplicates for trivial flows (portscan!)
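The following is an added example, not Honeycomb's or libstree's code: it re-implements, in Python, the steps the Pattern Detection (II-IV) and Signature Pool slides describe, so the horizontal/vertical distinction and the pool's equal/subset/superset rules can be run on small constructed flows. The LCS is an O(|m1|·|m2|) dynamic-programming stand-in for Honeycomb's suffix-tree algorithm, MIN_LEN is an assumed minimum pattern length (the slides give no value), and the sample FTP flows are constructed, not traffic from the original capture.

```python
"""Added example, not Honeycomb's own code: the slides' pattern detection and
signature pool re-implemented in Python (DP stand-in for the suffix-tree LCS)."""
from dataclasses import dataclass, field

MIN_LEN = 6  # assumed minimum pattern length; the slides give no value


def lcs(m1: bytes, m2: bytes) -> bytes:
    """Longest common substring, O(|m1|*|m2|) dynamic programming."""
    best_len = best_end = 0
    prev = [0] * (len(m2) + 1)
    for i in range(1, len(m1) + 1):
        cur = [0] * (len(m2) + 1)
        for j in range(1, len(m2) + 1):
            if m1[i - 1] == m2[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return m1[best_end - best_len:best_end]


@dataclass
class Flow:
    proto: str       # "tcp" or "udp"
    dst_port: int
    messages: list   # attacker payloads in arrival order, one per segment


def horizontal(f1: Flow, f2: Flow) -> list:
    """n-th message of one flow vs. n-th of the other, each on its own (HTTP)."""
    pats = [lcs(a, b) for a, b in zip(f1.messages, f2.messages)]
    return [p for p in pats if len(p) >= MIN_LEN]


def vertical(f1: Flow, f2: Flow) -> list:
    """Concatenate each flow first, so TCP segmentation and interactive
    exchanges (FTP, Telnet) cannot split a pattern across messages."""
    p = lcs(b"".join(f1.messages), b"".join(f2.messages))
    return [p] if len(p) >= MIN_LEN else []


@dataclass(eq=False)
class Signature:
    proto: str
    dst_port: int
    contents: set = field(default_factory=set)  # the signature's "facts"


class SignaturePool:
    """Limited-size queue: equal -> ignored, new subset of pooled -> added,
    pooled subset of new -> pooled signature augmented with the new facts."""

    def __init__(self, max_size: int = 8):
        self.max_size, self.sigs = max_size, []

    def offer(self, new: Signature) -> str:
        for old in self.sigs:
            if (old.proto, old.dst_port) != (new.proto, new.dst_port):
                continue                        # correlate on destination port
            if old.contents == new.contents:
                return "ignored"
            if old.contents < new.contents:     # new carries extra facts
                old.contents |= new.contents
                return "augmented"
        self.sigs.append(new)
        if len(self.sigs) > self.max_size:
            self.sigs.pop(0)                    # oldest signature falls out
        return "added"


def snort_content(data: bytes) -> str:
    """Slide-style Snort content: printable ASCII literal, other bytes (and
    Snort's reserved | " ; \\) as |hex| runs."""
    out, run = [], []
    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in '|";\\':
            if run:
                out.append("|" + " ".join(run) + "|")
                run = []
            out.append(chr(b))
        else:
            run.append(f"{b:02X}")
    if run:
        out.append("|" + " ".join(run) + "|")
    return "".join(out)


def to_rule(sig: Signature, msg: str = "Honeycomb") -> str:
    """Render a pooled signature as a Snort alert rule."""
    opts = [f'msg:"{msg}"']
    if sig.proto == "tcp":
        opts += ["flags:A+", "flow:established"]
    opts += [f'content:"{snort_content(c)}"' for c in sorted(sig.contents)]
    return f'alert {sig.proto} any any -> $HOME_NET {sig.dst_port} ({"; ".join(opts)};)'


if __name__ == "__main__":
    # Constructed FTP flows: same anonymous login, different TCP segmentation.
    a = Flow("tcp", 21, [b"USER anonymous\r\n", b"PASS guest@\r\n", b"CWD /pub\r\n"])
    b = Flow("tcp", 21, [b"USER anon", b"ymous\r\nPASS guest@\r\nCWD /incoming\r\n"])
    print("horizontal:", horizontal(a, b))
    print("vertical:  ", vertical(a, b))
    pool, (h1, h2) = SignaturePool(), horizontal(a, b)
    for facts in ({h1}, {h1}, {h1, h2}, {h2}):   # added, ignored, augmented, added
        print(pool.offer(Signature("tcp", 21, set(facts))))
    print(to_rule(pool.sigs[0]))
```

Running the file shows horizontal detection returning only per-segment fragments (USER anon, then the PASS line) because the second flow's first segment is cut in the middle of the USER command, while vertical detection returns the whole login sequence up to CWD /; that is the "mask TCP dynamics" point of Pattern Detection (IV). The pool run then exercises the four relations from the Signature Pool slide, and to_rule emits the same literal-plus-|hex| content notation as the Honeycomb signatures on the following slides.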

Results  We ran Honeycomb on an unfiltered cable modem connection  Honeyd setup: fake FTP, Telnet, SMTP and Apache services, all Perl/shell scripts  Three-day period  Some statistics:  649 TCP connections, 123 UDP connections (almost exclusively UDP port 137, NetBIOS)  143 pings  Full traffic volume: ~1MB  No wide-range portscanning

TCP Connections (chart by service): HTTP; Kuang2 Virus/Trojan; NetBIOS - W32/Deluder Worm; NetBIOS - open shares; Microsoft SQL Server

UDP Connections (chart by service): NetBIOS Nameservice; Messenger Service; Slammer

Signatures created: Slammer
 1434/UDP worm, Microsoft SQL Server buffer overflow
 Honeyd log (S = flow start, E = flow end):
:26: udp(17) S :27: udp(17) E : :58: udp(17) S :59: udp(17) E : :15: udp(17) S :16: udp(17) E :
 Signature:
alert udp any any -> / (msg: "Honeycomb Thu May 8 09h58m "; content: "| DC C9 B0|B|EB 0E |p|AE|B|01|p|AE|B| |h|DC C9 B0|B|B |1|C9 B1 18|P|E2 FD|5| |P|89E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2 f|B9|etQhsockf|B9|toQhsend|BE AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE AE|B|8B 1E 8B 03|=U|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F B 81 F |Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF C6 09 DB 81 F3|<a|D9 FF 8B|E|B4 8D C1 E C2 C1 E2 08|)|C2 8D D8 89|E|B4|j|10 8D|E|B0|P1|C9|Qf|81 F1|x|01|Q|8D|E|03|P|8B|E|AC|P|FF D6 EB|"; )
 Full worm detected

Signatures created: CodeRedII  80/TCP worm, Microsoft IIS Buffer Overflow  Hit more than a dozen times  alert tcp /8 any -> /32 80 (msg: "Honeycomb Tue May 6 11h55m "; flags: A; flow: established; content: "GET /default.ida?XXXXXXXXXXXXXXXXXXXXX  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00= a HTTP/1.0|0D 0A|Content-type: text/xml|0A|Content-length: 3379 |0D 0A 0D 0A C8 C |`|E CC EB FE|dg|FF|6|00 00|dg|89|&|00 00 E8 DF |h| D 85|\|FE FF FF|P|FF|U|9C 8D 85|\|FE FF FF|P|FF|U|98 8B D|X|FE FF FF FF|U|E4|=| F 94 C1|=| F 94 C5 0A CD 0F B6 C9 89 8D|T|FE FF FF 8B|u|08 81|~0|9A F 84 C C7|F0|9A E8 0A |CodeRedII|00 8B 1C|$|FF|U|D8|f|0B C0 0F 95 85|8|FE FF FF C7 85|P|FE FF FF |j|00 8D 85|P|FE FF FF|P|8D 85|8|FE FF FF|P|8B|E|08 FF|p|08 FF BD|8|FE FF FF 01|thS|FF|U|D4 FF|U|EC 01|E|84|i|BD|T|FE FF FF|,| C7|,| E8 D F7 D0 0F AF C7 89|F4|8D|E|88|Pj|00 FF|u|08 E E9 01 FF FF FF|j|00|j|00 FF|U|F0|P|FF|U|D0|Ou|D2 E8|;| |i|BD|T|FE FF FF 00|\&|05 81 C7 00|\&|05|W|FF|U|E8|j|00|j|16 FF|U|8C|j|FF FF|U|E8 EB F9 8B|F4)E|84|jd|FF|U|E8 8D 85| |FE FF FF 83 F8 0A|s|C3|f|C7 85|p|FF FF FF 02 00|f|C7 85|r|FF FF …  Full worm, due to vertical detection – server replies before all packets seen!

Signatures detected: others …
 alert tcp /32 any -> / ,3128,4588,6588,8080 (msg: "Honeycomb Mon May 5 19h04m "; flags: S; flow: stateless; )
 Lookup: in-addr-arpa domain name pointer for.information.see.proxyprotector.com
 alert udp /32 any -> / (msg: "Honeycomb Thu May 8 12h57m "; content: "| |YOUR EXTRA PAYCHEQUE|00 E1 04|x|0C C | |00|#| |#| | Amazing Internet Product Sells Itself!|0D 0A|Resellers Wanted! GO TO )
 135/UDP lets you pop up spam^H^H^H^H Internet Advertisements on other Windows machines via Messenger Service
 alert tcp /32 any -> /32 80 (msg: "Honeycomb Thu May 8 07h27m "; flags: PA; flow: established; content: "GET /scripts/root.exe?/c+dir HTTP/1.0|0D 0A|Host: www|0D 0A|Connnection: close|0D 0A 0D|"; )

Summary  System detects patterns in network traffic  Good at worm detection – if not polymorphic!  Approach still simplistic – approximate matching?  TODO list  Reasonable setup  Performance evaluation  Better signature reporting scheme  Log processing suite  Closer integration with honeyd

Thanks!  Shoutouts: a13x hØ && 1ance  No machines were harmed or compromised in the making of this presentation.   Questions?