Presentation is loading. Please wait.

Presentation is loading. Please wait.

Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006."— Presentation transcript:

1 Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006

2 Overview Honeynet/Honeypot Background Setting Up Our Own Honeypot VM –VMware –Snort –Tripwire –Filemon, Regmon –Ethereal Demo – Port Scan, Install Spyware

3 Honeypots From the Honeynet Project: –“A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource –Has no production value, anything going to or from a honeypot is likely a probe, attack or compromise –Primary value to most organizations is information”

4 Honeynets From the Honeynet Project: –“High-interaction honeypot designed to capture in-depth information –Information has different value to different organizations –It’s an architecture you populate with live systems, not a product or software –Any traffic entering or leaving is suspect”

5 The Honeynet Project http://www.honeynet.org/ Non-profit volunteer research organization dedicated to improving the security of the Internet at no cost to the public Its mission is to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned

6 The Honeynet Project Organizations that are actively involved in honeypot research can join The Honeynet Project’s Research Alliance Members of The Honeynet Project and the Research Alliance provide open source honeypot-related tools for download –Honeywall CD Consider joining The Honeynet Project

7 Honeynet Project Architecture

8 Honeynet/Honeypot Project http://www.clarkson.edu/projects/itl/projects/honey/ The goal for this project is to set up a honeypot virtual machine to research and analyze various attacks We hope to have a well-documented and easy-to-use "malware analyzer" that reports on the degree of malicious intent of a given piece of software

9 Honeynet/Honeypot Project This project was done in association with the Clarkson Internet Teaching Laboratory and as part of the Network Security class Setting Up Our Own Honeypot VM –VMware –Snort –Tripwire –Filemon, Regmon –Ethereal

10 Our Honeypot VM Architecture

11 VMware Virtual machine monitor (VMM) –Full virtualization Unmodified base operating system Allows for Windows guest Supports virtual networks –Bridged network –NAT (routed) network –Private network: host only, virtually switched

12 Snort Network Intrusion Detection System (NIDS) Allows for monitoring of: –Local machine –Machines on your local network Basic usage –snort -i -c Log file –/var/log/snort/alert

13 Snort Rules Official Snort Rules Bleeding-Edge Snort Rules Write Your Own Rules Rules Management

14 Official Snort Rules Subscription-based –Current rules, highest quality: too expensive Registration-based –5-day-old subscription ruleset: recommended Unregistered –Only updated with each major release of Snort: stale Community –Submitted by members of the community and minimally tested

15 Bleeding-Edge Snort Rules Volunteer run Free Snort signature development –Released quickly Organized into rulesets Bleeding Snort Ruleset Manager Works with Oinkmaster

16 Write Your Own Snort Rules Rule Header –Contains the action to perform, the protocol that the rule applies to, and the source and destination addresses and ports Options –Descriptive message, check other packet attributes using Snort's plug-ins, etc General Form –action proto src_ip src_port direction dst_ip dst_port (options) Example –alert tcp 192.168.1.2 any -> any any (msg:"Outbound traffic from 192.168.1.2";) –Alerts on any traffic coming from 192.168.1.2

17 Snort Rules Management Many available for Windows and Linux Oinkmaster –Keeps snort rules current –Perl script, cron job to update your rulesets whenever your ruleset repository (official, bleeding, etc) is updated –Update current ruleset with your modifications from previous rulesets Bleeding Snort Ruleset Manager Snort Policy Manager

18 Tripwire Monitors critical system files actively Provides immediate notification of changes that occur passively Allows for event log correlation Flexible policy file language Integrate with third party EMS systems like Remedy AR system, IBM Tivoli, etc

19 Tripwire

20 Tripwire Commands Create a new policy file –twadmin --create-polfile Initialize the database file –tripwire --init Run an integrity check of the system –tripwire --check --report-file Print the report file to a readable format –twprint --print-report --report-file -F -o >

21 Filemon Monitors real time access to file on a Windows computer Commercial version also available from sysinternals Weaknesses –Requires user interaction

22 Regmon Monitors real time access to the Windows registry Free version doesn’t allow: –Capturing log file in real time –Monitoring of remote computers Commercial version available from sysinternals

23 Regmon Weaknesses –Requires user interaction and knowledge to be useful –Output is noisy and confusing –Not a good way to log changes –Checkpointing registry is not available

24 Ethereal Network Protocol Analyzer Why we used it –Passively monitors network traffic How we used it –On the base to monitor all traffic Tethereal –Command line version of Ethereal

25 Future Work Try alternative architectures Try other IDSes and tools More attacks/malware for testing Integrated GUI User-level documentation Break into two software packages –Honeypot and malware analyzer

26 Demo

27 Questions/Comments

Download ppt "Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Honeynet Introduction Tang Chin Hooi APAN Secretariat.

Honeynet Introduction Tang Chin Hooi APAN Secretariat.
Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.

Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.
Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.

Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
2004, Jei Tripwire An Intrusion Detection Tool Information Networking Security and Assurance Lab National Chung Cheng University.

2004, Jei Tripwire An Intrusion Detection Tool Information Networking Security and Assurance Lab National Chung Cheng University.
Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.

Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.

Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.
Presented by C.SARITHA ( 07R91A0568) INTRUSION DETECTION SYSYTEM.

Presented by C.SARITHA ( 07R91A0568) INTRUSION DETECTION SYSYTEM.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
INTRUSION DETECTION SYSTEM

INTRUSION DETECTION SYSTEM

Similar presentations

Ads by Google