Slide 1: Honeynet/Honeypot Project
Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long
May 2, 2006
Slide 2: Overview
Honeynet/Honeypot Background
Setting Up Our Own Honeypot VM
– VMware
– Snort
– Tripwire
– Filemon, Regmon
– Ethereal
Demo – Port Scan, Install Spyware
Slide 3: Honeypots
From the Honeynet Project:
– “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource
– Has no production value; anything going to or from a honeypot is likely a probe, attack or compromise
– Primary value to most organizations is information”
Slide 4: Honeynets
From the Honeynet Project:
– “High-interaction honeypot designed to capture in-depth information
– Information has different value to different organizations
– It’s an architecture you populate with live systems, not a product or software
– Any traffic entering or leaving is suspect”
Slide 5: The Honeynet Project
http://www.honeynet.org/
Non-profit volunteer research organization dedicated to improving the security of the Internet at no cost to the public
Its mission is to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned
Slide 6: The Honeynet Project
Organizations that are actively involved in honeypot research can join The Honeynet Project’s Research Alliance
Members of The Honeynet Project and the Research Alliance provide open source honeypot-related tools for download
– Honeywall CD
Consider joining The Honeynet Project
Slide 7: Honeynet Project Architecture
Slide 8: Honeynet/Honeypot Project
http://www.clarkson.edu/projects/itl/projects/honey/
The goal of this project is to set up a honeypot virtual machine to research and analyze various attacks
We hope to have a well-documented and easy-to-use "malware analyzer" that reports on the degree of malicious intent of a given piece of software
Slide 9: Honeynet/Honeypot Project
This project was done in association with the Clarkson Internet Teaching Laboratory and as part of the Network Security class
Setting Up Our Own Honeypot VM
– VMware
– Snort
– Tripwire
– Filemon, Regmon
– Ethereal
Slide 10: Our Honeypot VM Architecture
Slide 11: VMware
Virtual machine monitor (VMM)
– Full virtualization: unmodified base operating system
– Allows for a Windows guest
Supports virtual networks
– Bridged network
– NAT (routed) network
– Private network: host only, virtually switched
Slide 12: Snort
Network Intrusion Detection System (NIDS)
Allows for monitoring of:
– Local machine
– Machines on your local network
Basic usage
– snort -i <interface> -c <config file>
Log file
– /var/log/snort/alert
Slide 13: Snort Rules
Official Snort Rules
Bleeding-Edge Snort Rules
Write Your Own Rules
Rules Management
Slide 14: Official Snort Rules
Subscription-based
– Current rules, highest quality: too expensive
Registration-based
– 5-day-old subscription ruleset: recommended
Unregistered
– Only updated with each major release of Snort: stale
Community
– Submitted by members of the community and minimally tested
Slide 15: Bleeding-Edge Snort Rules
Volunteer run
Free Snort signature development
– Released quickly
Organized into rulesets
Bleeding Snort Ruleset Manager
Works with Oinkmaster
Slide 16: Write Your Own Snort Rules
Rule Header
– Contains the action to perform, the protocol that the rule applies to, and the source and destination addresses and ports
Options
– Descriptive message, checks of other packet attributes using Snort's plug-ins, etc.
General Form
– action proto src_ip src_port direction dst_ip dst_port (options)
Example
– alert tcp 192.168.1.2 any -> any any (msg:"Outbound traffic from 192.168.1.2";)
– Alerts on any TCP traffic coming from 192.168.1.2
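Added here as an illustration (not code from the presentation): a small Python parser for the rule form above that splits a rule into header fields and options, then checks the slide's example rule and two constructed rules against constructed packet 5-tuples to show which traffic each header would match. The sample rules, packets and function names are assumptions of this example; address lists, CIDR ranges and $VARIABLES are deliberately not expanded.

```python
import re

# Constructed sample rules for this example: the slide's own rule plus two written here.
SAMPLE_RULES = [
    'alert tcp 192.168.1.2 any -> any any (msg:"Outbound traffic from 192.168.1.2";)',
    'alert tcp any any -> 192.168.1.2 445 (msg:"SMB connection to honeypot"; sid:1000001; rev:1;)',
    'log udp any any <> any 53 (msg:"DNS traffic";)',
]
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
HEADER = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)")
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("[^"]*"|[^;]*))?;')

def parse_rule(rule: str) -> dict:
    """Split a rule into its header fields and an options dict (quotes stripped;
    flag-style options with no value map to '')."""
    m = HEADER.fullmatch(rule.strip())
    if m is None:
        raise ValueError(f"malformed rule: {rule!r}")
    action, proto, src_ip, src_port, direction, dst_ip, dst_port, body = m.groups()
    if action not in ACTIONS or proto not in PROTOS:
        raise ValueError(f"unknown action or protocol in: {rule!r}")
    options = {k: v.strip().strip('"') for k, v in OPTION.findall(body)}
    return {"action": action, "proto": proto, "src_ip": src_ip, "src_port": src_port,
            "direction": direction, "dst_ip": dst_ip, "dst_port": dst_port, "options": options}

def header_matches(r: dict, proto: str, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int) -> bool:
    """True if a packet's 5-tuple satisfies the rule header: 'any' is a wildcard, an 'ip'
    rule covers every protocol and '<>' is checked in both directions. Address lists,
    CIDR ranges and $VARIABLES are not expanded here (literal comparison only)."""
    if r["proto"] not in ("ip", proto):
        return False
    def one_way(a_ip, a_port, b_ip, b_port):
        return all(f == "any" or f == str(v) for f, v in
                   ((r["src_ip"], a_ip), (r["src_port"], a_port),
                    (r["dst_ip"], b_ip), (r["dst_port"], b_port)))
    forward = one_way(src_ip, src_port, dst_ip, dst_port)
    return forward if r["direction"] == "->" else (forward or one_way(dst_ip, dst_port, src_ip, src_port))

if __name__ == "__main__":
    # Constructed traffic sample as (proto, src_ip, src_port, dst_ip, dst_port) tuples.
    packets = [("tcp", "192.168.1.2", 49152, "10.0.0.5", 80),
               ("tcp", "10.0.0.5", 50000, "192.168.1.2", 445),
               ("udp", "10.0.0.5", 53, "192.168.1.2", 40000)]
    for rule in SAMPLE_RULES:
        parsed = parse_rule(rule)
        hits = [p for p in packets if header_matches(parsed, *p)]
        print(f"{parsed['action']:5s} {parsed['options']['msg']!r}: {len(hits)} matching packet(s)")
```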
Slide 17: Snort Rules Management
Many tools available for Windows and Linux
Oinkmaster
– Keeps Snort rules current
– Perl script; run as a cron job to update your rulesets whenever your ruleset repository (official, bleeding, etc.) is updated
– Updates the current ruleset with your modifications from previous rulesets
Bleeding Snort Ruleset Manager
Snort Policy Manager
Slide 18: Tripwire
Monitors critical system files actively
Provides immediate notification of changes that occur passively
Allows for event log correlation
Flexible policy file language
Integrates with third-party EMS systems such as the Remedy AR System and IBM Tivoli
Slide 19: Tripwire
Slide 20: Tripwire Commands
Create a new policy file
– twadmin --create-polfile <policy file>
Initialize the database file
– tripwire --init
Run an integrity check of the system
– tripwire --check --report-file <report file>
Print the report file in a readable format
– twprint --print-report --report-file <report file> -F -o >
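Added here as an illustration (not the project's code and not Tripwire itself): a minimal Python model of the init/check cycle above. It baselines the hash, size and permission bits of every file under a constructed temporary tree, then takes a fresh snapshot and reports added, removed and changed files the way an integrity-check report does. The sample files and function names are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def init_database(root: Path) -> dict:
    """Analogue of 'tripwire --init': record hash, size and permission bits of every
    file under root (a real policy file would restrict this to critical paths)."""
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            db[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p), "size": st.st_size, "mode": st.st_mode & 0o777}
    return db

def integrity_check(root: Path, db: dict) -> dict:
    """Analogue of 'tripwire --check': take a fresh snapshot and report every file that
    was added, removed or changed relative to the baseline, as a twprint report would."""
    now = init_database(root)
    return {"added": sorted(set(now) - set(db)),
            "removed": sorted(set(db) - set(now)),
            "changed": sorted(f for f in set(db) & set(now) if now[f] != db[f])}

def demo() -> dict:
    """Constructed scenario: baseline a small fake filesystem, apply the kinds of change
    a compromise leaves behind, and run the check against the saved baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("bin", "etc"):
            (root / d).mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "hosts").chmod(0o644)
        baseline = init_database(root)                           # tripwire --init
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")  # contents changed
        (root / "etc" / "hosts").chmod(0o666)                     # permissions changed
        (root / "etc" / "passwd").unlink()                        # file removed
        (root / "bin" / "unexpected").write_bytes(b"new file")   # file added
        return integrity_check(root, baseline)                   # tripwire --check

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:8s} {files}")
```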
Slide 21: Filemon
Monitors real-time access to files on a Windows computer
Commercial version also available from Sysinternals
Weaknesses
– Requires user interaction
Slide 22: Regmon
Monitors real-time access to the Windows registry
Free version doesn’t allow:
– Capturing the log file in real time
– Monitoring of remote computers
Commercial version available from Sysinternals
Slide 23: Regmon
Weaknesses
– Requires user interaction and knowledge to be useful
– Output is noisy and confusing
– Not a good way to log changes
– Checkpointing the registry is not available
Slide 24: Ethereal
Network Protocol Analyzer
Why we used it
– Passively monitors network traffic
How we used it
– On the base to monitor all traffic
Tethereal
– Command-line version of Ethereal
Slide 25: Future Work
Try alternative architectures
Try other IDSes and tools
More attacks/malware for testing
Integrated GUI
User-level documentation
Break into two software packages
– Honeypot and malware analyzer
Slide 26: Demo
Slide 27: Questions/Comments