
Honey Inspector


Presentation Transcript


  1. Honey Inspector Mike Clark Honeynet Project

  2. Honeynet Inspector • Background

  3. What is it? • Set of Perl CGI Scripts • Firewall/IDS Logs • MySQL IDS

  4. How it Works • Fisq script imports firewall logs • IDS(Snort) logs to the DB • IDS(Snort) also records traffic in pcap format • Inspector drills down using all of these

  5. Inspector High Level
     • Shows connections and drill down options
     • 4 methods of alerting
       • Packet Count
       • Connection size (byte)
       • IDS(Snort) alerts
       • Inbound/Outbound

  6. Drilling Down • Connection View • Arin/whois/dig lookup • Snort alerts • p0f • Plugins

  7. Plugins • Honey Extractor • IRC View

  8. Advantages • Quick • Easily extendable • High chance of detecting activity • Web based

  9. Disadvantages • Not scalable • Not very nice looking

  10. Future • Perl module • Nicer interface • Graphing • Customizable Report Engine

  11. Questions?

  12. Enterprise Security Console Jeff Dell Activeworx, Inc.

  13. Speaker • Jeff Dell, Florida Honeynet Project • Florida Honeynet: Responsible Network Forensics • Honeynet Alliance: Central Database

  14. Problem • How do we look at different datasets from different data sources and correlate the information?

  15. 1st Problem The Data

  16. FW Logs

  17. Snort Logs

  18. TCPDump

  19. 2nd Problem Data Sources

  20. Different Data Sources DMZ Syslog DMZ Firewalls DMZ TCPDump External IDS Internal IDS Internal Syslog

  21. Solution • Centralizing Honeynet Data • Enterprise Security Console to view data

  22. Data Centralization IDS Logs Firewall Logs TCPDump Logs System Logs Centralized Database

  23. What Next?

  24. Enterprise Security Console
     • Advantages
       • Easy to View Data
       • Very flexible and powerful GUI
       • Strong Data Correlation Capabilities
       • Built with Honeynets in mind
     • Disadvantages
       • Windows 2000/XP Only

  25. Enterprise Security Console • Console to view Databases • Fully Database Driven • Supports multiple ESC Databases • Supports multiple Data Databases

  26. Types of Data • Firewall Logs • Snort IDS Logs • TCPDump Logs • Syslog • Prelude (Hybrid IDS) • Others…

  27. Easy to View Data

  28. Data Search Correlation • Correlate between any of the following data types:

  29. Data Correlation (Cont)
     • View Firewall Logs
     • Advantages
       • Easy
       • Fast
       • Have some interesting information
     • Disadvantages
       • Limited information

  30. Data Correlation (Cont)
     • View IDS Logs
     • Advantages
       • More interesting events
       • Alert on attacks
     • Disadvantages
       • Does not pick up all attacks
       • Only see a single packet

  31. Data Correlation (Cont)
     • TCPDump Logs
     • Advantages
       • All packets
     • Disadvantages
       • Lots of data
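The workflow sketched in slides 4, 5 and 28 to 31 (import firewall and Snort logs into one database, then flag connections by packet count, byte count, IDS alert and direction) as an added example; this is not code from either presentation or tool. The log layouts, the `10.0.0.` honeynet prefix, the thresholds and all records are constructed for illustration; SQLite stands in for the MySQL database the slides mention.

```python
import sqlite3

HONEYNET = "10.0.0."                         # constructed honeynet prefix
PKT_THRESHOLD, BYTE_THRESHOLD = 50, 100_000  # assumed alert thresholds

# Constructed firewall connection records: (src, dst, dport, packets, bytes)
FW_LOG = [
    ("192.0.2.10", "10.0.0.5", 80, 12, 4_800),
    ("198.51.100.7", "10.0.0.5", 445, 320, 41_000),
    ("10.0.0.5", "203.0.113.9", 6667, 8, 1_200),
    ("192.0.2.44", "10.0.0.6", 22, 3, 250_000),
]
# Constructed Snort alerts for the same period: (src, dst, dport, signature)
SNORT_ALERTS = [("198.51.100.7", "10.0.0.5", 445, "NETBIOS SMB probe")]

def load_db():
    """Import both log sources into one SQLite DB (in memory here)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fw(src, dst, dport, pkts, bytes)")
    db.execute("CREATE TABLE ids(src, dst, dport, sig)")
    db.executemany("INSERT INTO fw VALUES (?,?,?,?,?)", FW_LOG)
    db.executemany("INSERT INTO ids VALUES (?,?,?,?)", SNORT_ALERTS)
    return db

def inspect(db):
    """Return {(src, dst, dport): [reasons]} for every connection that trips a method."""
    rows = db.execute("""
        SELECT fw.src, fw.dst, fw.dport, fw.pkts, fw.bytes, ids.sig
        FROM fw LEFT JOIN ids
          ON fw.src = ids.src AND fw.dst = ids.dst AND fw.dport = ids.dport
    """).fetchall()
    flagged = {}
    for src, dst, dport, pkts, nbytes, sig in rows:
        reasons = []
        if pkts > PKT_THRESHOLD:                 # method 1: packet count
            reasons.append(f"packet count {pkts}")
        if nbytes > BYTE_THRESHOLD:              # method 2: connection size
            reasons.append(f"connection size {nbytes} bytes")
        if sig:                                  # method 3: Snort alert on the tuple
            reasons.append(f"snort: {sig}")
        if src.startswith(HONEYNET) and not dst.startswith(HONEYNET):
            reasons.append("outbound from honeynet")  # method 4: direction
        if reasons:
            flagged[(src, dst, dport)] = reasons
    return flagged

if __name__ == "__main__":
    for conn, why in inspect(load_db()).items():
        print(conn, "->", "; ".join(why))
```

The plain HTTP connection on port 80 trips none of the four methods, while the outbound IRC connection from the honeypot is flagged on direction alone, which is the signal the firewall log alone can give you before any packet decode.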

  32. Data Decode • Full Packet Decode

  33. IRC Decode • Full IRC PrivMsg Decode

  34. Packet Analysis

  35. Flexible/Powerful GUI • Actions speak louder than words:

  36. Future • Increase functionality • Reporting • Passive Application Fingerprinting • Increase Search Capabilities • Extend Data Correlation Capabilities

  37. Summary • Enterprise Security Console opens up Security Analysis and makes our jobs easier • Uses existing databases

  38. Questions?

  39. More information: • Web: http://www.activeworx.com • Email: jdell@activeworx.com
