1 / 39

Honey Inspector - Enterprise Security Console Advancements

Honey Inspector is a set of Perl CGI scripts for analyzing firewall/IDS logs and storing data in a MySQL database. It provides a high-level view of connections, alerting methods, packet counts, and more. The future plans include Perl module integration, interface enhancements, graphing, and customizable reporting engine. Enterprise Security Console enhances security analysis by centralizing and correlating data from different sources like FW logs, Snort logs, TCPDump, and more, with advantages and limitations. For more info, visit http://www.activeworx.com or email jdell@activeworx.com.

anila
Download Presentation

Honey Inspector - Enterprise Security Console Advancements

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Honey Inspector Mike Clark Honeynet Project

  2. Honeynet Inspector • Background

  3. What is it? • Set of Perl CGI Scripts • Firewall/IDS Logs • MySQL IDS

  4. How it Works • Fisq script imports firewall logs • IDS(Snort) logs to the DB • IDS(Snort) also records traffic in pcap format • Inspector drills down using all of these

  5. Inspector High Level • Shows connections and drill down options • 4 methods of alerting • Packet Count • Connection size (byte) • IDS(Snort) alerts • Inbound/Outbound

  6. Drilling Down • Connection View • Arin/whois/dig lookup • Snort alerts • p0f • Plugins

  7. Plugins • Honey Extractor • IRC View

  8. Advantages • Quick • Easily extendable • High chance of detecting activity • Web based

  9. Disadvantages • Not scalable • Not very nice looking

  10. Future • Perl module • Nicer interface • Graphing • Customizable Report Engine

  11. Questions?

  12. Enterprise Security Console Jeff Dell Activeworx, Inc.

  13. Speaker • Jeff Dell, Florida Honeynet Project • Florida Honeynet: Responsible Network Forensics • Honeynet Alliance: Central Database

  14. Problem • How do we look at different datasets from different data sources and correlate the information?

  15. 1st Problem The Data

  16. FW Logs

  17. Snort Logs

  18. TCPDump

  19. 2nd Problem Data Sources

  20. Different Data Sources DMZ Syslog DMZ Firewalls DMZ TCPDump External IDS Internal IDS Internal Syslog

  21. Solution • Centralizing Honeynet Data • Enterprise Security Console to view data

  22. Data Centralization IDS Logs Firewall Logs TCPDump Logs System Logs Centralized Database

  23. What Next?

  24. Enterprise Security Console • Advantages • Easy to View Data • Very flexible and powerful GUI • Strong Data Correlation Capabilities • Built with Honeynets in mind • Disadvantages • Windows 2000/XP Only

  25. Enterprise Security Console • Console to view Databases • Fully Database Driven • Supports multiple ESC Databases • Supports multiple Data Databases

  26. Types of Data • Firewall Logs • Snort IDS Logs • TCPDump Logs • Syslog • Prelude (Hybrid IDS) • Others…

  27. Easy to View Data

  28. Data Search Correlation • Correlate between any the following data types:

  29. Data Correlation (Cont) • View Firewall Logs • Advantages • Easy • Fast • Have some interesting information • Disadvantages • Limited information

  30. Data Correlation (Cont) • View IDS Logs • Advantages • More interesting events • Alert on attacks • Disadvantages • Does not pick up all attacks • Only see a single packet

  31. Data Correlation (Cont) • TCPDump Logs • Advantages • All packets • Disadvantages • Lots of data

  32. Data Decode • Full Packet Decode

  33. IRC Decode • Full IRC PrivMsg Decode

  34. Packet Analysis

  35. Flexible/Powerful GUI • Actions speak louder then words:

  36. Future • Increase functionality • Reporting • Passive Application Fingerprinting • Increase Search Capabilities • Extend Data Correlation Capabilities

  37. Summary • Enterprise Security Console open up Security Analysis and makes our jobs easier • Uses existing databases

  38. Questions?

  39. More information: • Web: http://www.activeworx.com • Email: jdell@activeworx.com

More Related