Honeynet/Honeypot Project • Leslie Cherian, Todd Deshane, Patty Jablonski, Creighton Long • May 2, 2006
Overview • Honeynet/Honeypot Background • Setting Up Our Own Honeypot VM • VMware • Snort • Tripwire • Filemon, Regmon • Ethereal • Demo – Port Scan, Install Spyware
Honeypots • From the Honeynet Project: • “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource • Has no production value, anything going to or from a honeypot is likely a probe, attack or compromise • Primary value to most organizations is information”
Honeynets • From the Honeynet Project: • “High-interaction honeypot designed to capture in-depth information • Information has different value to different organizations • It’s an architecture you populate with live systems, not a product or software • Any traffic entering or leaving is suspect”
The Honeynet Project http://www.honeynet.org/ • Non-profit volunteer research organization dedicated to improving the security of the Internet at no cost to the public • Its mission is to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned
The Honeynet Project • Organizations that are actively involved in honeypot research can join The Honeynet Project’s Research Alliance • Members of The Honeynet Project and the Research Alliance provide open source honeypot-related tools for download • Honeywall CD • Consider joining The Honeynet Project
Honeynet/Honeypot Project http://www.clarkson.edu/projects/itl/projects/honey/ • The goal for this project is to set up a honeypot virtual machine to research and analyze various attacks • We hope to have a well-documented and easy-to-use "malware analyzer" that reports on the degree of malicious intent of a given piece of software
Honeynet/Honeypot Project • This project was done in association with the Clarkson Internet Teaching Laboratory and as part of the Network Security class • Setting Up Our Own Honeypot VM • VMware • Snort • Tripwire • Filemon, Regmon • Ethereal
VMware • Virtual machine monitor (VMM) • Full virtualization: the guest operating system runs unmodified, so a stock Windows install can serve as the honeypot guest • Supports virtual networks • Bridged network: the guest appears on the physical LAN as a peer of the host • NAT (routed) network: the guest reaches the outside through the host's address • Private network: host only, virtually switched; traffic stays between the host and its guests • The network mode bounds what a compromised guest can reach, so a host-only or NAT network, with the host sniffing the virtual interface, keeps the honeypot contained while still capturing all of its traffic
Snort • Network Intrusion Detection System (NIDS) • Allows for monitoring of: • Local machine • Machines on your local network (the sniffing interface must see their traffic; for the honeypot VM this is the VMware virtual network interface on the host) • Basic usage • snort -i <interface> -c <config file> • Log file • /var/log/snort/alert (the default alert file under the log directory set in the config)
Snort Rules • Official Snort Rules • Bleeding-Edge Snort Rules • Write Your Own Rules • Rules Management
Official Snort Rules • Subscription-based • Current rules, highest quality; too expensive for this project • Registration-based • Subscription ruleset released five days later to registered users (downloaded with the per-user "oinkcode"): recommended • Unregistered • Only updated with each major release of Snort: stale • Community • Submitted by members of the community and minimally tested
Bleeding-Edge Snort Rules • Volunteer run • Free Snort signature development • Released quickly • Organized into rulesets • Bleeding Snort Ruleset Manager • Works with Oinkmaster
Write Your Own Snort Rules • Rule Header • Contains the action to perform (alert, log, pass, ...), the protocol the rule applies to (tcp, udp, icmp, or ip for any), and the source and destination addresses and ports; -> matches one direction, <> either direction • Options • Descriptive message (msg), a unique rule identifier (sid) and revision (rev), and checks on other packet attributes (payload content, TCP flags, etc.) provided by Snort's detection plug-ins • General Form • action proto src_ip src_port direction dst_ip dst_port (options) • Example • alert tcp 192.168.1.2 any -> any any (msg:"Outbound traffic from 192.168.1.2";) • Alerts on every TCP segment whose source address is 192.168.1.2, whatever the port or destination; UDP or ICMP from that host does not match this rule (use the ip protocol to catch all of it) • Give each custom rule a sid (local rules conventionally use sid >= 1000000) and a rev so the alert log and rule-management tools can identify it
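To show concretely which packets the slide's example rule fires on, here is a small rule-header matcher written for this page (it is not Snort's code and not part of the original project). It parses the general form above, supports any, CIDR, negation (!) and lists for addresses, and any, ranges (lo:hi), negation and lists for ports, and evaluates the rules against a constructed set of packet tuples. The second rule and all packet data are invented for the illustration; payload options such as content are deliberately not implemented.

```python
"""Minimal Snort rule-header matcher (added example, not Snort's own code).

Parses `action proto src_ip src_port direction dst_ip dst_port (options)` and
evaluates it against packet tuples. Only the header and the msg/sid/rev options
are handled; payload-inspection options are out of scope here.
"""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split one rule into its header fields and a dict of options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    opts = {}
    for opt in m["opts"].split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return {"action": m["action"], "proto": m["proto"].lower(),
            "src": m["src"], "sport": m["sport"], "dir": m["dir"],
            "dst": m["dst"], "dport": m["dport"], "opts": opts}


def _match_addr(spec, ip):
    """any, single IP, CIDR, [a,b,...] list, and ! negation of any of those."""
    if spec.startswith("!"):
        return not _match_addr(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(_match_addr(s.strip(), ip) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _match_port(spec, port):
    """any, single port, lo:hi range (either end open), [..] list, ! negation."""
    if spec.startswith("!"):
        return not _match_port(spec[1:], port)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(_match_port(s.strip(), port) for s in spec[1:-1].split(","))
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port


def _one_way(rule, pkt):
    return (_match_addr(rule["src"], pkt["src"]) and _match_port(rule["sport"], pkt["sport"])
            and _match_addr(rule["dst"], pkt["dst"]) and _match_port(rule["dport"], pkt["dport"]))


def rule_matches(rule, pkt):
    """True if the header matches; `ip` rules match every protocol, `<>` both ways."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if _one_way(rule, pkt):
        return True
    if rule["dir"] == "<>":
        swapped = dict(pkt, src=pkt["dst"], sport=pkt["dport"], dst=pkt["src"], dport=pkt["sport"])
        return _one_way(rule, swapped)
    return False


def run_rules(rules, packets):
    """Return (packet id, msg) for every alert rule that fires on each packet."""
    return [(pkt["id"], rule["opts"].get("msg", ""))
            for pkt in packets for rule in rules
            if rule["action"] == "alert" and rule_matches(rule, pkt)]


# The slide's rule, plus a second (invented) rule for probes from outside the LAN.
RULES = [
    parse_rule('alert tcp 192.168.1.2 any -> any any (msg:"Outbound traffic from 192.168.1.2";)'),
    parse_rule('alert tcp !192.168.1.0/24 any -> 192.168.1.2 [135:139,445] '
               '(msg:"External SMB/RPC probe to honeypot"; sid:1000001; rev:1;)'),
]

# Constructed sample traffic (not a real capture). Honeypot is 192.168.1.2.
PACKETS = [
    {"id": 1, "proto": "tcp", "src": "192.168.1.2", "sport": 49152, "dst": "10.0.0.5", "dport": 80},
    {"id": 2, "proto": "udp", "src": "192.168.1.2", "sport": 5353, "dst": "224.0.0.251", "dport": 5353},
    {"id": 3, "proto": "tcp", "src": "10.0.0.9", "sport": 3333, "dst": "192.168.1.2", "dport": 445},
    {"id": 4, "proto": "tcp", "src": "192.168.1.7", "sport": 4444, "dst": "192.168.1.2", "dport": 22},
]

if __name__ == "__main__":
    for pkt_id, msg in run_rules(RULES, PACKETS):
        print("packet %d: %s" % (pkt_id, msg))
```

Packet 2 shows the caveat from the slide: the example rule is tcp-only, so the UDP datagram from the honeypot is not reported even though it is outbound traffic from 192.168.1.2.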
Snort Rules Management • Many tools available for Windows and Linux • Oinkmaster • Keeps Snort rules current • Perl script, run from a cron job, that fetches a ruleset from its repository (official, bleeding, etc.) whenever it is updated • Re-applies your local changes (disabled, enabled or modified sids listed in oinkmaster.conf) to each new ruleset so they are not lost on update • Bleeding Snort Ruleset Manager • Snort Policy Manager
Tripwire • Host-based integrity checker for critical system files: records a baseline database of file attributes and cryptographic hashes for everything named in the policy, and reports what differs at check time • Notification is only as prompt as the check schedule (typically cron); Tripwire is not a real-time monitor, so the check interval bounds how quickly a change is noticed • Reports can be emailed and correlated with other event logs • Flexible policy file language (rules and severity levels per file or directory) • The commercial Tripwire Enterprise integrates with third-party EMS systems such as Remedy AR System and IBM Tivoli • For a honeypot, initialize the database before the VM is exposed and keep the database, policy and keys off the guest (on the host or read-only media), since a compromised guest could otherwise rewrite its own baseline
Tripwire Commands • Create a new (signed) policy file from a plain-text policy • twadmin --create-polfile <policyfile.txt> • Initialize the database file (the baseline) • tripwire --init • Run an integrity check of the system and save the report • tripwire --check -r <reportfile.twr> • Print the report file in readable form (twprint writes to standard output) • twprint --print-report -r <reportfile.twr> > <reportfile.txt> • After reviewing the report, accept legitimate changes into the database • tripwire --update -r <reportfile.twr>
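What --init and --check compute can be seen in a few lines of Python. The following is an added example written for this page, not Tripwire's code: it builds a baseline of mode, size and SHA-256 per file (real Tripwire also records owner, inode, timestamps and several hash algorithms), then diffs the current tree against it. The demo creates a throwaway directory with constructed files, simulates a compromise (trojaned binary of the same size, a dropped file, a deleted file) and returns the report.

```python
"""Tripwire-style file integrity check (added example, not Tripwire's code)."""
import hashlib
import os
import shutil
import stat
import tempfile


def _record(path):
    """Attributes compared for one file. Tripwire stores more (owner, inode,
    timestamps, multiple hashes); mode/size/hash is enough to show the idea."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
    return {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
            "sha256": digest.hexdigest()}


def build_database(root):
    """Equivalent of `tripwire --init`: snapshot every file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = _record(full)
    return db


def check(root, db):
    """Equivalent of `tripwire --check`: report added, removed and modified files."""
    now = build_database(root)
    return {
        "added": sorted(set(now) - set(db)),
        "removed": sorted(set(db) - set(now)),
        "modified": sorted(p for p in db.keys() & now.keys() if db[p] != now[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a tiny 'system', then simulate a compromise."""
    root = tempfile.mkdtemp(prefix="twdemo-")
    try:
        _write(root, "bin/ls", b"original ls binary")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        db = build_database(root)                       # tripwire --init
        if check(root, db) != {"added": [], "removed": [], "modified": []}:
            raise RuntimeError("fresh baseline should be clean")
        # Simulated compromise. The replacement binary has the same size as the
        # original, so only the hash reveals it; a size/mtime-only check would miss it.
        _write(root, "bin/ls", b"trojaned ls binary")
        _write(root, "bin/.hidden", b"dropper")
        os.remove(os.path.join(root, "etc", "hosts"))
        return check(root, db)                          # tripwire --check
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The same limitation as Tripwire applies: the report reflects the state at check time only, and the baseline (`db`) is only trustworthy if it was stored where the attacker could not rewrite it.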
Filemon • Monitors file system access on a Windows computer in real time • Free; a commercial (Enterprise) version with logging and remote monitoring was also sold by Sysinternals (Filemon and Regmon were later merged into Process Monitor) • Weaknesses • Requires user interaction
Regmon • Monitors real time access to the Windows registry • Free version doesn’t allow: • Capturing log file in real time • Monitoring of remote computers • Commercial version available from sysinternals
Regmon • Weaknesses • Requires user interaction and knowledge to be useful • Output is noisy and confusing • Not a good way to log changes • Checkpointing registry is not available
Ethereal • Network Protocol Analyzer • Why we used it • Passively monitors network traffic without touching the honeypot guest • How we used it • On the base (host) machine, capturing on the virtual network interface, to monitor all traffic to and from the honeypot VM • Tethereal • Command line version of Ethereal, suited to unattended capture to a file (Ethereal/Tethereal were renamed Wireshark/tshark in 2006)
Future Work • Try alternative architectures • Try other IDSes and tools • More attacks/malware for testing • Integrated GUI • User-level documentation • Break into two software packages • Honeypot and malware analyzer