Intrusion Detection Systems
Lesson #4: Honey{pots,nets,walls}

Matthijs Koot ([email protected])
Faculteit van Natuurwetenschappen, Wiskunde en Informatica
Universiteit van Amsterdam

2007-04-12 / SNE-IDS college ’06-’07


Outline

- Definitions, purpose
- Past and present
- How honeypots work
  - HoneyD
  - Honeynet, HoneyWall
  - MWCollect: Nepenthes, HoneyTrap and HoneyBow
- Limitations and future
  - Limitations
  - Honeynet Research Alliance
  - Future topics
- Summary


Definitions: ‘honeypot’.

Definition: A honeypot is a sacrificial asset, either virtual or physical, whose purposes are to gather information on (and warn of) attacker behavior and to decoy attackers from real assets.


Definitions: ‘Honeynet’ and ‘HoneyWall’.

Definition: A honeynet is a network of honeypots.

Definition: A honeywall is a honeypot or honeynet that is placed in-line between two networks, or between a network and a host, to uni- or bidirectionally capture, control and analyze attacks.

Definition: A honeytoken is a honeypot which is not a computer.


Warning.

WARNING: In real life, ‘Honeynet’ and ‘HoneyWall’ are used ambiguously to refer to both their CONCEPTS, as well as their prevalent IMPLEMENTATION (think ‘DNS’ versus ‘bind’). This also explains any inconsistencies in (my) use of CaPiTaLiZaTiOn.


Purpose of a honeypot.

The two main purposes of a honeypot:

- Research
  - Know your enemy!
  - Reveal blackhat tactics, techniques, tools
  - Reveal motives/intentions?
  - Mostly used by universities, governments, ISPs
- Protection
  - Deceiving the wily cracker
  - Integrated within enterprise security architecture


Tactics behind a honeypot.

In its defensive form, a honeypot is designed on deception and intimidation (Fred Cohen, 2001):

- Concealment
- Camouflage
- False/planted information (honeytokens!)
- Feints, lies, et cetera
  - E.g. false claims that a facility is being watched by law enforcement authorities


Functional requirements of a honeypot.

Functional requirements of a honeypot include:

- Data capture
- Data analysis
- Data control


History of honeypots.

- 1990: real systems
  - Deploy unpatched systems in default config on an unprotected network (making them ‘low-hanging fruit’)
  - Easy to deploy
  - High-interaction, high-risk
  - Nice reading: “Cuckoo’s Egg” by Clifford Stoll
- 1998: network service simulation
  - HoneyD, CyberCop Sting, Deception Toolkit, KFSensor
  - Easy to deploy
  - Low-interaction, low-risk
- 1999-now: virtual systems
  - Honeynet (next slide), Symantec Decoy Server
  - Difficult to deploy
  - Mid/high-interaction, mid/high-risk


History of The Honeynet Project.

- 1999: Lance Spitzner (Sun) founds the Honeynet Project
- 1999-2001, GenI: PoC, L3+ (modified IP-headers)
- 2001-2003, GenII: GenI + bridging (no TTL decrement, harder to detect)
- 2003-2004, GenIII: GenII + blocking (HoneyWall)
- 2004-current: ‘GenIV’ refers to next-gen analysis capabilities

Also known for Scan of the Month (SotM) challenges (which alas appear to be dormant since 2005).


Taxonomy of honeypots.

As proposed by Seifert, Welch, Komisarczuk in 2006, honeypots can be differentiated on...

- Level of interactivity (will be discussed shortly)
- Data capture (attacks, events, intrusions, ...)
- Containment (aka ‘data control’)
- Distribution appearance
- Role in N-tier architecture
- Communication interface (API, NIC, ...)


Taxonomy of honeypots.

[Diagram: the taxonomy as a tree, reconstructed as a list]

- Honeypot
  - Interaction level: High, Low
  - Data capture: Intrusions, Events, Attacks, None
  - Containment: Defuse, Block, Slowdown, None
  - Distribution appearance: Distributed, Stand-alone
  - Role in an N-tier architecture: Client, Server
  - Communication interface: Software API, Non-network hardware IF, Network IF


Level of interactivity: low.

[Diagram of the low-interaction model; labels: Fake daemon, Operating System, Other local resources, harddisk]

Source: R. Baumann, C. Plattner. Honeypots, diploma thesis. Feb. 2002 (reconstructed for OS3/SNE)


Level of interactivity: mid.

[Diagram of the mid-interaction model; labels: Fake daemon, Operating System, Other local resources, harddisk]

Source: R. Baumann, C. Plattner. Honeypots, diploma thesis. Feb. 2002 (reconstructed for OS3/SNE)


Level of interactivity: high.

[Diagram of the high-interaction model; labels: Fake daemon, Operating System, Other local resources, harddisk]

Source: R. Baumann, C. Plattner. Honeypots, diploma thesis. Feb. 2002 (reconstructed for OS3/SNE)



HoneyD.

- HoneyD is an engine for running virtual IP-stacks in parallel
- Mid-interaction network service simulator
  - Simulates SMTP, FTP, HTTP, ...
  - Easily extendible through customizable scripts
- First release in 1999, currently maintained by Niels Provos
- TCP/IP fingerprint spoofing through ‘personalities’
  - Impersonate Win32 on your favorite UNIX flavor (which should be MINIX), fooling nmap and xprobe
  - Fake WinSize, DF, ToS, ISN, ...
  - Fake packet loss, TTL, latency!


HoneyD.

HoneyD architecture

[Diagram: HoneyD receives packets through libpcap and emits them through libnet; a personality engine shapes the replies of the userland IP-stack (ICMP, UDP, TCP); services are provided by an external program or a proxy.]

Source: http://md.hudora.de/presentations/2005-bh-honeypots-03-honeyd.pdf (reconstructed for OS3/SNE)


HoneyD.

Applying the mid-interaction model to HoneyD: HoneyD servicing incoming requests on port TCP/21 by executing fake-ftpd.sh.

[Diagram labels: HoneyD listening on tcp/21, fake-ftpd.sh, Operating System, Other local resources]
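To make the mid-interaction model concrete, here is an added example of a HoneyD-style service script for tcp/21, written for this page rather than taken from HoneyD (its bundled ftp.sh is different): HoneyD hands the attacker's TCP session to the script's stdin/stdout, so the script answers FTP commands itself and never reaches a real FTP server, file system or user database. The honeyd.conf fragment in the docstring, the decoy banner and the HONEYD_IP_SRC variable name are assumptions.

```python
#!/usr/bin/env python3
"""Minimal fake FTP daemon, usable as a HoneyD service script on tcp/21.

Assumed honeyd.conf fragment that would attach it (the personality name is
a placeholder; real names come from nmap's fingerprint database):

    create decoy
    set decoy personality "PLACEHOLDER-OS-FINGERPRINT"
    add decoy tcp port 21 "python3 /usr/local/bin/fake-ftpd.py"
    set decoy default tcp action reset
    bind 10.0.0.5 decoy

HoneyD connects the client's TCP session to this script's stdin/stdout, so
the "daemon" is a plain line-oriented program that never touches a real
FTP server, file system or user database (the mid-interaction model).
"""
import os
import sys
from typing import List, Tuple

BANNER = "220 FTP server ready."  # constructed decoy banner; mimic the impersonated OS's real one


def handle_command(line: str, state: dict) -> Tuple[str, bool]:
    """Answer one FTP command; return (reply, keep_session_open).

    Logins always fail after PASS: the credential pairs an attacker tries are
    captured in state["attempts"] without any real access being granted.
    """
    parts = line.strip().split(" ", 1)
    cmd = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    if cmd == "USER":
        state["user"] = arg
        return f"331 Password required for {arg}.", True
    if cmd == "PASS":
        state["attempts"].append((state.get("user", ""), arg))
        return "530 Login incorrect.", True
    if cmd == "QUIT":
        return "221 Goodbye.", False
    if cmd == "SYST":
        return "215 UNIX Type: L8", True
    if cmd in ("FEAT", "HELP"):
        return "502 Command not implemented.", True
    # Anything else before a login is refused, as a real server would do.
    return "530 Please login with USER and PASS.", True


def run_session(lines: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Drive a whole session from client lines; returns (replies, attempts).

    Lets the dialogue be exercised offline, without HoneyD in the loop.
    """
    state = {"attempts": []}
    replies = [BANNER]
    for line in lines:
        reply, keep_open = handle_command(line, state)
        replies.append(reply)
        if not keep_open:
            break
    return replies, state["attempts"]


def main() -> None:
    # Live mode: stdin/stdout are the attacker's session, handed over by HoneyD.
    sys.stdout.write(BANNER + "\r\n")
    sys.stdout.flush()
    state = {"attempts": []}
    for line in sys.stdin:
        reply, keep_open = handle_command(line, state)
        sys.stdout.write(reply + "\r\n")
        sys.stdout.flush()
        if not keep_open:
            break
    # Log to stderr, never to stdout, so the record does not reach the
    # attacker's socket (where HoneyD delivers stderr is deployment-specific).
    # HONEYD_IP_SRC (peer address) is assumed to be exported by HoneyD.
    peer = os.environ.get("HONEYD_IP_SRC", "unknown")
    for user, password in state["attempts"]:
        sys.stderr.write(f"fake-ftpd peer={peer} user={user!r} pass={password!r}\n")


if __name__ == "__main__":
    main()
```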



Honeynet, HoneyWall.

The basic idea of a Honeynet/HoneyWall:

[Diagram (theory): Internet – Honeywall – Honeypots. Inbound traffic: no restrictions; outbound traffic: connections limited, packets scrubbed.]


Sebek.

Sebek: spying on your intruder

- From Honeynet.org: “Sebek is a tool designed for data capture, it attempts to capture most of the attackers activity on the honeypot, without the attacker knowing it (hopefully), then sends the recovered data to a central logging system.”
- Recover keystrokes, uploaded files, passwords, IRC chats, even if they’re encrypted by SSH, IPSec or SSL.


Sebek.

[Diagram slide; no text recoverable]


Sebek in GenII honeynet.

[Slide reproduces page 1 of the following paper:]

Proceedings of the 2005 IEEE Workshop on Information Assurance and Security
United States Military Academy, West Point, NY, 15–17 June 2004

Towards a Third Generation Data Capture Architecture for Honeynets

Edward Balas and Camilo Viecco
Advanced Network Management Lab, Indiana University

Abstract— Honeynets have become an important tool for researchers and network operators. However, their effectiveness has been impeded by a lack of a standard unified honeynet data model which results from having multiple unrelated data sources, each with its own access method and format.

In this paper we propose a new data collection architecture that addresses the need for both rapid comprehension and detailed analysis by providing two data access methods: a relational model based fast path, and a canonical slow path. We also present a set of tools based on this architecture.

I. Introduction

A Honeynet is a network of high interaction honeypots[1]. High interaction honeypots are quite different from low interaction honeypots such as Honeyd [2] for they provide a full operating system and set of software for an intruder to interact with. This high level of interactivity is desired because it allows researchers the ability to observe the behavior of an intruder in a live system, and not a simulation. As a result, high interaction honeypots are well suited to capture new or unanticipated activity. However, high interaction honeypots collect a larger volume of detailed data from multiple data sources, making it difficult to manage honeynets and make sense of the collected data.

To help facilitate honeynet deployments and the sharing of information between researchers, The Honeynet Project standardized the GenII honeynet architecture[3]. This architecture includes a specification of Data Capture procedures whose purpose is to “log all of the attacker’s activity”. The GenII Data Capture procedures specify the collection of three types of data: firewall logs, network traffic and system activity. Figure 2 provides a schematic representation of a typical Gen II deployment. This architecture does not provide any guidance on how to store or access the captured data.

In the standardized architecture, firewall logs are used to provide a summary of the network activity. The “rc.firewall” script provided by the honeynet project allows this by using the Linux IPTables[4] connection tracking capabilities. We feel this logging is counter-intuitive because firewall logs are typically used for policy auditing and in this case they are being used to provide summary accounts of network activity. In addition, these summaries lack needed detail such as the duration and quantity of network activity.

[Fig. 1. GenII Honeynet Data Capture.]

Network traffic and Intrusion Detection System (IDS) events are captured using the Snort IDS system[5]. For Data Capture, two instances of Snort are executed, one to merely record the raw traffic, and the other to examine the network traffic looking for events that are indicative of misuse or intrusion.

System activity refers to monitoring activity from the perspective of each high interaction honeypot. This type of monitoring includes two types of data: Syslog and Sebek. Syslog data is provided by each honeypot’s operating system. Sebek is a tool developed by the Honeynet Project to monitor the behavior of an intruder even when the intruder uses session encryption[6]. Sebek operates as a hidden kernel module which covertly exports log data to the logging system.

The GenII honeynet architecture gathers very detailed



Hflowd data fusion.

[Slide reproduces page 4 of Balas and Viecco, “Towards a Third Generation Data Capture Architecture for Honeynets”:]

To augment our understanding of the network activity and the hosts at either side of a communication, we added passive operating system fingerprinting capability, provided by the p0f[13] tool. P0f is also a pcap based monitor that provides an estimate of the operating system (OS) used by the host that initiates a TCP connection. This data is useful for two reasons. First, across flows it allows one to see if the apparent host OS is changing for a given IP source, providing an indication that the host might be behind a NAT. Second, OS identification can improve the accuracy of IDS events through the process of passive alert verification[14][15]. For instance, in a situation where an apache mod_ssl exploit[16] is launched against a non-linux host, the system could detect this discrepancy and treat the alert with a lower priority, similar to the approach taken by RNA[14] (see footnote 2).

The addition of the Argus and p0f data to the Snort and packet capture data provides a more comprehensive representation of events than provided in the GenII design. Further, this new data can be organized around the concept of a network flow. However, additional data sources are needed to bridge the relational gap between the network flows and processes on a host.

To bridge this gap we enhanced Sebek [6] to monitor network activity from the host’s perspective. Sebek is a kernel based data capture tool designed to be installed on high interaction honeypots [1]. Balas modified Sebek to monitor socket, process and file activity [17]. These modifications provided three necessary capabilities.

First, Sebek was enhanced to monitor socket activity. Whenever a honeypot accepts or creates a network connection, Sebek records the IP level attributes as well as the corresponding host, process and inode. This allows us to relate a network flow to the specific open inode and file descriptor used by a process to service the connection. This data is integral to providing a composite view of the incident that transcends flow and host data. Once a network connection associated with an intrusion attempt is observed, we immediately know which inode and process the intrusion was tied to. Using this data we can quickly identify related information such as the keystrokes captured by Sebek.

Second, Sebek was enhanced to monitor process creation. This monitoring allows us to relate one process to another, rebuilding the process tree. This is important in intrusion analysis for it allows us to track the intrusion forward from the point of intrusion, identifying all processes created, and any other causally related system activity, such as outbound network connections[8]. The same capability can be used in reverse: if we see an outbound connection on a honeypot, we can back track to identify the point of intrusion.

Lastly, the ability to monitor the opening of files was added. Coupled with the process tree this allows us to identify all files accessed as part of an intrusion. This knowledge can in turn be used to prioritize data analysis efforts. As an example, presume that a specific intruder likes to place his/her files in a unique location in the file system. Once this location is identified, we can quickly search preexisting data for any prior indications of the same intruder’s presence. This capability can also be used to create a crude form of Honeytoken[18] where the act of accessing a certain file might be deemed an interesting event requiring further investigation.

Footnote 2: p0f can only estimate the OS of the TCP initiator; in this example the OS of the host under attack is known either by manual introduction of the OS by the administrator, as with a honeypot, or through previous TCP connections initiated by the particular host.

[Fig. 3. Data collection and fusion diagram: Honeynet Ethernet → raw socket / libpcap → daemons p0f (passive OS detector), Snort (intrusion detection system), Argus (flow monitor) and a traffic recorder, plus the Sebek data collector in the kernel → Hflowd data fusion → Hflow DB (relational data access) and pcap (raw data access).]

B. Data Fusion

Hflow was developed to combine each of these data sources into a composite relational model. It continually consumes data from each source, fusing it based on identifiable relationships, and it then loads this data into a database.

Hflow receives Argus flow, Snort IDS, p0f OS fingerprints and Sebek data. This data once combined is then inserted into a database.

Flow related data, such as Argus and Snort, are correlated based on corresponding tuples consisting of the IP protocol number, the source and destination IP addresses and, if applicable, port numbers which fall within the same
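The fusion step the paper describes can be shown end to end. The block below is an added illustration written for this page, not Hflow's code: constructed sample records stand in for Argus flows, Snort alerts, p0f fingerprints and the enhanced Sebek socket and process records, and the functions join them on the (protocol, source, destination, ports) tuple within a time window, apply passive alert verification against the honeypot's known OS, flag an IP whose apparent OS changes (a NAT indication), and walk the process tree from an outbound connection back to the point of intrusion. The field names and the 60-second window are assumptions.

```python
"""Hflow-style data fusion for a honeynet, as a standalone illustration.

All records are constructed samples in a simplified form of what Argus,
Snort, p0f and the enhanced Sebek emit; the honeypot is 10.0.0.5 and the
attacker 192.0.2.10 (documentation addresses).
"""
from collections import defaultdict
from typing import List, Tuple

Key = Tuple[int, str, int, str, int]   # (proto, src, sport, dst, dport)
WINDOW = 60                              # seconds; assumed correlation window


def key_of(r: dict) -> Key:
    return (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])


FLOWS = [  # Argus-style flow records, one per connection
    {"t": 100, "proto": 6, "src": "192.0.2.10", "sport": 40001,
     "dst": "10.0.0.5", "dport": 443, "bytes": 2200},
    {"t": 130, "proto": 6, "src": "10.0.0.5", "sport": 51000,
     "dst": "198.51.100.7", "dport": 6667, "bytes": 900},
]
ALERTS = [  # Snort-style alerts, annotated with the OS family the signature targets
    {"t": 101, "proto": 6, "src": "192.0.2.10", "sport": 40001,
     "dst": "10.0.0.5", "dport": 443,
     "sig": "WEB-MISC mod_ssl exploit attempt (constructed)", "target_os": "Linux"},
    {"t": 300, "proto": 6, "src": "192.0.2.10", "sport": 40002,
     "dst": "10.0.0.5", "dport": 445,
     "sig": "NETBIOS SMB exploit attempt (constructed)", "target_os": "Windows"},
]
P0F = [  # p0f fingerprints: only the TCP initiator can be estimated
    {"t": 100, "src": "192.0.2.10", "os": "Linux 2.4"},
    {"t": 400, "src": "192.0.2.10", "os": "Windows XP"},   # same IP, different OS
]
SEBEK_SOCKETS = [  # enhanced Sebek: connection -> host process and inode
    {"t": 100, "proto": 6, "src": "192.0.2.10", "sport": 40001,
     "dst": "10.0.0.5", "dport": 443, "pid": 1201, "inode": 77},
    {"t": 130, "proto": 6, "src": "10.0.0.5", "sport": 51000,
     "dst": "198.51.100.7", "dport": 6667, "pid": 1310, "inode": 91},
]
SEBEK_PROCS = [  # enhanced Sebek: process creation records
    {"pid": 1201, "ppid": 1, "cmd": "httpd"},
    {"pid": 1300, "ppid": 1201, "cmd": "/bin/sh"},
    {"pid": 1310, "ppid": 1300, "cmd": "./bot"},
]
HONEYPOT_OS = {"10.0.0.5": "Linux"}  # known a priori for a honeypot (paper's footnote 2)


def fuse() -> List[dict]:
    """Join alerts and Sebek socket records onto each flow by 5-tuple and time."""
    by_key = defaultdict(list)
    for a in ALERTS:
        by_key[key_of(a)].append(("alert", a))
    for s in SEBEK_SOCKETS:
        by_key[key_of(s)].append(("sock", s))
    fused = []
    for f in FLOWS:
        rec = {"flow": f, "alerts": [], "pid": None, "inode": None}
        for kind, r in by_key.get(key_of(f), []):
            if abs(r["t"] - f["t"]) > WINDOW:
                continue                      # same tuple, but a different session
            if kind == "alert":
                rec["alerts"].append(r)
            else:
                rec["pid"], rec["inode"] = r["pid"], r["inode"]
        fused.append(rec)
    return fused


def verify_alert(alert: dict) -> str:
    """Passive alert verification: an exploit aimed at an OS the target does not
    run gets a lower priority. The target's OS comes from honeypot configuration,
    because p0f only fingerprints the initiator."""
    actual = HONEYPOT_OS.get(alert["dst"])
    if actual is None:
        return "unknown"
    return "high" if actual == alert["target_os"] else "low"


def nat_suspects(fingerprints: List[dict]) -> List[str]:
    """An IP whose apparent OS changes across flows may sit behind a NAT."""
    seen = defaultdict(set)
    for fp in fingerprints:
        seen[fp["src"]].add(fp["os"])
    return sorted(ip for ip, oses in seen.items() if len(oses) > 1)


def ancestry(pid: int) -> List[int]:
    """Walk the Sebek process tree from a pid back towards init (pid 1)."""
    parent = {p["pid"]: p["ppid"] for p in SEBEK_PROCS}
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] != 1:
        chain.append(parent[chain[-1]])
    return chain


def trace_outbound(flow_index: int) -> List[int]:
    """From an outbound flow, find the process chain back to the intruding one."""
    rec = fuse()[flow_index]
    return ancestry(rec["pid"]) if rec["pid"] is not None else []


if __name__ == "__main__":
    for rec in fuse():
        f = rec["flow"]
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} pid={rec['pid']} "
              f"alerts={[(a['sig'], verify_alert(a)) for a in rec['alerts']]}")
    print("NAT suspects:", nat_suspects(P0F))
    print("outbound flow 1 traces back through pids", trace_outbound(1))
```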




MWCollect: Nepenthes, HoneyTrap and HoneyBow.

MWCollect

- MWCollect (sort of) is an alliance of malware researchers and software engineers
- ...and less pretty, it is the dead parent process from which Nepenthes was forked
- Houses Nepenthes, HoneyTrap and HoneyBow
- State-of-art (scientific) research on malware
  - Reverse engineering polymorphic shellcodes
  - Call-flow graph (binary) analysis
  - Et cetera


Nepenthes.

Nepenthes architecture

- Low-interaction malware collection honeypot
- Emulates known vulnerabilities and captures the malware trying to exploit them
  - E.g. NetDDE, LSASS, DCOM, ASN1, MSSQL, UPNP, IIS vulns
- Modular arch: vuln-*, shellcode-*, download-*, submit-*
- Extensions are being developed for call-flow graphs and binary shellcode analysis
- Nepenthes is a fork() of mwcollect (way back)


Nepenthes.

[Diagram: the Nepenthes module pipeline, reconstructed as a list]

- Listening ports: tcp/445, tcp/135, tcp/80, tcp/...
- Nepenthes core, with helper modules: geolocation-hostip, geolocation-geoip, module-portwatch, log-download, log-irc, dnsresolve-adns
- vuln-* modules (vuln-lsass, vuln-dcom, vuln-asn1, vuln-wins, ...) emulate the vulnerable service and receive the EXPLOIT
- shellcode-* modules (shellcode-generic, shellemu-winnt) analyze the PAYLOAD and extract the MALWARE URL
- download-* modules (download-tftp, download-ftp, download-http, download-link, ...) fetch the MALWARE!
- submit-* modules (submit-file, submit-xmlrpc, submit-norman) store or forward the captured binary


HoneyTrap and HoneyBow.

HoneyTrap

- Low-interaction malware collection honeypot
- HoneyTrap handles all incoming requests to unbound (!) TCP ports
- Does not simulate vulns or services, although the latter is possible through plug-ins
- Suitable for zerodays (unlike Nepenthes)

HoneyBow (future)

- High-interaction malware collection honeypot
- Fairly new: announced in Dec/2006 by China Honeynet Project (no code yet)
- Modular arch: MwWatcher, MwFetcher, MwSubmitter
- Will be interoperable with Nepenthes



Limitations.

Limitations/caveats to honeypot technology
- Complexity is the enemy of security, and honeynets are complex.
- Bugs in emulators
- Privilege escalation
- Known attacks: NoSEBrEaK, Phrack #62/0x07.
- Decoy/false attacks (counter-counter).
- Blackhats exchange and evade IP-ranges of known honeynets
- Auto(re)configuration, higher volatility should help



Honeynet Research Alliance.

Honeynet Research Alliance
- “The Honeynet Research Alliance is a trusted forum of other honeypot research organizations. [...] These organizations subscribe to the Alliance for the purpose of researching, developing and deploying honeypot related technologies and sharing the lessons learned.”


Honeynet Research Alliance (map).

[map of Alliance member organizations]

NL is not represented. Perhaps OS3/SNE should endeavor to?



Future topics.

- Honeysnap
  - CLI tool for high-level analysis of honeynet data
- Unified Data Analysis Framework (UDAF)
  - Library for data acquisition, filtering, fusion, reporting, et cetera
  - Towards visual programming
  - Let's hope it'll be interoperable with IDMEF / GOTEK
- CWSandbox (Carsten Willems)
- SCADA honeynets
  - Cisco CIAG: scadahoneynet.sf.net
  - PLC simulation; MODBUS, DNP
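What "PLC simulation; MODBUS" amounts to, as an added example written for this lesson (it is not code from the Cisco CIAG SCADA HoneyNet project). A fake PLC speaks enough Modbus/TCP to look alive: it parses the MBAP header (transaction id, protocol id 0, length, unit id), answers Read Holding Registers (function 0x03) from a constructed register bank, echoes Write Single Register (0x06) as the specification requires, and returns a Modbus exception for anything else. Every request is logged, since for a honeypot the write attempts and the unsupported function codes are the interesting part. The register contents, the choice of only two function codes, and the unprivileged port 5020 are assumptions of this example.

```python
import socketserver
import struct

# Constructed register bank for the fake PLC (assumption: 16 holding registers
# holding arbitrary "process" values so a scanner sees something plausible).
HOLDING_REGISTERS = [0x0000, 0x0101, 0x0200, 0x1234, 0x0000, 0x0001, 0x0064, 0x00C8,
                     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000]

FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
EX_ILLEGAL_FUNCTION, EX_ILLEGAL_ADDRESS, EX_ILLEGAL_VALUE = 0x01, 0x02, 0x03


def parse_mbap(frame):
    """Split a Modbus/TCP frame into (transaction id, unit id, PDU).
    MBAP = tid(2) pid(2, always 0) length(2) unit(1); length counts unit id + PDU."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return tid, unit, frame[7:]


def build_frame(tid, unit, pdu):
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def exception_pdu(fc, code):
    """Modbus exception: function code with the high bit set, then the exception code."""
    return bytes([fc | 0x80, code])


def handle_pdu(pdu, registers, log):
    """Answer one PDU against `registers`; append (action, address, value) to `log`."""
    fc = pdu[0]
    if fc == FC_READ_HOLDING:
        if len(pdu) != 5:
            return exception_pdu(fc, EX_ILLEGAL_VALUE)
        addr, qty = struct.unpack(">HH", pdu[1:5])
        log.append(("read_holding", addr, qty))
        if not 1 <= qty <= 125:                  # spec limit for one read
            return exception_pdu(fc, EX_ILLEGAL_VALUE)
        if addr + qty > len(registers):
            return exception_pdu(fc, EX_ILLEGAL_ADDRESS)
        values = registers[addr:addr + qty]
        return bytes([fc, 2 * qty]) + struct.pack(">%dH" % qty, *values)
    if fc == FC_WRITE_SINGLE:
        if len(pdu) != 5:
            return exception_pdu(fc, EX_ILLEGAL_VALUE)
        addr, value = struct.unpack(">HH", pdu[1:5])
        log.append(("write_single", addr, value))
        if addr >= len(registers):
            return exception_pdu(fc, EX_ILLEGAL_ADDRESS)
        registers[addr] = value      # nothing physical changes, but later reads stay consistent
        return pdu                   # per spec the response echoes the request
    log.append(("unsupported", fc, None))
    return exception_pdu(fc, EX_ILLEGAL_FUNCTION)


def handle_frame(frame, registers, log):
    """Full request -> response for one Modbus/TCP frame (raises ValueError on garbage)."""
    tid, unit, pdu = parse_mbap(frame)
    return build_frame(tid, unit, handle_pdu(pdu, registers, log))


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


class ModbusHandler(socketserver.BaseRequestHandler):
    def handle(self):
        while True:
            hdr = recv_exact(self.request, 7)
            if hdr is None:
                return
            length = struct.unpack(">H", hdr[4:6])[0]
            body = recv_exact(self.request, length - 1)
            if body is None:
                return
            try:
                resp = handle_frame(hdr + body, self.server.registers, self.server.log)
            except ValueError:
                return                           # malformed frame: drop the client
            self.request.sendall(resp)
            print(self.client_address, self.server.log[-1])


def serve(host="127.0.0.1", port=5020):
    srv = socketserver.ThreadingTCPServer((host, port), ModbusHandler)
    srv.registers = list(HOLDING_REGISTERS)
    srv.log = []
    srv.serve_forever()


if __name__ == "__main__":
    serve()
```

A real deployment would bind port 502, add the function codes the targeted PLC family actually exposes (coils, input registers, device identification) and ship the log off-host the way a HoneyWall does; the point of the example is that even this much lets a Modbus scanner enumerate "registers" and makes every write attempt visible.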


Summary

Topics that have been discussed
- Definitions and purpose
- Past, present, future
- Most important: HoneyD, Honeynet/HoneyWall, Sebek, Nepenthes
- Limitations


Feedback!

Questions regarding this lesson?