Honeypots mailing list archives
Final Year Project Ideas
From: "Reena Pau" <rp302 () ecs soton ac uk>
Date: Thu, 13 May 2004 13:49:29 +0100
Hi, I am currently at Southampton Uni, UK. I have just completed my second year research project on honeypots and how they are contributing to the fight against cyber crime. I would like to develop this project a lot further in the third year for my final year project! I am however stuck for ideas..... I have got unlimited uni resources (the ECS department is amazing here at Southampton Uni)..... so it's just a case of getting ideas. I am particularly interested in the psychology of hacking...etc.

Lance, I don't know if this e-mail is too 'basic' or inappropriate for the forum! ANY ideas would be fab!!!

Regards
Reena

----- Original Message -----
From: "Dan Hawrylkiw" <idontcheckthisaccount () panira net>
To: "'dcneting'" <ansiry () tm net my>; <focus-virus () securityfocus com>; <honeypots () securityfocus com>
Sent: Thursday, May 13, 2004 8:28 AM
Subject: RE: any other tool to detect worm?
The most appropriate answer to your questions depends on 1.) what information you want, 2.) how much you're willing to configure (preparation), and 3.) the amount of analysis you're willing to put into it (sustaining).

For myself:
1.) When a new worm hits, I want to know how it gets into the victim, what it does to the victim, and how it scans/propagates. I also want network traces and code samples. Oh yeah- I also want to be notified within a couple of minutes after this happens. :)
2.) I'm willing to do pre-work if it reduces the day-to-day analysis required.
3.) I do everything possible to avoid having to review the same old boring noise (scans, probes, and failed exploit attempts) on a daily basis.

I'll spare the list one of my diatribes on signature-based IDSs and worms. By itself, signature-based NIDS is hit-and-(usually)miss against new worms. On a typical network, you *can* increase your ability to pick up anomalous traffic, but the cost is a substantial increase in alerts that must be reviewed.

If NIDS is used to monitor a honeypot, several new options open up. It isn't too difficult to filter out the everyday noise and capture everything else. I monitor my honeypots with SNORT, but I create pass rules for everything I don't care about- including scans against closed ports, old worm attacks that the honeypot isn't vulnerable to, and script kiddie noise. Everything that isn't filtered will either be picked up by the current ruleset or by the catchall rules I've configured. Basically, my honeypots are monitored by an 'inverse' NIDS that alerts on everything except scans and well-known attacks.

As far as honeypots designed to detect or capture new worms go, there's only one way to go, and that's high-interaction. The only way to emulate an OS's response to an unknown attack is to, --well--, use *the* OS! I prefer to run vulnerable machines in VMware and have the host OS perform additional monitoring.

For worm-detecting honeypots, I typically set up Windows 2000 machines and leave them several months behind on patches. If you're interested in capturing attacks against a specific critical update, make sure the honeypot is patched against everything but that update. I usually enable auditing on the honeypot and configure the host OS to capture all packets sent to/from the guest OS. I run scripts that parse the monitored traffic and trigger when the guest OS starts talking on the network. (You probably won't want to trigger on reset packets, ICMP errors/replies, and responses to simple probes.) After the monitoring script triggers, it shuts down VMware, pages me with the last 2-3 packets, and shuts down the host OS.

Yeah, sure, you can do inline filtering, use HIDS, run tripwire, etc, etc. The point is that NIDS and honeypots work well together. What I mentioned above has been rather successful at detecting new worms, and rarely falls prey to hackers playing with the 'latest sploits' before a worm is released.

/Dan Hawrylkiw, CISSP, GCIA, RHCE
Phoenix Area Network Intrusion Research Alliance
"to have good ideas, you have to have a lot of ideas" -Linus Pauling

-----Original Message-----
From: dcneting [mailto:ansiry () tm net my]
Sent: Friday, April 30, 2004 5:20 PM
To: focus-virus () securityfocus com; honeypots () securityfocus com
Subject: any other tool to detect worm?

________________________________
From: dcneting [mailto:ansiry () tm net my]
Sent: Saturday, May 01, 2004 8:18 AM
To: 'focus-virus () securityfocus com'
Subject: any other tool to detect worm?

Are there any tools that I can use to just detect worm-like activity besides using honeyd? If there are, how can I use them to detect worms (known and unknown)? Preferably an open source platform.
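The two ideas in Dan's post, an 'inverse' monitor that passes known noise and alerts on everything else, and a host-side script that triggers the moment the guest OS initiates traffic of its own, fit in one small detector. The code below is an added example written for this archive page; it is not Dan's script and not part of any project. It assumes the host OS has already captured the guest's packets (with tcpdump or similar) and reduced them to the flat Packet records shown; GUEST_IP, the sample traffic, and the paging message format are constructed for the example. Resets, ICMP replies/errors, and replies inside flows that an outsider opened are treated as noise, exactly the three exclusions Dan lists; the first remaining guest-originated packet is the trigger, and the last three packets are what would be paged out.

```python
"""Outbound-trigger monitor for a high-interaction honeypot guest (added example)."""
from collections import deque, namedtuple

# One captured packet, as a host-side capture would summarise it.
Packet = namedtuple("Packet", "ts src dst proto sport dport flags icmp_type")

GUEST_IP = "192.0.2.10"        # constructed: TEST-NET-1 address standing in for the VMware guest

# ICMP types the guest emits only in reply to someone else's traffic:
# echo reply, destination unreachable, time exceeded.
ICMP_REPLY_OR_ERROR = {0, 3, 11}


def flow_key(pkt):
    """Direction-independent key so a probe and the reply to it map to the same flow."""
    a = (pkt.src, pkt.sport or 0)
    b = (pkt.dst, pkt.dport or 0)
    return (pkt.proto,) + (a + b if a <= b else b + a)


def is_noise(pkt, externally_initiated):
    """Guest-originated traffic that is NOT evidence of the guest acting on its own."""
    if pkt.proto == "tcp" and "R" in pkt.flags:            # resets to closed ports
        return True
    if pkt.proto == "icmp" and pkt.icmp_type in ICMP_REPLY_OR_ERROR:
        return True
    if flow_key(pkt) in externally_initiated:              # reply inside a flow an outsider opened
        return True
    return False


def find_trigger(packets, context=3):
    """Walk packets in capture order. Return (trigger_packet, last_packets) at the
    first packet the guest sends on its own initiative, or None if it never does."""
    externally_initiated = set()
    history = deque(maxlen=context)
    for pkt in packets:
        history.append(pkt)
        if pkt.dst == GUEST_IP and pkt.src != GUEST_IP:
            # Inbound traffic: remember the flow so the guest's answers to it are passed.
            if pkt.proto in ("tcp", "udp"):
                externally_initiated.add(flow_key(pkt))
            continue
        if pkt.src != GUEST_IP or is_noise(pkt, externally_initiated):
            continue
        return pkt, list(history)                          # the catchall: everything else alerts
    return None


def page_text(trigger, history):
    """Short message for a pager/SMS gateway (hypothetical format)."""
    lines = ["HONEYPOT %s initiated traffic at t=%s" % (GUEST_IP, trigger.ts)]
    for p in history:
        lines.append("%s %s:%s -> %s:%s %s" % (p.proto, p.src, p.sport, p.dst, p.dport, p.flags))
    return "\n".join(lines)


# Constructed sample capture: background scan noise, then the guest opening a new connection.
SAMPLE = [
    Packet(1.0, "198.51.100.5", GUEST_IP, "tcp", 40000, 135, "S", None),   # scan of a closed port
    Packet(1.1, GUEST_IP, "198.51.100.5", "tcp", 135, 40000, "RA", None),  # guest resets it: noise
    Packet(2.0, "198.51.100.5", GUEST_IP, "tcp", 40001, 445, "S", None),   # probe of an open port
    Packet(2.1, GUEST_IP, "198.51.100.5", "tcp", 445, 40001, "SA", None),  # reply in that flow: noise
    Packet(3.0, "198.51.100.9", GUEST_IP, "icmp", None, None, "", 8),      # ping from outside
    Packet(3.1, GUEST_IP, "198.51.100.9", "icmp", None, None, "", 0),      # echo reply: noise
    Packet(9.0, GUEST_IP, "203.0.113.7", "tcp", 1034, 445, "S", None),     # guest opens a NEW flow
]

if __name__ == "__main__":
    hit = find_trigger(SAMPLE)
    if hit:
        trig, ctx = hit
        print(page_text(trig, ctx))   # here the real script would suspend the VM and page
    else:
        print("guest quiet")
```

In a live setup the trigger branch is where the VM gets suspended and the pager fires; suspending rather than powering off keeps the infected guest's memory for analysis, which is the data Dan says he wants (traces and code samples).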
Current thread:
- any other tool to detect worm? dcneting (May 01)
- Re: any other tool to detect worm? bugtraq (May 01)
- Re: any other tool to detect worm? James Riden (May 02)
- RE: any other tool to detect worm? Bojan Zdrnja (May 08)
- Re: any other tool to detect worm? Niels Provos (May 08)
- RE: any other tool to detect worm? Dan Hawrylkiw (May 13)
- Final Year Project Ideas Reena Pau (May 13)
- <Possible follow-ups>
- RE: any other tool to detect worm? Taylor, David (May 02)