Honeypots mailing list archives

RE: Final Year Project Ideas


From: Steven Trewick <STrewick () joplings co uk>
Date: Thu, 13 May 2004 14:43:01 +0100


Hi Reena, 

Are you looking for a development project (e.g. creating/deploying honeypots, etc.) or an analysis project (e.g. collecting and analysing data from a honeypot), or some combination thereof?


:-)




-----Original Message-----
From: Reena Pau [mailto:rp302 () ecs soton ac uk]
Sent: 13 May 2004 13:49
To: Dan Hawrylkiw; 'dcneting'; focus-virus () securityfocus com;
honeypots () securityfocus com
Subject: Final Year Project Ideas


Hi,
I am currently at Southampton Uni, UK. I have just completed my second year research project on honeypots and how they are contributing to the fight against cyber crime. I would like to develop this project a lot further in the third year for my final year project! I am however stuck for ideas..... I have got unlimited uni resources (the ECS department is amazing here at Southampton Uni)..... so it's just a case of getting ideas. I am particularly interested in the psychology of hacking...etc.

Lance, I don't know if this e-mail is too 'basic' or inappropriate for the forum!

ANY ideas would be fab!!!
Regards
Reena






----- Original Message -----
From: "Dan Hawrylkiw" <idontcheckthisaccount () panira net>
To: "'dcneting'" <ansiry () tm net my>; <focus-virus () securityfocus com>;
<honeypots () securityfocus com>
Sent: Thursday, May 13, 2004 8:28 AM
Subject: RE: any other tool to detect worm?



The most appropriate answer to your questions depends on 1.) what information you want, 2.) how much you're willing to configure (preparation), and 3.) the amount of analysis you're willing to put into it (sustaining).

For myself:
1.) When a new worm hits, I want to know how it gets into the victim, what it does to the victim, and how it scans/propagates. I also want network traces and code samples. Oh yeah- I also want to be notified within a couple of minutes after this happens. :)
2.) I'm willing to do pre-work if it reduces the day-to-day analysis required.
3.) I do everything possible to avoid having to review the same old boring noise (scans, probes, and failed exploit attempts) on a daily basis.

I'll spare the list from one of my diatribes on signature-based IDSs and worms. By itself, signature-based NIDS is hit-and-(usually)miss against new worms. On a typical network, you *can* increase your ability to pick up anomalous traffic, but the cost is a substantial increase in alerts that must be reviewed.

If NIDS is used to monitor a honeypot, several new options open up. It isn't too difficult to filter out the everyday noise and capture everything else. I monitor my honeypots with SNORT, but I create pass rules for everything I don't care about- including scans against closed ports, old worm attacks that the honeypot isn't vulnerable to, and script kiddie noise. Everything that isn't filtered will either be picked up in the current ruleset or the catchall rules I've configured. Basically, my honeypots are monitored by an 'inverse' NIDS that alerts on everything except scans and well-known attacks.

As far as honeypots designed to detect or capture new worms, there's only one way to go, and that's high-interaction. The only way to emulate an OS's response to an unknown attack is to, --well--, use *the* OS! I prefer to run vulnerable machines in VMware and have the host OS perform additional monitoring. For worm-detecting honeypots, I typically set up Windows 2000 machines and leave them several months behind on patches. If you're interested in capturing attacks against a specific critical update, make sure the honeypot is patched against everything but that update. I usually enable auditing on the honeypot and configure the host OS to capture all packets sent to/from the guest OS. I run scripts that parse the monitored traffic and trigger when the guest OS starts talking on the network. (You probably won't want to trigger on reset packets, ICMP errors/replies, and responses to simple probes.) After the monitoring script triggers, it shuts down VMware, pages me with the last 2-3 packets, and shuts down the host OS.

Yeah, sure, you can do inline filtering, use HIDS, run tripwire, etc., etc. The point is that NIDS and honeypots work well together. What I mentioned above has been rather successful at detecting new worms, and rarely falls prey to hackers playing with the 'latest sploits' before a worm is released.

/Dan Hawrylkiw, CISSP, GCIA, RHCE
Phoenix Area Network Intrusion Research Alliance

  "to have good ideas, you have to have a lot of ideas"
-Linus Pauling

-----Original Message-----
From: dcneting [mailto:ansiry () tm net my]
Sent: Friday, April 30, 2004 5:20 PM
To: focus-virus () securityfocus com; honeypots () securityfocus com
Subject: any other tool to detect worm?




________________________________

From: dcneting [mailto:ansiry () tm net my]
Sent: Saturday, May 01, 2004 8:18 AM
To: 'focus-virus () securityfocus com'
Subject: any other tool to detect worm?


Are there any tools that I can use to just detect worm-like activity besides honeyd? If there are, how can I use them to detect worms (known and unknown), preferably on an open source platform?
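Dan's "guest starts talking" trigger, written out as an added example (this is not Dan's script or any project's code): it replays a constructed packet trace, ignores the guest's resets, ICMP errors/replies and answers to connections that outside hosts opened, and fires with the last three packets the first time the guest initiates traffic of its own. The guest address, the peer addresses and every packet are constructed for the example.

```python
# Added example, not Dan's script: the "guest started talking" trigger he describes,
# run over a constructed packet trace. A packet is a dict with src/dst, ports,
# proto ("tcp"/"udp"/"icmp") and either TCP flags or an ICMP type.
from collections import deque

GUEST_IP = "192.0.2.10"  # constructed address of the VMware guest (the honeypot)

def is_expected_response(pkt, inbound_flows):
    """True when a guest-sourced packet merely answers something that came in:
    a TCP reset, an ICMP error or echo reply, or a segment/datagram on a flow
    that an outside host opened (its reverse 4-tuple was seen inbound)."""
    if pkt["proto"] == "icmp":
        return pkt["icmp_type"] != 8  # anything but an echo request is an answer
    if pkt["proto"] == "tcp" and "R" in pkt["flags"]:
        return True
    return (pkt["dst"], pkt["dport"], pkt["sport"], pkt["proto"]) in inbound_flows

def egress_trigger(packets, context=3):
    """Replay packets in order. Return (offending packet, last `context` packets)
    the first time the guest initiates traffic, or None if it only ever replied.
    The caller would stop the VM and page the operator with the context."""
    inbound_flows = set()
    recent = deque(maxlen=context)
    for pkt in packets:
        recent.append(pkt)
        if pkt["dst"] == GUEST_IP:  # remember who talked to the honeypot first
            inbound_flows.add((pkt["src"], pkt["sport"], pkt["dport"], pkt["proto"]))
        elif pkt["src"] == GUEST_IP and not is_expected_response(pkt, inbound_flows):
            return pkt, list(recent)
    return None

# Constructed trace: port scan, ping, exploit attempt on 135, then worm-like egress.
PACKETS = [
    {"src": "198.51.100.5", "sport": 40000, "dst": GUEST_IP, "dport": 22, "proto": "tcp", "flags": "S"},
    {"src": GUEST_IP, "sport": 22, "dst": "198.51.100.5", "dport": 40000, "proto": "tcp", "flags": "RA"},
    {"src": "198.51.100.5", "sport": 0, "dst": GUEST_IP, "dport": 0, "proto": "icmp", "icmp_type": 8},
    {"src": GUEST_IP, "sport": 0, "dst": "198.51.100.5", "dport": 0, "proto": "icmp", "icmp_type": 0},
    {"src": "198.51.100.5", "sport": 40001, "dst": GUEST_IP, "dport": 135, "proto": "tcp", "flags": "S"},
    {"src": GUEST_IP, "sport": 135, "dst": "198.51.100.5", "dport": 40001, "proto": "tcp", "flags": "SA"},
    {"src": GUEST_IP, "sport": 1031, "dst": "10.0.0.7", "dport": 445, "proto": "tcp", "flags": "S"},
]

if __name__ == "__main__":
    hit = egress_trigger(PACKETS)
    if hit:
        pkt, ctx = hit
        print(f"guest initiated {pkt['proto']} to {pkt['dst']}:{pkt['dport']}; last packets: {ctx}")
```

On the constructed trace only the final SYN from the guest to 10.0.0.7:445 fires; the reset, echo reply and SYN-ACK are all classified as answers.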






