Honeypots mailing list archives
RE: Final Year Project Ideas
From: Steven Trewick <STrewick () joplings co uk>
Date: Thu, 13 May 2004 14:43:01 +0100
Hi Reena,

Are you looking for a development project (eg creating/deploying honeypots, etc) or an analysis project (eg collect and analyse data from honeypot), or some combination thereof? :-)
-----Original Message-----
From: Reena Pau [mailto:rp302 () ecs soton ac uk]
Sent: 13 May 2004 13:49
To: Dan Hawrylkiw; 'dcneting'; focus-virus () securityfocus com; honeypots () securityfocus com
Subject: Final Year Project Ideas

Hi,

I am currently at Southampton Uni, UK. I have just completed my second year research project on honeypots and how they are contributing to the fight against cyber crime. I would like to develop this project a lot further in the third year for my final year project! I am however stuck for ideas..... I have got unlimited uni resources (the ECS department is amazing here at Southampton Uni)..... so it's just a case of getting ideas. I am particularly interested in the psychology of hacking...etc

Lance, I don't know if this e-mail is too 'basic' or inappropriate for the forum! ANY ideas would be fab!!!

Regards
Reena

----- Original Message -----
From: "Dan Hawrylkiw" <idontcheckthisaccount () panira net>
To: "'dcneting'" <ansiry () tm net my>; <focus-virus () securityfocus com>; <honeypots () securityfocus com>
Sent: Thursday, May 13, 2004 8:28 AM
Subject: RE: any other tool to detect worm?

The most appropriate answer to your questions depends on 1.) what information you want, 2.) how much you're willing to configure (preparation), and 3.) the amount of analysis you're willing to put into it (sustaining).

For myself:
1.) When a new worm hits, I want to know how it gets into the victim, what it does to the victim, and how it scans/propagates. I also want network traces and code samples. Oh yeah- I also want to be notified within a couple minutes after this happens. :)
2.) I'm willing to do pre-work if it reduces the day-to-day analysis required
3.) I do everything possible to avoid having to review the same old boring noise (scans, probes, and failed exploit attempts) on a daily basis.

I'll spare the list from one of my diatribes on signature-based IDS' and worms. By itself, signature based NIDS is hit-and-(usually)miss against new worms.
On a typical network, you *can* increase your ability to pick up anomalous traffic, but the cost is a substantial increase in alerts that must be reviewed. If NIDS is used to monitor a honeypot, several new options open up. It isn't too difficult to filter out the everyday noise and capture everything else. I monitor my honeypots with SNORT, but I create pass rules for everything I don't care about- including scans against closed ports, old worm attacks that the honeypot isn't vulnerable to, and script kiddie noise. Everything that isn't filtered will either be picked up in the current ruleset or the catchall rules I've configured. Basically, my honeypots are monitored by an 'inverse' NIDS that alerts on everything except scans and well-known attacks.

As far as honeypots designed to detect or capture new worms; there's only one way to go, and that's high-interaction. The only way to emulate an OS' response to an unknown attack is to, --well--, use *the* OS! I prefer to run vulnerable machines in VMware and have the host OS perform additional monitoring. For worm detecting honeypots, I typically set up Windows 2000 machines and leave them several months behind on patches. If you're interested in capturing attacks against a specific critical update, make sure the honeypot is patched against everything but that update. I usually enable auditing on the honeypot and configure the host OS to capture all packets sent to/from the guest OS. I run scripts that parse the monitored traffic and trigger when the guest OS starts talking on the network. (You probably won't want to trigger on reset packets, ICMP errors/replies, and responses to simple probes.) After the monitoring script triggers, it shuts down VMware, pages me with the last 2-3 packets, and shuts down the host OS.

Yeah, sure, you can do inline filtering, use HIDS, run tripwire, etc, etc. The point is that NIDS and honeypots work well together.
What I mentioned above has been rather successful at detecting new worms, and rarely falls prey to hackers playing with the 'latest sploits' before a worm is released.

/Dan Hawrylkiw, CISSP, GCIA, RHCE
Phoenix Area Network Intrusion Research Alliance
"to have good ideas, you have to have a lot of ideas" -Linus Pauling

-----Original Message-----
From: dcneting [mailto:ansiry () tm net my]
Sent: Friday, April 30, 2004 5:20 PM
To: focus-virus () securityfocus com; honeypots () securityfocus com
Subject: any other tool to detect worm?

________________________________
From: dcneting [mailto:ansiry () tm net my]
Sent: Saturday, May 01, 2004 8:18 AM
To: 'focus-virus () securityfocus com'
Subject: any other tool to detect worm?

is there any tools that i can use to just detect worm-like activity besides that using honeyd? if there is, how can i use it to detect worms (known and unknown), preferably open source platform.

---
Incoming mail checked for known viruses
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.680 / Virus Database: 442 - Release Date: 09/05/04
The information contained in this e-mail is confidential and may be privileged, it is intended for the addressee only. If you have received this e-mail in error please delete it from your system. The statements and opinions expressed in this message are those of the author and do not necessarily reflect those of the company. Whilst Joplings Group operates an e-mail anti-virus program it does not accept responsibility for any damage whatsoever that is caused by viruses being passed. joplings.co.uk
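The monitoring script Dan describes in the quoted message (trigger when the guest OS starts talking on the network, but not on resets, ICMP errors/replies or responses to simple probes, then page out the last 2-3 packets) is easy to get subtly wrong, so here is an added worked example of that trigger logic. It is not Dan's script or any project's code: it runs over a constructed, simplified packet log rather than a live VMware host capture, and the log format, the guest address 10.0.0.5 and the field names are assumptions made for this example.

```python
"""Trigger on honeypot-guest-initiated traffic.

Added example, not Dan Hawrylkiw's own monitoring script. It applies the
trigger logic from the quoted message to a constructed, simplified packet
log instead of a live host-side capture. The log format, the guest address
and the field names are assumptions made for this example.
"""
from collections import deque

GUEST_IP = "10.0.0.5"  # assumed address of the vulnerable guest OS

# ICMP types that are replies or errors; the guest sends these only in
# response to someone else's packet, so they never count as guest-initiated.
ICMP_PASSIVE_TYPES = {0, 3, 11}  # echo reply, dest unreachable, time exceeded


def parse_line(line):
    """Parse one constructed log line: 'ts proto src:port dst:port extra'.

    'extra' holds TCP flags (S, SA, RA, PA ...), the ICMP type, or '-' for UDP.
    """
    ts, proto, src, dst, extra = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": int(ts), "proto": proto,
        "src": src_ip, "sport": int(src_port),
        "dst": dst_ip, "dport": int(dst_port),
        "extra": extra,
    }


class GuestTrafficMonitor:
    """Alerts the first time the guest talks on the network unprompted."""

    def __init__(self, guest_ip, context=3):
        self.guest_ip = guest_ip
        # Flows opened from outside, keyed so that a later guest packet
        # answering them is recognised as a response rather than a trigger.
        self.inbound = set()
        # Ring buffer of the most recent packets, paged out with the alert.
        self.recent = deque(maxlen=context)

    def is_passive_reply(self, pkt):
        if pkt["proto"] == "tcp" and "R" in pkt["extra"]:
            return True  # reset answering a probe of a closed port
        if pkt["proto"] == "icmp" and int(pkt["extra"]) in ICMP_PASSIVE_TYPES:
            return True  # ICMP error or echo reply
        # A guest packet back to the exact remote ip/port that hit this guest
        # port is a response. The same remote IP on a different port (the guest
        # connecting back out after being exploited) is not, and must trigger.
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["sport"]) in self.inbound

    def feed(self, pkt):
        """Return an alert dict if this packet is guest-initiated, else None."""
        self.recent.append(pkt)
        if pkt["dst"] == self.guest_ip:
            self.inbound.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dport"]))
            return None
        if pkt["src"] != self.guest_ip or self.is_passive_reply(pkt):
            return None
        return {
            "ts": pkt["ts"],
            "flow": f'{pkt["proto"]} {pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}',
            "context": list(self.recent),  # the last few packets, trigger included
        }


def first_trigger(log_lines, guest_ip=GUEST_IP):
    """Feed the log in order and stop at the first alert, as the host does
    when it powers the VM off. Returns the alert dict or None."""
    monitor = GuestTrafficMonitor(guest_ip)
    for line in log_lines:
        if not line.strip():
            continue
        alert = monitor.feed(parse_line(line))
        if alert is not None:
            return alert
    return None


# Constructed sample capture: three kinds of noise, then a real trigger.
SAMPLE_LOG = [
    "1 tcp 192.0.2.10:40000 10.0.0.5:445 S",      # scan hits an open port
    "2 tcp 10.0.0.5:445 192.0.2.10:40000 SA",     # guest answers: response, ignore
    "3 tcp 192.0.2.10:40001 10.0.0.5:1433 S",     # scan hits a closed port
    "4 tcp 10.0.0.5:1433 192.0.2.10:40001 RA",    # reset: ignore
    "5 icmp 192.0.2.11:0 10.0.0.5:0 8",           # ping
    "6 icmp 10.0.0.5:0 192.0.2.11:0 0",           # echo reply: ignore
    "7 tcp 10.0.0.5:1025 198.51.100.7:445 S",     # guest scans out on 445: trigger
    "8 tcp 10.0.0.5:1026 198.51.100.8:445 S",     # never reached; VM is already down
]

if __name__ == "__main__":
    alert = first_trigger(SAMPLE_LOG)
    if alert:
        print("guest-initiated traffic:", alert["flow"])
        for p in alert["context"]:
            print("  ", p["ts"], p["proto"], p["src"], p["sport"], "->",
                  p["dst"], p["dport"], p["extra"])
```

The flow key deliberately includes the guest-side port, so an inbound probe only whitelists the guest's answer on that same port; if the guest later opens a fresh connection to the same remote host, it is treated as guest-initiated. On a real Windows guest the same approach needs a small allow-list for the guest's own routine chatter (name resolution, time sync and the like), which is the "everyday noise" the quoted message filters with pass rules.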
Current thread:
- RE: Final Year Project Ideas Steven Trewick (May 15)
- RE: Final Year Project Ideas Curt Purdy (May 16)