Honeypots mailing list archives
Re: Help... Distributed Honeynets
From: victor calzado <vcalzado () gmail com>
Date: Mon, 31 Jan 2005 18:26:25 +0100
Hi David,

On Fri, 28 Jan 2005 19:06:14 -0600, David Jiménez Domínguez <djdsecurity () gmail com> wrote:

> Hi list... I'm thinking about the development of a distributed honeynet infrastructure in a university. It has affiliates who would develop their own honeynet around the country.... I would like to watch all the traffic of these honeynets in a central location in almost real time. What kind of tools, technology, or ideas would you recommend to me??
What kind of honeypots do you need to deploy? If you are only interested in logging in a low interaction environment, perhaps remote syslog could be perfect for you, at least in the first stages of the development. Connections will be logged in a remote syslog where alerts could be generated. Honeyd scripts could be easily modified to send alerts to syslog logging with the Net::Syslog perl extension, so you could even log script information. syslog-ng, msyslog or any other modification of syslog could be used to improve performance and to add additional functionalities such as database logging. IPSEC tunneling or a simple ssh port forwarding could be used to protect data from tampering with almost no extra work.

The distributed network will work as a distributed passive sensor network in "real time". This could be very useful against distributed denial of service, worms, spammer activities or even when someone is very interested in breaking through a really big network. Latency and performance should be pretty similar to a general purpose remote syslog server, so it probably won't be an issue. After using the "network" for a month you will probably have enough data to test remote syslog solution performance and you will be able to tune logging facilities in the systems. You will also get a high amount of data to test the ability of your log analyzer to correlate patterns, so DDoS attacks or worms and spammers activities could be easily detected.

It's very easy to think of more complex deployments of honeypot sensors, and better logging systems could be implemented, but I think the real "work" will start in the log host, which should be able to correlate logs from all the network sensors so you get not only a centralized logging and filtering system but a real distributed sensor engine.

Log correlation is a critical issue in Intrusion Detection on a single host system, so getting distributed correlation doesn't seem an easy task, but I'm sure there's a lot of information and GPL software that could do the work at least in the first stages of the deployment. I'm thinking of low interaction honeypots because high interaction systems seem useless in distributed networks, but it's only a personal opinion. If you want to use Honeywall and Sebek in high interaction honeypots you will get a lot of problems, even bandwidth problems, and the high amount of data collected probably couldn't be used in a Distributed Sensors and Central Log Host scenario.
> Where can I find documentation about it??

You could get information about secure and centralized syslog systems here: http://www.securityfocus.com/infocus/1613

If you want a more complex approach, maybe you will find code and ideas in the snortnet project. Anyway, keep in mind that IDS are a kind of "active sensor" and have to deal with higher network traffic volume than a "passive sensor" like honeynet based sensors, and maybe the remote syslog solution will work fine for you. I don't know if the snortnet project is still active, but you could find useful information here: http://www.netsys.com/library/papers/snortnet.pdf
> What kind of latency problems might exist??

Regards,
Victor

PD: Let me know if you need/want any help

> Kind Regards,
> David Jiménez Domínguez
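As an added example (not code from this thread or from honeyd), here is a minimal central-log-host correlator of the kind Victor describes: it parses constructed honeyd-style syslog lines received from several affiliate sensors and flags any source address that reaches several distinct sensors within a short window, the scanning-worm or coordinated-activity pattern that no single sensor can see on its own. The sensor hostnames, addresses and the honeyd-like message layout are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: BSD-syslog style lines as a central log host might
# receive them from honeyd sensors at several affiliate sites. Hostnames,
# addresses and the honeyd-like message layout are assumptions for this example.
SAMPLE_LOG = """\
Jan 31 18:01:02 sensor-madrid honeyd[812]: tcp(6) S 203.0.113.7 4312 10.0.0.5 445
Jan 31 18:01:09 sensor-sevilla honeyd[455]: tcp(6) S 203.0.113.7 4313 10.0.1.9 445
Jan 31 18:01:40 sensor-bilbao honeyd[901]: tcp(6) S 203.0.113.7 4320 10.0.2.2 445
Jan 31 18:02:15 sensor-madrid honeyd[812]: tcp(6) S 198.51.100.3 1025 10.0.0.5 80
Jan 31 19:30:00 sensor-sevilla honeyd[455]: tcp(6) S 198.51.100.3 1026 10.0.1.9 80
Jan 31 19:30:05 sensor-sevilla sshd[77]: Accepted publickey for admin from 10.0.1.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) honeyd\[\d+\]: "
    r"(?P<proto>\w+)\(\d+\) S (?P<src>[\d.]+) \d+ (?P<dst>[\d.]+) (?P<dport>\d+)$"
)

def parse_lines(text, year=2005):
    """Parse honeyd connection records; BSD syslog carries no year, so supply it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons' lines on the log host are not honeypot hits
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["src"], int(m["dport"])))
    return events

def correlate(events, min_sensors=3, window_s=300):
    """Return {src: (sensors, ports)} for sources that touched at least
    min_sensors distinct sensors within any window_s-second window."""
    by_src = defaultdict(list)
    for ts, host, src, dport in sorted(events):
        by_src[src].append((ts, host, dport))
    hits = {}
    for src, seen in by_src.items():
        for i, (t0, _, _) in enumerate(seen):
            in_win = [e for e in seen[i:] if (e[0] - t0).total_seconds() <= window_s]
            hosts = {h for _, h, _ in in_win}
            if len(hosts) >= min_sensors:
                hits[src] = (sorted(hosts), sorted({p for _, _, p in in_win}))
                break  # first qualifying window is enough to raise the alert
    return hits
```

With the sample above, `correlate(parse_lines(SAMPLE_LOG))` reports only 203.0.113.7, which hit three sensors on port 445 within 38 seconds; the second source is seen by two sensors but 88 minutes apart, so it only surfaces if the window is widened.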