netForensics Honeynet Research Team
Bi-Annual Status Report
03/28/2005

1.0 DEPLOYMENTS
=================

1.1 Current technologies deployed. Please include diagrams, so others could replicate your methods. If this has not changed since the last report, please link to the information so readers can reference (and learn from) it.

Victim server: RedHat Linux 7.x-9 on Intel platform
Control: modified GenII iptables script
Network monitoring: snort 2.3.x, tcpdump, Bro 0.9_x, ipaudit, Snort Spade, Dragon NIDS 5.0, shadow/IDAbench, ngrep, argus, ifmonitor, p0f, pads
Host monitoring: modified bash, sebek2, host syslog, misc application logs
Correlation and analysis: netForensics SIM, ACID, IDAbench, IPAudit HTML GUI, logcheck
Diagram: http://www.chuvakin.org/honeynet

1.2 Lessons learned from the technology, what you like about it.

1. The above provides sufficient monitoring for the activities of amateur attackers. This applies to both the level of detail and the level of stealth.
2. Combining all or most data in a single database makes honeynet monitoring a fairly easy task.

1.3 Lessons learned from the technology, what is lacking, what you would like to see improved.

1. An ability to covertly transfer application logs from the honeypot is sorely needed. Syslog can be channeled off covertly, but various other logs (such as Apache and database logs) cannot.
2. More automation is needed on the analysis side; specifically, more long-term data analysis in the absence of a compromise, as well as automated compromise detection.
3. Better log integration is needed (coming in newer Honeywalls).

2.0 FINDINGS
=============

2.1 Number and type of systems compromised during six month period.

The system was compromised only once, through the AWSTATS hack.

2.2 Highlight any unique findings, attacks, tools, or methods.

The attacker brought some interesting tools, which were forwarded to the analysis list. Several different exploit signatures for the AWSTATS holes were identified.

2.3 Any trends seen in the past six months;

I. Sharp decrease in Linux attacks and compromises
II. Curious persistence of SQL worms
III. The volume of spam probes has increased

2.4 Document data analysis tools and methods being used.

The main data analysis tool was a netForensics SIM solution that integrated most of the data. We use a set of tools to mine the data and extract various actionable patterns, such as a honeynet compromise, changes in IRC activity or changes in probe/attack attempt flow. The data is manually fused with bash logger and sebek activity reports. Upon an incident, the log data is obtained manually from the system and additional [manual] analysis of packet captures is performed.

2.5 For data analysis what tools work well, and what still needs to be developed.

3.0 MISC ACTIVITIES
====================

3.1 Presenting at conferences

1. InfosecNY presentation dealt with log analysis and utilized some of the honeynet data
2. SANS presentation on log mining used the compromise detection as well as other ideas developed off the honeynet research

3.2 Developing, testing or releasing code

1. Data analytics code was developed and refined (not ready for release yet)

3.3 Publication of papers

None

3.4 Involvement in SotM challenges.

1. Ongoing work on the next SotM using the AWSTAT hack data.

3.5 Other

1. Steering committee involvement
2. Paper reviewing
3. Data reporting to kanga

4.0 ORGANIZATIONAL
==================

4.1 Changes in the structure of your organization.

None

5.0 LESSONS LEARNED
===================

5.1 What positive things can you share with the community, so they can replicate your success.

Considering that this was a relatively uneventful half-year, I'd stress the importance of analysis tools to look at the volume of honeynet data: if you want to run a honeynet, you need good data analysis tools to get value even in the absence of a compromise.

5.2 What mistakes can you share with the community, so they don't make the same mistakes.

1. Not deploying Sebek (due to software incompatibility) to get more detailed data
2. Not deploying Windows to catch botnets and possibly credit card abuse or even a phishing scam

6.0 FUTURE GOALS
================

6.1 Plans/Goals for next six months

1. Migrate to a Honeywall-based infrastructure (currently homegrown)
2. Implement
1. Involvement with post-Track3 activities to build a global threat portal for prediction and advanced stat analysis of honeynet data
2. More data mining research on automated compromise discovery
3. Possibly more honeypots online