Domain: honeyd.org
Stories and comments across the archive that link to honeyd.org.
Stories · 2
-
Virtual Honeypots
rsiles writes "Honeynet solutions were seen just as a research technology a couple of years ago. It is not the case anymore. Due to the inherent constraints and limitations of the current and widely deployed intrusion detection solutions, like IDS/IPS and antivirus, it is time to extended our detection arsenal and capabilities with new tools: virtual honeypots. Do not get confused about the book title, specially about the "virtual" term. The main reason to mention virtual honeypots, although the book covers all kind of honeynet/honeypot technologies, is because during the last few years virtualization has been a key element in the deployment of honeynets. It has offered us a significant cost reduction, more flexibility, reusability and multiple benefits. The main drawback of this solution is the detection of virtual environments by some malware specimens." Read below for the rest of Raul's review. Virtual Honeypots: From Botnet Tracking to Intrusion Detection author Niels Provos and Thorsten Holz pages 440 publisher Addison-Wesley Professional rating THE current reference about honeynet technologies and solutions. reviewer Raul Siles ISBN 0321336321 summary improve your capabilities with easy to deploy virtual honeypot solutions The detection of honeypots has always been one of the main concerns in the honeynet community, because if the attacker can identify them, they are useless. For this reason, one of the chapters is just focused on providing some light tips and tricks about what an adversary can really accomplish. In fact, we have not seen lots of real-world incidents where the attacker actively checks the existence of honeynet setups.
The first chapter is a very brief introduction to honeynet technologies and basic tools. You can jump through it if you are not new to this field. Then, the book covers the main two honeypot types: high and low interaction. The high interaction section provides details about the tools to virtualize your honeypots: VMware, UML, or more specific solutions, such as Argos. The low interaction section provides details about some the most relevant honeypot types to cover lots of detection scenarios: worms, traditional server attacks, Google Hacking, Web-based attacks, etc. It is a wide overview that will give you lot of ideas for new deployments.
The whole book has been cooked with a how-to mentality , and it explains in detail how to install and configure the different tools and software elements covered. Additionally, it provides guidelines, best practices, and analysis recommendations for each tool based on the authors experience. However, the how to portions take into account that most of the solutions are Linux-based, and the installation and setup process will vary based on the tool version and the Linux distribution you are using (library dependencies, etc). In any case, the step by step guides are very useful as a general setup reference.
From my perspective, the most valuable part of the book is chapters 4 to 6. The authors, Niels Provos and Throsten Holz, are the lead developers/architects for honeyd (chapter 4 and 5) and nephentes (chapter 6), respectively. These two are the most famous and advanced low-interaction server-based honeypot and malware honeypot. They know what they are talking about, and you cannot find a better reference out there for these two tools. The book is an excellent guide, covering the design principles and innovative deployment ideas, to all kinds of configuration options and possibilities, including limitations on real-world scenarios. Chapter 6 is complemented with other less popular malware-based honeypots (except for Honeytrap).
The book includes some extra material covering academic and research hybrid solutions still in their early stages, which can give you and idea of where these technologies are evolving to and the major challenges we are facing now. This pretty much theoretical content is well balanced with the case studies chapter, where real incidents involving different honeypot types are presented. These are always a fun read and a way of getting experience and learn how to deal with intrusions.
Finally, one of the main expansion areas we are involved today is the creation of new client-based honeypot technologies. This book section (highly recommended) does a great job introducing multiple high and low interaction honeyclients currently available, their benefits and drawbacks (chapter 7). This information is perfectly complemented by the last two chapters, focused on tracking botnets and analyzing malware with sandbox environments. Once a client is compromised, it typically becomes a member of a botnet, and for easy and quick categorization, we start by performing a malware analysis of the specimens. I recommend you to add all this knowledge to your incident handling and response capabilities.
Something I would have liked to see in the book is a section about a fully virtualized honeynet environment, showing how using VMware, you can build up a virtual Honeywall (just slightly mentioned on chapter 2) and different honeypots, creating a complete, cheap, mobile and multi-purpose virtual honeynet infrastructure. Also, we receive multiple questions related to this kind of setup in the Honeynet Project mailing lists, because all the previous whitepapers are obsoleted now. I've been deploying these type of solutions for fun and professionally during the last few years and I strongly recommend you to start using them. You won't be disappointed about how much you can learn of what is going on in your networks and systems, and this book is the best starting point.
If you have any relationship with the intrusion detection, incident handling and forensics, threat analysis, or SOC and CERT security side of things, definitely this book is for you. Go through it and improve your capabilities with easy to deploy virtual honeypot solutions. You just need a (not so new) computer, virtualization software, and some time.
I have been working with honeynets during the last 5 years. We founded the Spanish Honeynet Project on 2004, and almost at the same time we became part of The Honeynet Project and released the Scan of the Month 32. The main honeynet/pot book reference till last year was the book published by the Honeynet Project. As this is a rapidly evolving field, definitely it has been replaced by this book, written by two project members.
You can purchase Virtual Honeypots: From Botnet Tracking to Intrusion Detection from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Slashback: Matrix, Terminology, Topology
Slashback is back from a Thanksgiving hiatus with a bigger-than-usual collection of updates, corrections and followups to previous Slashdot stories, including pretty maps of the Internet, spammers' OS choices, stupidity in the wild, and more. Read on for the details. Of course, Red Hat didn't claim to be the first ... cmeyer writes in response to the news that Red Hat is expected to attain Common Criteria certification. "Linux achieved the first Common Criteria certification back in the beginning of August. It was a joint effort of IBM and SUSE." He points to this August Slashdot posting about the news and to a press release on SUSE's site.Well, it's robust, stable and handy for networking tasks ... Linux and Unix users may be justifiably smug about our machines' resistance to viruses and trogans (including ones that send spam), since most of these things are aimed at Microsoft Windows. Maybe it should be no surprise that spammers like Linux, too:
Niels Provos writes "You might remember Honeyd? I have been using it since June to capture spam emails in an attempt to better understand how spammers operate. A recent feature in Honeyd is passive fingerprinting which allows Honeyd to passively identify the operating system that contacts it. For spammers, it turns out that about 43% seem to be running Linux. And mostly Unix, Windows ranks at around 0.7%. The unknown fraction is 52%, so there might be surprises lurking there."
Apple products must be ripened before consumption. Ipodlounge.com editor Dennis Lloyd was one of several readers to note that, rather than the November date named in the recent 2-year iPod retrospective in the New York Times, the device came out just a bit earlier. "The iPod's anniversary was in October ;) The iPod was officially launched on Oct. 23, 2001. The NYT article is incorrect."
May the tide be with you. Doc Searls writes: "Thought I'd direct your attention to the first half of a transcription of the talk Linus gave on the September Geek Cruise that got Slashdotted a few weeks ago. Can't find the link to the Slashdot item, but as i recall it didn't have the benefit of a real transcription." (Here's the Slashdot post about the cruise.) "This one is not only a full transcription (by yours truly, all disclaimers apply), but features pix of his slides and demos as well."
Searls also has up the second part: "That's the Q&A, which is even longer than the prepared part of the talk," as well as the third: "The third part is a transcription of a talk Linus and others gave to the Victoria Linux Users Group. Shorter than the first two."
Searls' three-part report on the cruise itself ran in Linux Journal.
This way to the Egress! Rick Chapman, author of the recently reviewed In Search of Stupidity , writes to point out that book excerpts are available at insearchofstupdity.com, along with some of the book's illustrations.
"Also, I recently was interviewed live on a local CT business show and I've had the session digitized and am mounting on the site today. It runs about 45 minutes and I discuss a lot of the stuff in the book as well as other issues revolving around software marketing and development. ... I have a lot of samples of really bad things I brought to the taping and I think you'll get a kick out of the session."
They should sell nice prints to buy bandwidth. An anonymous reader writes "From the New Scientist article: A project to create a comprehensive graphical representation of the Internet in just one day and using only a single computer has already produced some eye-catching images."
Back pedal, back pedal, baker's man, cover that label with tape if you can. Mr. Slippery writes "According to this Yahoo! News story, L.A. County did not ban the use of 'master' and 'slave' in labeling, but made more of a polite request to vendors. A subtle but important distinction.
'"I do understand that this term has been an industry standard for years and years and this is nothing more than a plea to vendors to see what they can do," said Joe Sandoval, division manager of purchasing and contract services. "It appears that some folks have taken this a little too literally."' (As, perhaps, did those who got offended in the first place...)"
The original memo called Master and Slave labels "not acceptable" -- how non-literally can that be taken? -- and as further news stories have reported, was prompted by an employee's workplace discrimination complaint against the city. That sounds to me like more than a polite request. At least the city has found that a little tape is enough to make the world safe from misinterpreted words.
I bet Bill is a better actor than Keanu. Karma Sucks writes "After some embarrassing PR backlash it seems as if Microsoft is clamping down on distribution of pictures or videos related to the Matrix Spoof that featured Linux and Windows at COMDEX. Even more interesting are the reports that Microsoft is systematically scouting Open Source desktop technology."
And this is what percentage of the industry's profits? dlh writes "Boston.com is reporting that a federal judge Thursday approved a $143 million settlement of a lawsuit that accused major record companies and large music retailers of conspiring to set minimum music prices."
Time to get a new watch. Krellis writes "DynDNS.org, a major dynamic DNS provider, has announced that they will shut off access to any customers using the Linksys WRT54G wireless router to update their service on December 8th unless the router is patched. See the story on ExtremeTech and the DynDNS Press Release for more details. Updated firmware can be downloaded from Linksys."