Honey Net

Analyzing the Clues

For analysis purposes, the admin disconnects the honeypot computer from the network and mounts the compromised hard disks on a separate machine. This step disables the rootkit because the system programs on the mounted disk are not used.

Some cautionary measures improve the results of the analysis. The logfiles recorded by the honeywall might not give a true representation of the sources the attacker used to upload software to the system. For this reason, it is a good idea to search for them on the honeypot itself. Additionally, the monitoring software might hide from the attacker on the honeypot, but if the attacker encrypts the network, some information is lost. This potential for the attacker to go underground makes it vital to trace the attacker's activities in order to initiate countermeasures as quickly as possible.

Manipulation of the filesystem on the compromised honeypot is evident. Forensic methods let the administrator restore deleted logfiles and malware programs, thus revealing how an attacker attempts to cover their traces on the machine and the changes to the filesystem. In this case, the web application vulnerability scanner logfiles finally reveal all the IP addresses the attacker attempted to target from the honeypot.

Proceed with Caution

Break-in studies that use honeypots are educational and can help prevent repeat attacks. However, honeypot operators could be breaking the law. Keep in mind that a honeypot has legal implications for the operator. Possible issues include aiding and abetting, data protection and liability for any damage caused by the honeypot.

Of course, make sure you tighten the honeynet to the best of your ability to avoid damage to any networks [10]. Operating a honeypot is not something you should do lightly. In fact, you need to monitor the system constantly to stay ahead of your clandestine guests.

Infos

  1. Roo: https://projects.honeynet.org/honeywall
  2. Honeynet Project, "Roo CDROM User's Manual": http://yum.honeynet.org/roo/manual
  3. Snort Inline: http://snort-inline.sourceforge.net
  4. POF (p0f): http://lcamtuf.coredump.cx/p0f.shtml
  5. Swatch: http://sourceforge.net/projects/swatch/
  6. Sebek: https://projects.honeynet.org/sebek/
  7. Current version of phpAds: http://sourceforge.net/projects/phpadsnew/
  8. Edward Balas and Camilo Viecco, "Towards a Third Generation Data Capture Architecture for Honeynets": http://old.honeynet.org/papers/individual/hflow.pdf
  9. PHP XML-RPC vulnerability: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
  10. Ryan Talabis, "A Primer on Honeynet Data Control Requirements": http://www.philippinehoneynet.org/index.php?option=com_docman&task=doc_download&gid=7&Itemid=29

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Security Intro
  • Charly's Column: Glastopf

    Good traps catch mice, and honeypots catch malicious scripts. Sys admin Charly resorts to a honeypot in this issue, which, although difficult to install, is easy to manage.

  • Backdoors

    Backdoors give attackers unrestricted access to a zombie system. If you plan to stop the bad guys from settling in, you’ll be interested in this analysis of the tools they might use for building a private entrance.

  • Sneaky New Linux Attack Discovered

    Innovative back door looks like normal SSH traffic.

  • Charly's Column

    At the Niederrhein University future admins implement spam defense mechanisms by attracting the attention of the Viagra Mafia. The results are pertinacious blacklists and expert knowledge of methods for combating the menace.

comments powered by Disqus

Direct Download

Read full article as PDF:

066-069_honeypots.pdf  (507.42 kB)

News