Page 2 of 4
Results 11 to 20 of 32

Thread: Honeynet project status thread

  1. #11 streaker69 (Senior Member; Join Date: Jan 2010; Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA; Posts: 3,535)

    Quote Originally Posted by wyze:
    Well once again, I would research the legal implications first of running a honeynet so that you do not accidentally commit several felonies (assuming you are from the U.S. that is).
    One thing that I decided to do after watching that video is that I'm going to have a document drawn up to have put with my personal file that states in no uncertain terms that I'm allowed to monitor all inbound/outbound traffic on the network and have it signed by our Executive Director.

    I would recommend any other BoFHs who have the responsibility of monitoring traffic do the same thing.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  2. #12 Barry (My life is this forum; Join Date: Jan 2010; Posts: 3,817)

    Quote Originally Posted by streaker69:
    One thing that I decided to do after watching that video is that I'm going to have a document drawn up to have put with my personal file that states in no uncertain terms that I'm allowed to monitor all inbound/outbound traffic on the network and have it signed by our Executive Director.

    I would recommend any other BoFHs who have the responsibility of monitoring traffic do the same thing.
    It was part of our AUP.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  3. #13 streaker69 (Senior Member; Join Date: Jan 2010; Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA; Posts: 3,535)

    Quote Originally Posted by Barry:
    It was part of our AUP.
    AUP is one thing, but personally, I'd rather have a note in my file signed by the corner office.

  4. #14 lund99 (Senior Member; Join Date: Feb 2010; Posts: 142)

    Quote Originally Posted by wyze:
    Well once again, I would research the legal implications first of running a honeynet so that you do not accidentally commit several felonies (assuming you are from the U.S. that is).
    I live in Norway, but I really haven't thought of the legal aspects yet as I have been somewhat consumed with getting the entire thing done and running.

    We have a state department here which is dedicated to the legal issues related to the use of computer systems and the storage of personal information.

    It also ensures that Norwegian businesses (and private persons, I suppose) are taking special precautions to protect privacy when it comes to IT systems that can contain personal information, be it a customer database or a video surveillance system.

    But now that you brought it up, I will most definitely contact them by mail to check whether or not they have an official standpoint when it comes to honeynets - and if I might be incriminating myself in some way by running a honeypot like I am right now.

    BTW, I will post a nice status update of my honeynet once I get home from work today - nothing too detailed yet as I am still learning the use of Honeywall and how to analyze data.

    I am also working on a basic HOWTO on creating a virtual honeynet which probably will be done in a couple of days and posted both here on this forum and on my site so that anyone interested can follow it to implement a virtual honeynet of their own.


    Just a quick question:
    What do AUP and BoFH mean?
    I obviously need to add a few abbreviations to my dictionary.

  5. #15 imported_wyze (Jenkem Addict; Join Date: Jul 2007; Posts: 1,543)

    • AUP = Acceptable Use Policy
    • BoFH = Bastard Operator from H377
    dd if=/dev/swc666 of=/dev/wyze

  6. #16 lund99 (Senior Member; Join Date: Feb 2010; Posts: 142)

    Quote Originally Posted by wyze:
    • AUP = Acceptable Use Policy
    • BoFH = Bastard Operator from H377

    Lol, thanks for the explanation wyze

  7. #17 streaker69 (Senior Member; Join Date: Jan 2010; Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA; Posts: 3,535)

    Quote Originally Posted by cormega:
    Lol, thanks for the explanation wyze
    If you're gonna be in the IT field, you have to learn how to be a proper BoFH.

    http://www.theregister.co.uk/odds/bofh/

  8. #18 lund99 (Senior Member; Join Date: Feb 2010; Posts: 142)

    Quote Originally Posted by streaker69:
    If you're gonna be in the IT field, you have to learn how to be a proper BoFH.

    http://www.theregister.co.uk/odds/bofh/
    I realize that I have a long way to go :P

    Hopefully I'm on the right track, though

  9. #19 lund99 (Senior Member; Join Date: Feb 2010; Posts: 142)

    OK, I've been away for the weekend and came back to discover that my honeynet lost its Internet connection Friday night :/

    This means that I don't have too much exciting stuff to report yet; most of the things I've registered in the IDS logs are a bunch of SQL worm attempts like this:

    Code:
    [**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**]
    [Classification: Misc Attack] [Priority: 2]
    08/11-01:58:53.294081 61.132.XX.XX:1211 -> 81.191.XX.XX:1434
    UDP TTL:117 TOS:0x28 ID:56527 IpLen:20 DgmLen:404
    Len: 376
    [Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref => http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref => http://www.securityfocus.com/bid/5311][Xref => http://www.securityfocus.com/bid/5310]

    [**] [1:2050:9] MS-SQL version overflow attempt [**]
    [Classification: Misc activity] [Priority: 3]
    08/11-01:58:53.294081 61.132.XX.XX:1211 -> 81.191.XX.XX:1434
    UDP TTL:117 TOS:0x28 ID:56527 IpLen:20 DgmLen:404

    Except for a couple of things which I haven't been able to figure out yet:

    Code:
    [**] [1:853:9] WEB-CGI wrap access [**]
    [Classification: Attempted Information Leak] [Priority: 2]
    08/08-01:58:36.825855 81.191.XX.XX:1078 -> 194.19.40.XX.XX
    TCP TTL:128 TOS:0x0 ID:1234 IpLen:20 DgmLen:435 DF
    ***AP*** Seq: 0x69A84218  Ack: 0xC6CC65E3  Win: 0xFAF0  TcpLen: 20
    [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10317][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0149][Xref => http://www.securityfocus.com/bid/373][Xref => http://www.whitehats.com/info/IDS234]

    [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
    08/08-01:58:37.005811 81.191.XX.XX:1079 -> 209.225.XX.101:80
    TCP TTL:128 TOS:0x0 ID:1350 IpLen:20 DgmLen:626 DF
    ***AP*** Seq: 0x743BD687  Ack: 0xD43850A1  Win: 0xFAF0  TcpLen: 20

    [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
    08/08-01:58:37.331863 81.191.XX.XX:1085 -> 209.225.XX.103:80
    TCP TTL:128 TOS:0x0 ID:1581 IpLen:20 DgmLen:755 DF
    ***AP*** Seq: 0x3B1EA19  Ack: 0xCBE50FEA  Win: 0xFAF0  TcpLen: 20

    [**] [1:254:4] DNS SPOOF query response with TTL of 1 min. and no authority [**]
    [Classification: Potentially Bad Traffic] [Priority: 2]
    08/08-01:58:40.626619 193.75.XX.XX:53 -> 81.191.XX.XX:63481
    UDP TTL:62 TOS:0x0 ID:31932 IpLen:20 DgmLen:77
    Len: 49

    [**] [1:254:4] DNS SPOOF query response with TTL of 1 min. and no authority [**]
    [Classification: Potentially Bad Traffic] [Priority: 2]
    08/08-01:58:40.638668 193.75.XX.XX:53 -> 81.191.XX.XX:64588
    UDP TTL:62 TOS:0x0 ID:31998 IpLen:20 DgmLen:77
    Len: 49

    [**] [1:2201:5] WEB-CGI download.cgi access [**]
    [Classification: access to a potentially vulnerable web application] [Priority: 2]
    08/08-01:58:42.831535 81.191.XX.XX:1109 -> 192.150.XX.XX:80
    TCP TTL:128 TOS:0x0 ID:2126 IpLen:20 DgmLen:459 DF
    ***AP*** Seq: 0x2952FB1C  Ack: 0x753F6338  Win: 0xF9D1  TcpLen: 20
    [Xref => http://cgi.nessus.org/plugins/dump.php3?id=11748][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1377][Xref => http://www.securityfocus.com/bid/4579]

    Some of the things in the above output are kinda self-explanatory, but there are a couple of things that have confused me a bit.

    For instance; the DOUBLE DECODING attack which came from the 209.225.XX.101 to begin with, also came from 209.225.XX.102 and 209.225.XX.103 after a little while.

    Does anyone know what this means? I was thinking botnet traffic but that is just speculation on my part; I still have a lot to learn when it comes to analyzing IDS logs etc.

    Finally, the DNS Spoof Query response alerts, I'm not sure why they appear since they come from a legit DNS server I use. Might this just be a misconfiguration somewhere which makes Snort log these events as a possible incident?

    As you probably understand, the honeypot is placed on the 81.191.XX.XX net, I've also chosen to censor the addresses of the machines which have initiated this traffic.

    I haven't decided how to handle this part yet, so for the moment I will censor these addresses too, to ensure that no one will target these machines for any attacks etc.

    That's it for the moment. If anyone could help me analyze the last output and tell me what they can read from it, that would be great!
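
As an added example (not code from this thread or from the Honeywall project), here is a small parser for the Snort full-format alerts quoted above that classifies each alert's direction from its addresses relative to the honeynet prefix, rather than from wording such as OUTBOUND in the signature name. The 81.191.0.0/16 prefix and all host addresses in the sample are constructed stand-ins for the censored XX values.

```python
import re
import ipaddress

# Honeynet prefix is an assumption (the thread only shows 81.191.XX.XX).
HONEYNET = ipaddress.ip_network("81.191.0.0/16")

# Constructed sample in Snort "full" alert format, modelled on the thread's alerts.
SAMPLE_ALERTS = """\
[**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**]
[Classification: Misc Attack] [Priority: 2]
08/11-01:58:53.294081 203.0.113.9:1211 -> 81.191.0.10:1434
UDP TTL:117 TOS:0x28 ID:56527 IpLen:20 DgmLen:404

[**] [1:254:4] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/08-01:58:40.626619 198.51.100.53:53 -> 81.191.0.10:63481

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
08/08-01:58:37.005811 81.191.0.10:1079 -> 192.0.2.101:80
TCP TTL:128 TOS:0x0 ID:1350 IpLen:20 DgmLen:626 DF
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]$")
# timestamp src[:port] -> dst[:port]; ports are absent for ICMP alerts
FLOW = re.compile(r"^\S+ (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")


def direction(src, dst):
    """Direction relative to HONEYNET, derived from the addresses themselves."""
    s, d = src in HONEYNET, dst in HONEYNET
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "internal" if s and d else "external"


def parse_alerts(text):
    """Split full-format output into blank-line-separated records, one dict per alert."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        head = HEADER.match(lines[0])
        flow = next((FLOW.match(ln) for ln in lines[1:] if FLOW.match(ln)), None)
        if not head or not flow:
            continue  # truncated record without a header or packet line
        src, dst = ipaddress.ip_address(flow[1]), ipaddress.ip_address(flow[3])
        records.append({"sid": head[1], "msg": head[2], "src": str(src), "sport": flow[2],
                        "dst": str(dst), "dport": flow[4], "direction": direction(src, dst)})
    return records
```

Grouping the returned records by direction and msg shows at a glance which alerts are scans hitting the honeypot and which are traffic the honeypot itself initiated.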

  10. #20 imported_wyze (Jenkem Addict; Join Date: Jul 2007; Posts: 1,543)

    Those DNS spoofs are outbound; in conjunction with the outbound worm propagation attempt, I would say that your machine has become part of a fast-flux or some other similar kind of round-robin network.
