Thanks for your reply.
I did a quick read up on fast flux now and I got the basic idea, but does this now mean that my honeypot can be used as a proxy server for malware attacks?
Also, I guess that means that the worm propagation was in fact successful?
I noticed it now, after you said it, that these events occurred at the exact same time.
Yeah, I've been thinking about it.
My first move was to implement stricter data control. The number of allowed outgoing connections from my machine has been cut by 50% compared to the default honeywall setting so it won't be able to do too much damage.
I just want to check what types of outgoing connections might be initiated for the next hour before I lock down the computer completely - because up until now it has been very quiet, to say the least.
Too bad it ended up being a worm that got the system though :/ I really wanted some more exciting action on the box.
But, all right... you live & you learn. If it turns out to be compromised by a worm and part of a fast flux net then I will definitely shut it down and start the project over again - with more honeypots and bigger ambitions.
I hear that.. if you can manage Snort_Inline to restrict it outbound, I'd bet you'll find some interesting things for the time that it is in active state. You could probably dissect the tool set and learn more about it (I've even heard that many of even the recent malware / worms / etc. still have a lot of comments in the code).
dd if=/dev/swc666 of=/dev/wyze
Yep, my honeynet is set up with Honeywall, which also comes with snort_inline, so this is what is used for data control and that's how I limited the outbound connections.
Dissecting the tool set might be a bit too advanced for me as of this moment. I'm just trying to get familiar with the basics and daily running of a honeynet, as well as trying to get a hang of how to analyze the captured data, but it definitely sounded like a cool thing to do!
But I made a rookie mistake when launching this honeynet: I should've run a forensic script to gather data about the system as it was before I put it online. If I had done that, I could run it again now to check which files etc. have been altered/added, so trying to find the code of the malware will be too big of a challenge for me right now.
I will keep a close eye on it for the remainder of the day and I guess I'll just have to start over again tomorrow if my honeypot is really trying to launch a malware attack / assist a botnet in some way.
Hmm, I've found a forum thread on snort.org which describes the same issue of a lot of these SQL propagation events.
It seems these can be caused by a misconfiguration on the honeywall as well, so I will check this out before I do something drastic. I really hope that this is the case and that I can carry on with this little honeynet, because I have some big plans for my next net and need some experience before moving further.
If the rule contains "OUTBOUND", that means that, assuming your HOME_NET and EXTERNAL_NET are set properly, Snort is catching a virus propagating OUTBOUND from your network (you infecting other people).
Also, here's a link with info about the DNS spoof alert from snort: http://www.snort.org/pub-bin/sigs.cgi?sid=254
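The point made above is that an "OUTBOUND" alert only means what it says if HOME_NET is really your honeynet. The script below is an added example, not code from this thread or from the Honeywall/Snort projects: it parses Snort "fast" alert lines and cross-checks each OUTBOUND hit against the HOME_NET you intended, so hits whose source is not actually one of your honeypots (the symptom of a misconfigured HOME_NET, for instance the stock `any` value) stand out before you pull the plug. The alert lines, SIDs and addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed HOME_NET definitions. Stock snort.conf ships HOME_NET as "any",
# which makes every host "home" and lets OUTBOUND rules fire on inbound traffic.
INTENDED_HOME_NET = ["192.168.1.0/24"]   # what the honeynet operator meant to set
DEFAULT_HOME_NET = ["any"]               # the unedited default

# Constructed Snort fast-alert lines; SIDs 999000x and all addresses are placeholders.
SAMPLE_ALERTS = """\
10/14-09:12:01.123456  [**] [1:9990001:1] SQL Worm propagation attempt OUTBOUND [**] [Priority: 2] {UDP} 192.168.1.50:1434 -> 203.0.113.9:1434
10/14-09:12:01.123789  [**] [1:9990002:1] SQL Worm propagation attempt OUTBOUND [**] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.168.1.50:1434
10/14-09:12:02.000001  [**] [1:9990003:1] SQL Worm propagation attempt [**] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.168.1.50:1434
"""

# Pulls gid:sid:rev, the message, protocol and the src -> dst addresses out of a fast-alert line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def in_net(ip, nets):
    """True if ip falls inside any of the CIDR ranges in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def direction(src, dst, home_net):
    """Classify a flow relative to HOME_NET; 'any' makes the direction undecidable."""
    if any(n.lower() == "any" for n in home_net):
        return "ambiguous"
    src_home, dst_home = in_net(src, home_net), in_net(dst, home_net)
    if src_home and not dst_home:
        return "outbound"
    if dst_home and not src_home:
        return "inbound"
    return "internal" if src_home else "external"


def check_alert(line, home_net):
    """Parse one alert line and say whether an OUTBOUND claim matches the real direction."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    actual = direction(m["src"], m["dst"], home_net)
    claims_outbound = "OUTBOUND" in m["msg"].upper()
    return {
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "src": m["src"],
        "dst": m["dst"],
        "actual": actual,
        "claims_outbound": claims_outbound,
        # A rule without the OUTBOUND tag makes no directional claim to contradict.
        "consistent": (not claims_outbound) or actual == "outbound",
    }


def audit(alert_text, home_net):
    """Run check_alert over every line, dropping lines that are not alerts."""
    return [r for r in (check_alert(l, home_net) for l in alert_text.splitlines()) if r]


def suspect_misconfig(results):
    """True when some OUTBOUND alert did not originate from the intended HOME_NET."""
    return any(r["claims_outbound"] and not r["consistent"] for r in results)


if __name__ == "__main__":
    for label, hn in (("intended", INTENDED_HOME_NET), ("stock 'any'", DEFAULT_HOME_NET)):
        res = audit(SAMPLE_ALERTS, hn)
        print(f"HOME_NET={hn} ({label}): misconfig suspected = {suspect_misconfig(res)}")
        for r in res:
            print(f"  sid {r['sid']}: {r['src']} -> {r['dst']} is {r['actual']}; "
                  f"rule says OUTBOUND={r['claims_outbound']}; consistent={r['consistent']}")
```

Run it against the real alert file (`/var/log/snort/alert` on a stock install) with HOME_NET set to the honeynet's real range. If every OUTBOUND hit has a honeypot as its source, the propagation is genuine and the box should come down; if the sources are outside addresses, the rule was firing on inbound scans and the HOME_NET/EXTERNAL_NET variables on the Honeywall are the thing to fix.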
Just posted a new entry on my blog [ ] The HoneyProject with my current evaluation of the alerts I have received from snort.
Sorry if it seems like I'm blatantly promoting my blog here. That is not my intention; I just feel like it's unnecessary to post everything twice, so I will continue to place what I consider to be my most important posts both here and on my blog, but all the small updates will mainly be put on my blog.
Just a quick update.
I've been working so much overtime lately that I have not been able to follow up my project as much as I would like.
Hopefully I will have a new virtual honeynet up & running by the weekend, and this one will be a little more professional in the set up.
I am also working on a complete HOWTO on setting up & managing virtual honeynets, but that will definitely take a while - probably won't be done until December, I'm afraid..
This is some really cool stuff. I would like to run a setup like this sometime when I can find the time. I'm sure you have learned tons just going through the process of getting everything working and doing all of that research. I like how you have explained everything in an easy to understand way. Just a thought maybe it would be cool to get the system running again and invite some people to actually try and hack the box. Then you could communicate with them and see what some different attacks actually look like. Then when you have an uninvited intruder it may be easier to decipher the logged data and see what they were up to.
Wow, thanks for the reply, and I'm truly sorry for the lack of updates on this project.
It has been more or less dead since my 3rd install, and yes, I have learned a lot, but currently I have so much work to do and all the overtime is just killing all my enthusiasm for sitting in front of a computer in my spare time.
Hopefully, this will soon pass and I can get back to working on this project again.
Nice to see that someone finds it interesting too.
Keep checking in on this thread once in a while and I will start updating it as soon as I get some more time to experiment.