INDEX

Note: Page numbers followed by f and t indicate figures and tables, respectively.

A

ACID, for data storage, 298, 336, 336f
Active countermeasures, risk in using, 136–138
Activity capture. See Data capture
adb(1), for jail monitoring, 190
Address Resolution Protocol (ARP), for MAC identifiers, 151–152, 152f
ADMmutate, 61, 274–275
Aggressive character, in Specter behavior settings, 114, 121–122, 123f
Alert(s)
  by Alert Mail, 130–131, 131f
  archiving, 314–315
  in BackOfficer Friendly, 100–101, 100f, 101f
    reviewing, 107, 107f
    saving, 101–102, 107, 108f, 399–405
    vs. Specter, 113
    value of, 92–93
  critical content of, 311, 312f
  in data control, 248–249, 249f
  in detection, 310, 352–353, 353f
  from firewalls, 354, 354f
    in honeynets, 248–249, 249f
    logging, 350–352
  in GenI honeynets
    from firewalls, 248–249, 249f
    from Intrusion Detection Systems, 251–252
  in high-interaction Honeypots, 326–327
  in Honeyd, 164–165
  in honeynets, 248–249, 249f, 364, 423–427 (See also GenI honeynets)
  in Honeypots goals, 343
  from IDS gateway, 266–267, 267f
  from Intrusion Detection Systems, 222–223, 251–252
  from log server, 352, 363
  logging, 350–352
  in maintenance, 310
  in ManTrap, 215–218, 216f

Spitzner.book Page 429 Sunday, August 18, 2002 9:44 PM

Alert(s) continued
    in ManTrap cages, 209–210, 209f
  misconfiguration and, 284–285
  for outbound traffic, 248–249, 249f
  prioritizing, 312–314, 313f, 315f
  redundancy in, 310–311
  reliability of, 310–311
  in research Honeypots, 310
  in response Honeypots, 310, 353
  reviewing, 107, 107f
  saving, 101–102, 107, 108f, 399–405
  by Short Mail, 129, 130f
  simplicity of, 310
  in Specter
    by Alert Mail, 130–131, 131f
    configuration of, 126–127
    by Short Mail, 129, 130f
    value of, 113
Alert Mail, in Specter, 130, 131f
Al-Qaeda, hacking threats and, 28
Ann Arbor Networks, blackhole monitoring by, 144
Application(s), in ManTrap, 196, 199–200
Application layer
  data capture at, in ManTrap, 220–221
  emulation of, in Honeyd, 156–157, 156f
  purpose of, 148f, 149
Application logs
  data aggregation with, 61
  for information gathering, in Specter, 133
  in jails, 189
Arkin, Ofir, 334
ARP (Address Resolution Protocol), for MAC identifiers, 151–152, 152f
ARP proxy, in Honeyd, 153–154, 154f, 159
ARP spoofing
  definition of, 148
  in Honeyd, 152–153
  risk in, 165
ARP table, 150–152, 150f
Arpd utility, 148, 152, 162
Attack(s)
  on BackOfficer Friendly, 105–106, 106f
  on detection Honeypots, 357–358
  on GenI honeynets, example of, 265–274, 273f
  on honeynets, analysis of, 365–366
  information sharing after, 236–237
  against log servers, 253
  modifying, 259
  motives for, 27–29, 69
  netcat utility in, 331
  on networks, 359, 360f
  on response Honeypots, 356–357
  scripts for, 366
  steps in, 14, 15
  throttling, 259
Attackers. See Hacker(s)
  identifying, with file recovery, 221–222
  IRC used by, 1–2
  learning about, 8
  luring vs. capturing, 44
  motives of, 27–29, 69
  privacy protection for, 373, 376
  skill levels of, 11–12, 14, 75–76, 269
  threats from, 12–13
  tracking, 34–35, 64–65
  traditional defense against, 4
  types of, 11–12
Authentication, 56, 152
Automated tools. See Auto-rooters
Auto-rooters. See also Luckroot
  capture of, 69, 361
  detection of, port monitors for, 170–171
  evolution of, studying, 234–235
  FTP attack with, 365

Auto-rooters continued
  interchangeability in, 18–19
  vs. mass-rooters, 19
  method of, 15–16
  randomness of, 16–17
  risk posed by, 29

B

Back Orifice, 88–90, 89f
Backdoors, rootkits for creating, 2
BackOfficer Friendly (BOF)
  advantages and disadvantages of, 103t
  alerts in, 100–101, 100f, 101f
    reviewing, 107, 107f
    saving, 101–102, 107, 108f, 399–405
    vs. Specter, 113
  attack on, 105–106, 106f
  configuration of, 95–98, 96f, 97f, 104, 104f
  description of, 83
  example using, 74–75, 74f
  fingerprinting of, 102
  information gathering in, 100–101
  installation of, 95, 96f, 104
  logging in, 101–102, 399–405
  management of, 98–99
  operation of, 93–95
  original use of, 90–91
  overview of, 87–91
  release of, 38
  and remote management, 98–99
  for response, 279
  risk associated with, 102
  service emulation in, 98
  vs. Specter, 92–93, 110
  tutorial for, 103–108
  value of, 91–93
Banners, consent, 376–379, 378f
bash, modified version of, for remote data capture, 254, 272–273, 273f
BIND8 service, jails for, 187–188
Blackhat(s), advanced
  definition of, 12
  meritocratic nature of, 28
  studying, with research Honeypots, 395–396
  targets of, 25–27
  tools of, 25–26, 68
  trail of, 25–26
Blackhat(s), low-level, 11–12, 14
Blackholing
  definition of, 144–145
  deployment of, 163
  in Honeyd, 144–147
  intent of, 145
  risk in, 165
Block option, in Honeyd configuration, 160
BOF. See BackOfficer Friendly
BO2K Trojan, in Specter configuration, 125
BOTs, 1–2, 27
Bragging rights, as motive for attack, 28
BUTTplugs, for Back Orifice, 88–90

C

CAIDA (Cooperative Association for Internet Data Analysis), blackhole monitoring analysis by, 145
CDE Subprocess Control Service (dtspcd), exploit for, 39
CERT, statistics released by, 13
CGM (Content Generation Module), in ManTrap, 207–208
Character, in Specter, configuration of, 121–123, 122f, 123f
chroot. See Jail(s)
chroot command, for ManTrap cage customization, 210, 211f

Chuvakin, Anton, on jail breaking, 190–191
CodeRed II worm
  capture and analysis of, 39, 173–174
  release of, 21–22, 23f
CodeRed worm, 19–21, 21f
Commercial Honeypots
  vs. homemade Honeypots, 344, 345
  selection of, 280, 282–283, 361
  increase in, 390–391
Compromised systems
  and Back Orifice, 90
  as currency, 28
  data control in, 350
  evidence gathered from, 65–66
  forensic analysis of, 332
  liability issues with, 381–383
  monitoring, real-time, 364
  patching, 66
Configuration
  and alerts, 284–285
  of BackOfficer Friendly, 95–98, 96f, 97f, 104, 104f
  of high-interaction Honeypots, 82
  of Honeyd, 158–162, 159f
  of jails, 187–188
  by level of interaction, 77, 77f
  of low-interaction Honeypots, 78
  of ManTrap, 205–211
  of medium-interaction Honeypots, 81
  of Specter, 119, 120f
  testing, scripts for, 161, 161f
Consent banners, 376–379, 378f
Consent, federal law exceptions for, 376–379
Constitution, U.S., privacy under, 372–374
Content Generation Module (CGM), in ManTrap, 207–208
Contraband, Honeypot storage of, 382–383
Cooperative Association for Internet Data Analysis (CAIDA), blackhole monitoring analysis by, 145
Corporate espionage, as motive for attack, 28
Countermeasures, active, risk in using, 137–138
CPU cycles, as motive for attack, 28
Credit cards, as motive for attack, 28
The Cuckoo's Egg (Stoll), 34–35
Cult of the Dead Cow, Back Orifice released by, 88
CyberCop Sting, 5, 36–37

D

Data
  storage of, 241, 250, 298, 336, 336f
  transactional, under Wiretap Act and Pen/Trap statute, 375
  value of, in Honeypots, 49–51
Data aggregation. See also Data capture
  for data analysis, 335–336
  database for, 335
  definition of, 59
  management of, 295–298
  problem of, 61
  production Honeypots and, 62, 63
  value in, 296
Data analysis
  data aggregation for, 335–336
  for detection Honeypots, 358
  with high-interaction Honeypots, 325
  in Honeypot maintenance, 320
  keystroke capture for, 329
  with low-interaction Honeypots, 320–325, 321f, 323f, 324f
  passive, 332–335, 334f, 335f
  preparation for, in deployment, 337

Data capture. See also Keystroke capture; Log(s)
  archiving, 241
  definition of, 416
  and deployment, 263–264, 362
  and encryption, 198, 202, 255–256, 260
  firewalls for, 250, 251f, 363
  in GenI honeynets, 255–256
  in GenII honeynets, 260
  in honeynets
    definition of, 239
    and deployment, 263–264, 362
    and encryption, 255–256, 260
    firewalls for, 250, 251f, 363
    Intrusion Detection Systems for, 250–253, 252f
    log server for, 253, 266, 266f, 273
    purpose of, 240–241
    remote, 253–254, 272–273, 273f
    requirements for, 241
    Snort for, 266
    storage of, 241, 250
  in Honeypots, 291–295, 352–356
  Intrusion Detection Systems for, 250–253, 252f
  IP addresses vs. resolved names in, 295
  kernel in, 201–202, 260
  log server for
    in honeynets, 253, 266, 266f, 273
    for Honeypots, 352–356
  in ManTrap
    at application layer, 220–221
    and encryption, 198, 202
    kernel in, 201–202
    reviewing, 217–218, 219f
    value of, 198
  maximizing, 291–293
  redundancy in, 293–295
  remote, 253–254, 272–273, 273f
  requirements for, 241, 417–418
  reviewing, 217–218, 219f
  Snort for, 266
  standards for, 419
  storage of, 241, 250, 298
    ECPA and, 374
Data collection
  definition of, 416
  with GenII honeynets, 260–261
  with honeynets
    definition of, 239
    and deployment, 264
    elements of, 242
    purpose of, 241–242
  integrity in, 261
  legal issues with, 375–376
  requirements for, 418
  standardized format for, 261
  standards for, 419–421
Data control
  alerts for, 248–249, 249f
  automating, 240
  bypassing, 274–275
  for compromised systems, 350
  definition of, 416
  and deployment, 263–264, 362
  and due diligence, 382
  firewalls for, 363
  in GenI honeynets, 243–249, 250f, 255
  in GenII honeynets, 256–260
  in honeynets (See also Outbound traffic)
    alerts for, 248–249, 249f
    automating, 240
    bypassing, 274–275
    definition of, 239
    and deployment, 263–264, 362
    firewalls for, 363
    layers of, 248

Data control continued
    purpose of, 239–240
    requirements for, 240
  Honeypot location and, 290–291
  requirements for, 240, 416–417
  in response procedures, 319
  for risk mitigation, 304–305
  and updating, 365
Database
  for data aggregation, 335
  for log storage, 298
Deception
  with BackOfficer Friendly, 91
  detection of Honeypots in, by attackers, 305–306
  example of, 57–58
  with honeynets, value of, 231
  Honeypots for, 278
  jails for, 184–185
  with ManTrap, value in, 195–196
  for prevention, 56–57
  with Specter, 112, 114
Deception Toolkit (DTK), 5, 36
Demarc, for data storage, 298
Demilitarized Zone. See DMZ
Denial of Service (DoS), as motive for attack, 27
Deployment
  data analysis preparation in, 337
  effectiveness and, 348
  of high-interaction Honeypots, 82
  of Honeyd, 162–163
  of honeynets, 263–265
    for research, 362–364, 363f
  of jails, 188
  by level of interaction, 77, 77f
  locations for, 286
  of low-interaction Honeypots, 78
  of ManTrap, 211–214
  of medium-interaction Honeypots, 81
  of Specter, 127
Detection. See also Alert(s)
  alerts in, 310, 352–353, 353f
  in BackOfficer Friendly, 91–93, 92f
  in Honeyd, and service emulation, 143
  with honeynets, value of, 231
  of Honeypots, 305–306, 349–350
  Honeypots for, 278
    alerts from, 352–353, 353f
    attack on, 357–358
    deployment of, 346, 347f
    effectiveness of, optimizing, 348–349
    goal of, 343
    location of, 287f, 288–289
    response procedure for, 317, 355, 357–358
  Intrusion Detection System (IDS) for, 59
  jails for, 185
  level of interaction and, 344
  with low-interaction Honeypots, 78
  with ManTrap, value in, 196–197
  with port monitors, 170–172, 172f
  problems in (See Data aggregation; False negatives; False positives)
  production Honeypots and, 61–63, 63f
  purpose of, 58
Deterrence
  with BackOfficer Friendly, 91
  detection of Honeypots in, by attackers, 305–306
  Honeypots for, 278
  with ManTrap, value in, 195–196
  for prevention, 56–57
  with Specter, 112, 114–115
Dittrich, David, 370
DMZ (Demilitarized Zone)
  incident response in, 66, 67f
  monitoring, 42, 43f, 62–63, 63f

DNS (Domain Name Service). See also BIND8 service
  jails for, 182–183, 186–187
  in Specter, 125, 136
Domain names, for honeynets, 262–263
DoS (Denial of Service), as motive for attack, 27
DTK (Deception Toolkit), 5, 36
dtspcd (CDE Subprocess Control Service), exploit for, 39

E

Early warning mechanisms
  data analysis in, 335
  honeynets as, 235
  research Honeypots as, 69, 394
Electronic Communications Privacy Act (ECPA), 372, 374
Emulation
  of application layer, in Honeyd, 156–157, 156f
  of IP addresses, in Honeyd
    ARP proxy for, 153–154, 154f
    operation of, 146
    overview of, 142
    value of, 144–145
  of IP stack
    in Honeyd, 143, 156–157, 156f, 159
    and Specter, 118–119, 138
  of networks, 37
  of operating systems
    in Honeyd, 143, 155–157, 156f
    in medium-interaction Honeypot, 80
    in Specter, 111–112, 115–118, 116f, 117f, 120–121, 138
  of services
    in BackOfficer Friendly, 98, 102
    in Honeyd, 156–157, 156f
      configuration of, 159–160
      customization of, 142
      and detection, 143
      operation of, 145–146
      for response, 154–155
      value of, 143–144
    with port monitors, 180–181
    in Specter, 110–111, 111f, 123–124, 125f
  of vulnerabilities, in Specter, 110, 111f, 114
EnCase, for forensic analysis, 332
Encryption
  activity capture and, in ManTrap, 198, 202
  data capture and
    in GenII honeynets, 260
    and log servers, 273
    and network captures, 272
  for prevention, 56
  use of, 29
Entrapment, legal issues with, 380–381
Ethereal, for network analysis, 331–332, 333f
Ethernet, in link layer, 149–151
"An Evening with Berferd in Which a Cracker Is Lured, Endured, and Studied" (Cheswick), 34, 35–36, 184
Event Log, for information gathering, in Specter, 134, 134f
Evidence, from Honeypots, 64–66
Exploits
  automatic, 15–16
  capture of
    port monitors in, 172–173
    unknown, 39, 69, 232–233, 233f, 234f, 235
  development of, 14
  downloading, via FTP, 331
  interchangeability of, in auto-rooters, 18–19

Exploits continued
  launching, 14
  point-and-click, 15, 16f
  unknown
    capture of, 39, 69, 232–233, 233f, 234f, 235
    identification of, 396

F

Failing character, in Specter behavior settings, 122
False negatives
  definition of, 59
  eliminating, 396
  problem of, 60–61
  production Honeypots and, 61–64
  reduction of, with IDS integration, 392
False positives
  definition of, 59
  eliminating, 396
  in honeynets, 235
  problem of, 59–60
  production Honeypots and, 61, 62–63
  reduction of, 127, 392
Federal Aviation Administration (FAA), information sharing by, 236–237
Federal Wiretap Act (Title III), privacy under, 372, 374–380
File recovery
  in Ethereal, 332
  in honeynets, 271–272
  in ManTrap, 221–222
File system, in ManTrap, 202–204, 203f
File Transfer Protocol. See FTP
FINGER, in Specter
  configuration of, 124
  for information gathering, 136
Fingerprinting
  of BackOfficer Friendly, 102
  of Honeyd, 155–156
  of honeynets, 255
  of Honeypots, 54–55
  ICMP for, 118, 333–335, 335f
  mitigating, 305–307
  passive
    for data analysis, 332–335, 334f, 335f
    in Honeypot appliances, 390
  of Specter, 112, 118–119
Firewall(s)
  adoption of technology, 388–389
  alerts from, 354, 354f
    in honeynets, 248–249, 249f
    logging, 350–352
  for data capture, 250, 251f, 294–295, 294f, 363
  for data control, 248–249, 249f, 265, 350, 363
  failure of, 58
  for GenI honeynets, 244–245
  GUI for, 389, 390f
  in high-interaction Honeypots, 82
  for Honeyd, 163
  for honeynets, 244–245, 362, 363, 365
  and Honeypot location, 286
  integration of, with Honeypots, 392
  internal connections and, 359
  and Intrusion Detection Systems, combining, 256
  maintaining, 264
  for ManTrap, 225–226
  misconfiguration of, 390
  for outbound traffic, 6
  for prevention, 56
  resource exhaustion and, 51
  return on investment in, 52
  rulebase for
    for compromised systems, 350
    for honeynets, 246–247, 247f

Firewall(s) continued
    misconfiguration of, 390
    reviewing, 359
  use of, 40–41
FireWall-1, 246, 389, 390f
Forensic analysis, of compromised systems, 332
Fourth Amendment, 372–374
FTP (File Transfer Protocol)
  auto-rooter attack against, 365
  in BackOfficer Friendly, 94, 97
  in Specter, configuration of, 110, 111f, 123
  for tools download, 331
FTP banner, in Specter, for information gathering, 136

G

gdb(1), for jail monitoring, 190
GenI honeynets
  alerts in, 248–249, 249f, 251–252
  architecture of, 243
  capabilities of, 243
  data capture in, 255–256
  data control in, 243–249, 250f, 255
  deployment of, 265, 266f
  example attack on, 265–274, 273f
  firewalls for, 244–245, 265, 266f
    rulebase for, 246–247, 247f
  vs. GenII honeynets, 261, 362
  outbound traffic in, 244–248
  overview of, 242–243
  risk in, 255
  routers for, 248
GenII honeynets
  data capture in, 260
  data collection in, 260–261
  data control in, 256–260
  vs. GenI honeynets, 261, 362
  honeynet sensor in, 256–257
  Intrusion Detection Systems gateways in, 257–259
  network diagram of, 258f
  overview of, 256–261
  in production networks, 257, 258f
  response in, 259
GFORCE, hacking threats from, 28
Granick, Jennifer, 370
Graphical user interfaces (GUI), and ease of use, 389–390, 390f
Guest books, link from, 348–349

H

Hacked computers. See Compromised systems
Hacker(s). See Attackers
h4x0r, 3, 76
Hacking. See Attack(s)
Hard drive, wiping, for deployment, 337
Hardware requirements, for ManTrap, 206
High-interaction Honeypots
  alerts in, 326–327
  capabilities of, 75–76, 76f, 81–82
  data analysis with, 325
  definition of, 75
  due diligence for, 382
  example of, 325–326, 326f
  vs. low-interaction Honeypots, 344, 345
  privacy issues with, 371
  risk from, mitigating, 350
Hogwash IDS gateway, 259–260
Home networks, scanning of, statistics for, 13
Homemade Honeypots. See also Jail; Port monitors
  advantages of using, 167
  vs. commercial Honeypots, 344, 345
    selection of, 280, 282–283, 361

Homemade Honeypots continued
  description of, 84
  interfaces of, 282
  overview of, 168–169
  uses of, 168
  variety of, 168
Honey cards, use of, 395–396
Honeyd
  advantages and disadvantages of, 166f
  alerts in, 164–165
  ARP proxy in, 153–154, 154f, 159
  ARP spoofing in, 152–153
  ARP table in, 152, 153
  blackholing in, 144–147
  configuration of, 158–162, 159f
  deployment of, 162–163
  description of, 84
  fingerprinting of, 155–156
  firewalls for, 163
  information gathering with, 163–165
  initialization of, 157–158
  installation of, 157
  IP emulation in
    ARP proxy for, 153–154, 154f
    operation of, 146
    overview of, 142
    value of, 144–145
  IP monitoring in
    operation of, 145–146
    overview of, 142
    value of, 144
  IP stack emulation in
    configuration of, 159
    overview of, 143
  level of interaction of, modification of, 143–144
  logging with, 163, 164f
  maintenance of, 162–163
  misconfiguration of, and risk, 165
  network traffic forwarded to, 146–147, 147f (See also ARP spoofing)
  operating systems emulation in, 143, 155
  operation of, 145–157
  overview of, 142–143
  proxying in, 159f, 161–162
  response in, 154–157
  risk in using, 165
  scripts in, 160–161, 161f
  service emulation in
    configuration of, 159–160
    customization of, 142
    operation of, 145–146
    for response, 154–155
    scripts for, 160–161
    value of, 143–144
  and sniffers, 164
  value of, 143–145
  virtual networks in, 162
Honeynet(s). See also GenI honeynets; GenII honeynets
  activity on, generating, 263
  advantages and disadvantages of, 265, 275t
  alerts in, 423–427
  as architecture, 238–239
  attacks on, analysis of, 365–366
  complexity of, risk from, 274
  comprehensiveness of, 237–238
  definitions for, 416
  deployment of, 263–265, 266f
    for research, 362–364, 363f
  description of, 85–86
  distributed, 392–393
  domain names for, 262–263
  as early warning system, 235
  example attack on, 265–274, 273f
  expected activity captured by, 274–275

Honeynet(s) continued
  false positives in, 235
  flexibility of, 265
  history of, 229–230
  information gathering with, 268
  level of interaction of, 229, 274
  maintenance of, 263–265, 364–365
  management of, networks for, 362
  monitoring, 264–265
  operation of, 238–242
  overview of, 229–231
  prevention with, value of, 231
  as production Honeypots, value of, 231
  production systems in, 229
  requirements for, 416–418
  as research Honeypots, 231–232, 278, 362
    deployment of, 362–364, 363f
  for response development, 236–238
  response procedures for, 364
  risks with, 274–275
  standards for, 419–421
  as targets of choice, 262–263
  as test beds, 238, 364
  tool evolution and, 234–235
  trend analysis with, 235–236
  unknown exploits captured with, 232–233, 233f, 234f
  updating, 365
  value of, 231–238
  virtual, 261–262
Honeynet Project
  data collection by, 50, 336, 336f, 366, 394
  formation of, 38, 230
  mission statement of, 230
Honeynet Research Alliance, 230–231, 392–393
Honeynet sensor, 256–259
Honeyp.com, overview of, 341–342
Honeyp.edu, overview of, 360
Honeypots. See also Production Honeypots; Research Honeypots
  advantages of, 49–53
  as appliances, 390–391
  auto-rooter capture with, selection for, 361
  behavior of, modifying, 306
  blending into organization, 306–307
  compromise statistics for, 12–13
  concept of, 3–4, 41
  consent banners for, 376–379, 378f
  contraband storage on, 382–383
  cost of, 52, 282, 285
  customized, 42–44, 43f, 350
  for data capture, in honeynets, 253
  data value in, 49–51, 50f
  definition of, 40, 387–388
  detection of, by attackers, 54, 349–350
  disadvantages of, 53–55
  for DMZ monitoring, 42, 43f
  failures of, 8
  field of view of, 53–54
  fingerprinting of, 54–55, 305–307
  first documented, 35
  flexible use of, 41
  goals for, 277–280, 343–346, 361–362
  government use of, 394
  in honeynets, 253
  HTTP links to, 348–349
  integration of, with other technologies, 391–392
  legality of (See Legal issues)
  level of interaction of
    for detection, 343–344
    selection of, 280–282, 361
  location of, 286, 287f, 346–347, 347f
  maintenance of, 352–356, 389–390
  management of
    ease of, improving, 389–390

Honeypots continued
    network for, 296–298, 297f, 350–352, 351f
    and number, 286
  misconceptions about, 9, 44, 388
  misconfiguration of, 284–285, 389–390
  mistakes in, 54
  number of, determining, 285–286, 346–347, 347f
  operating systems for, selection of, 280, 283–285, 361
  organizational limits on, 368–369
  port forwarding to, NAT for, 301–302, 303f
  prepackaged, increase in, 390–391
  prioritizing, for alerts, 313
  vs. production systems, 40
  realism in, 307
  resource exhaustion and, 51–52
  return on investment in, 52–53
  risk posed by, 55, 302–305
  in security policy, 70
  selecting, 280–285, 361–362
  simplicity of, 52
  with sniffers, 292, 292f
  specialization of, 392–393
  timeline of, 33–34
  tool download with, 331
  unknown exploits captured by, 39
  updating, 338–339, 355–356
  value of, 359
  worm capture with, selection for, 281, 361
HTTP (Hyper-Text Transfer Protocol)
  automated attacks against, and port monitors, 171–172, 172f
  in BackOfficer Friendly, 94, 97
  in Specter, configuration of, 124
  vulnerabilities in, 365
HTTP document, in Specter, 136
HTTP server head, in Specter, 136
Huger, Alfred, 5

I

iButton, 198–199, 207, 223
ICMP packets
  for fingerprinting, 118, 333–335, 335f
  in Honeyd, 144, 163, 164f
IIS (Microsoft Internet Information Server), CodeRed and, 19–21
IMAP (Internet Message Access Protocol), in BackOfficer Friendly, 98
IMAP4 (Internet Message Access Protocol), in Specter, 125
Implementation, for data capture, 291–295
Incident response
  alerts in, 310
  BackOfficer Friendly for, value in, 91
  data control in, 319
  developing, honeynets for, 236–238
  in DMZ, 66
  evidence collection in, 64–65
  in GenII honeynets, 259
  in Honeyd, 154–157
  Honeypots for, 278
    alerts from, and production services, 353
    attacks on, 356–357
    deployment of, 346–347, 347f
    effectiveness of, optimizing, 348–349
    location of, 287f, 289
    purpose of, 344–345
    response procedure for, 317, 355
    selecting, 279
  and information sharing, 237
  with jails, 185
  level of interaction and, 345

Incident response continued
  ManTrap for, 198, 345–346
  preparation for, 67–68
  procedures for
    active value of, 316–317
    development of, 355
    documenting, 318–319
    for honeynets, 364
    options for, 315–316
    passive, 317
  in production Honeypots, 66
  purpose of, 64
  remote access in, 319
  roles in, 318
Incidents.org, 179, 366, 394
Information gathering. See also Data entries
  with BackOfficer Friendly, 100–101
  with high-interaction Honeypots, 82
  with Honeyd, 163–165
  with honeynets, 268
  with jails, 189–190
  by level of interaction, 77, 77t
  with low-interaction Honeypots, 79
  in ManTrap, 214–215
  with medium-interaction Honeypots, 81
  with Specter, 112–113, 124–126, 129, 134–138
Installation
  of BackOfficer Friendly, 95, 96f, 104
  of high-interaction Honeypots, 82
  of Honeyd, 157
  of jails, 187–188
  by level of interaction, 77, 77f
  of low-interaction Honeypots, 78
  of ManTrap, 205–211
  of medium-interaction Honeypots, 81
  of Specter, 119
Intelligence Gathering, in Specter, 135–137
Internal network
  connection from, 358–359
  monitoring of, 42–44, 43f
Internet Chat Relay. See IRC
Internet Message Access Protocol. See IMAP
Intrusion Detection System (IDS)
  adoption of technology, 388
  alerts from, 222–223
  data aggregation with, 61
  data capture by, 250–253, 252f
  deployment and, 362
  for detection, 59
  evasion of, 61
  false negatives in, 60–61
  false positives in, 59–60
  and firewalls, combining, 256
  for honeynets, and deployment, 362
  integration of, with Honeypots, 392
  interface of, 250–251
  method used by, 60
  remote logging with, 253
  resource exhaustion and, 51
  role of, 251
  as sniffers, 222–223
  Specter as, 112
  in trend analysis, 235
  updating, 365
  use of, 41
Intrusion Detection Systems gateway. See also Hogwash IDS gateway
  advantages of, 257–259
  alerts from, 266–267, 267f
  in GenII honeynets, 257
  maintaining, 264
  signature database of, 257
IP addresses
  aliased, 51
  binding (See ARP proxy)

IP addresses continued
  emulation of, in Honeyd
    ARP proxy for, 153–154, 154f
    operation of, 146
    overview of, 142
    value of, 144–145
  logging, with Snort, 328
  and MAC identifiers, association of, 150, 150f
  monitoring, with Honeyd
    operation of, 145–146
    overview of, 142
    value of, 144
  in network layer, 149
  vs. resolved names, in data capture, 295
  source, analysis of, 320–324, 321f, 323f, 324f
  translation of, NAT for, 298
IP protocols, 411–413
IP stack, emulation of
  in Honeyd, 143, 156–157, 156f, 159
  and Specter, 118–119, 138
IPTables firewall, for GenI honeynets, 246
IRC (Internet Chat Relay)
  capture of, 377, 379
  definition of, 1
  in DoS attacks, 27
  as exploit resource, 15
  in hacking community, 1–2

J

Jail(s). See also Homemade Honeypots; ManTrap cages
  vs. chroot, 184
  concept of, 169
  configuration of, 187–188
  customizable, 183
  deception with, 184–185
  definition of, 36
  deployment of, 188
  description of, 182
  for detection, 185
  detection of, by attackers, 190
  disadvantages of, 186
  flexibility of, 184–186
  information gathering with, 189–190
  installation of, 187–188
  level of interaction in, 184
  logging in, 189
  maintenance of, 188
  in medium-interaction Honeypot, 80
  monitoring, 189–190, 189f
  operating systems for, 184
  operation of, 186–187
  original use of, 182–183
  vs. port monitors, 169
  as research Honeypots, 185–186
  for response, 185
  risk with, 55, 190–191
  value of, 184–186
Jail breaking, risk of, 190–191, 226–227

K

Kernel
  for data capture, 260
  definition of, 201
  in ManTrap, 201–202, 214–215
  rootkits for, 271
Kernel modification, use of, 30
Keystroke capture
  for data analysis, 329, 358
  for data collection, 268–269
  with GenII honeynets, 260
  with Intrusion Detection Systems, 251
  in ManTrap, reviewing, 219–220, 220f
  remote forwarding of, 254, 254f
  in security policy, 368–369
Keystroke reply, in ManTrap, 224–225, 224f

Know Your Enemy (Honeynet Project), 38, 230

L

LaBrea Tarpit, for internal network monitoring, 43
Leaves worm, capture and analysis of, 38–39, 178–181
Legal issues, with Honeypots
  consent and, 376–379
  data collection and, 375–376
  entrapment and, 380–381
  liability and, 381–383
  organizational, 368–369
  precedent in, 369–371
  privacy and, 371–374
  Service Provider Protection exception and, 379–380
  variables in, 367–368
Level of interaction
  definition of, 73
  guidelines for, 281–282
  in Honeyd, modification of, 143–144
  in honeynets, 229, 274, 345
  in Honeypots
    for detection, 343–344
    selection of, 280–282, 361
  in jails, 184
  in ManTrap, 193
  risk in, 281, 303–304
  tradeoffs between, 74, 76–77, 77t
Liability, legal issues of, 381–383
Link layer, purpose of, 148f, 149
localhost, for Honeypot attack, 105
Log(s)
  aggregation of, 295–298
  in BackOfficer Friendly, 101–102, 399–405
  by firewalls, 250, 251f
  integrity of, and iButton, 223
  by Intrusion Detection Systems, 250–251
  of IP addresses, 328
  by jails, 189
  by low-interaction Honeypots, in trend analysis, 324–325
  by ManTrap cages
    configuration of, 209–210, 209f
    location of, 214–215
  by ManTrap, reviewing, 217–218, 219f
  network for, 296–298, 297f, 350–352, 351f
  protection of, with iButton, 199
  remote (See Remote logging)
  by Snort, for data analysis, 327–329, 328f, 329f, 332, 333f
  by Specter, 132–138
  storage of, 298
Log Analyzer, for information gathering, in Specter, 132, 132f
Log server
  alerts from, 352
  attacks against, 253
  for data capture
    analysis of, 356–357
    for honeynets, 253, 266, 266f, 273, 363
    for Honeypots, 352–356
    maximizing, 293
  encryption and, 273
Loopback, use of, 202–204
Low-interaction Honeypot
  advantages and disadvantages of, 79
  capabilities of, 74–75, 78–79
  data analysis with, 320–324, 321f, 323f, 324f
  definition of, 74
  due diligence for, 382
  example of, 74–75, 74f, 78–79

Low-interaction Honeypot continued
  vs. high-interaction Honeypots, 344, 345
  improvement of, future, 393
  logs of, for trend analysis, 324–325
Luckgo, 17
Luckroot, 17–19, 18f
Luckscan, 17
Luckstatdx, 17

M

MAC (modify, access, change), 65, 269
MAC (Media Access Control) identifiers
  composition of, 149–150
  in Ethernet, 149–151
  and IP addresses, association of, 150, 150f
  in ManTrap, 206
  unknown, finding, 151f, 152–153
Maintenance
  alerts in, 310
  data analysis in, 320
  ease of, improving, 389–390
  of high-interaction Honeypots, 82
  of Honeyd, 162–163
  of honeynets, 263–265, 364–365
  of Honeypots, 352–356
  of jails, 188
  by level of interaction, 77, 77f
  of low-interaction Honeypots, 78
  of ManTrap, 213–214
  of medium-interaction Honeypots, 81
  of Specter, 127–128
Management
  of BackOfficer Friendly, 98–99
  ease of, improving, 389–390
  of honeynets, networks for, 362
  of Honeypots, network for, 296–298, 297f, 350–352, 351f
    and number of Honeypots, 286
ManTrap. See also iButton
  activity capture with
    at application level, 220–221
    reviewing, 217–218, 219f
    value of, 198
  advantages and disadvantages of, 227t
  alerts in, 215–218, 216f
  cages in (See ManTrap cages)
  CGM in, 207–208
  complexity of, risk with, 226
  configuration of, 205–211, 208f
  data integrity in, 223
  deployment of, 211–214
  description of, 85
  detection with, value in, 196–197
  file recovery in, 221–222
  file system in, 202–204, 203f
  firewalls for, 225–226
  hardware requirements of, 206
  host system in (See ManTrap host system)
  information gathering in, 214–215
  installation of, 205–211
  jail breaking in, 226–227
  kernel in, 201–202, 214–215
  keystroke capture in, reviewing, 219–220, 220f
  keystroke reply in, 224–225, 224f
  level of interaction of, 193
  limitations of, 194–195, 199–200
  logging in, reviewing, 217–218, 219f
  MAC identifiers in, 206
  operating system requirements of, 194–195, 199, 205–206
  operation of, 200, 200f
  overview of, 193–195
  prevention with, value of, 195–196
  process log in, alerts from, 217–218
  as research Honeypot, 198–199, 278

445

IN D E X

for response, 345–346response with, 198, 278, 279risk with, 225–227security testing with, 199services in, value of, 197sniffers and, 222–223

alerts from, 217value of, 196–197

vulnerabilities in, 195–196ManTrap cages. See also Jail(s)

alerting in, 209–210, 209fcompromising, 193, 195–196configuration of, 207, 208f, 209–210,

209fcustomization of, 207–208, 210–211deployment of, 211–212, 212ffile capture from, 221–222file system in, 202–204, 203f, 204fflexibility of, 194host file system in, 202–204, 203fidentification of, by attackers, 205, 226kernel sharing by, 201–202limitations in, 205logging in, 209–210, 209f, 214–215operation of, 200, 200f, 204–205, 205foverview of, 194

ManTrap host system
  building, 206–207
  configuration of, 207, 208f
  customization of, 207
  deployment of, 212–213, 213f
  file system in, 202–204, 203f
  kernel sharing by, 201–202
  operation of, 200, 200f

Mass-rooters, 19, 20f, 232–233, 233f, 234f
MD5 checksum, as data analysis preparation, 337
Media Access Control identifiers. See MAC identifiers

Medium-interaction Honeypot, 80–81, 393
MEECES (Money, Ego, Entertainment, Cause, Entrance), 27
Memory, worms residing in, 38, 173
MICE (Money, Ideology, Compromise, Ego), 27
Microsoft Internet Information Server (IIS), CodeRed and, 19–21
modify, access, change (MAC), 65, 269
Motives, for attacks, 27–29, 69

N
NAT (Network Address Translation), 298–301, 300f, 301f, 349
National Infrastructure Protection Center (NIPC), 39, 181
NETBUS, in Specter, configuration of, 124
netcat utility
  and expected behaviors, 176–177, 179
  for port listening, in attacks, 331
  for port monitoring, 174–177, 175f, 176f, 177f
  for remote connections, 179–180
NetFacade, 37
NetForensics, for data storage, 298
NetSec, 84
netstat command, listening ports identified with
  and BackOfficer Friendly, 94–95, 94f, 105, 105f
  and Specter, 115

Network(s). See also DMZ; Internal network
  analysis of, Ethereal for, 331–332
  attack on, 359, 360f
  diagrams of, notation for, xxii
  under ECPA, 374
  emulation of, 37
  for honeynet management, 362
  for Honeypot management, 296–298, 297f, 350–352, 351f
  for logging, 296–298, 297f, 350–352, 351f
  notation for, 141–142
  privacy on, 371
  virtual, in Honeyd, 162

Network Address Translation (NAT), 298–301, 300f, 301f, 349

Network capture
  and encryption, 272
  for file recovery, 271–272
  in honeynets, 267, 268f, 269–272, 270f
  in ManTrap, 214
Network Flight Recorder, 83
Network Intrusion Detection System. See Intrusion Detection System
Network layer, purpose of, 148f, 149
Network sweeps, covert, 50–51, 50f
Network traffic
  forwarding
    future solutions for, 392
    to Honeyd, 146–147, 147f (See also ARP spoofing)
    with NAT, 301–302, 303f
  monitoring, and encryption, 29–30
Network Voice Protocol, as backdoor, 232–233, 233f, 234f
Nimda worm, 22–24
NIPC (National Infrastructure Protection Center), 39, 181
Nmap, for fingerprinting, 118, 143, 155, 157, 158f

O
Open character, in Specter behavior settings, 121, 122f
Open option, for service emulation, in Honeyd configuration, 160
Open sockets. See Port listeners
OpenSource, definition of, 142
Operating systems
  configuration of, and familiarity, 284
  emulation of
    in Honeyd, 143, 155, 156–157, 156f
    in medium-interaction Honeypot, 80
    in Specter, 111–112, 115–118, 116f, 117f, 120–121, 138
  fingerprinting of
    for data analysis, 332–335, 334f, 335f
    and Honeyd, 155–156
  for Honeypots, 344, 345
    selection of, 280, 283–285, 361
  and ManTrap, 193–195, 199, 205–206
  risk to, 137–138, 181–182
  securing, for risk mitigation, 304, 357
  updating, 338, 365

Outbound traffic. See also Data control
  alerts for, 248–249, 249f
    prioritizing, 312–313, 313f
  allowing, 8
  controlling with routers, 248
  firewall for, 6
  in GenI honeynets, 244–248
  honeynet sensor and, 258–259
  in honeynets, 363–364
  limiting, 245–246, 363–364
  necessity of, 245
  risk of, 225–226, 255

P
Packeting, as motive for attack, 27
Palisade Systems, 391
Passive OS fingerprinting
  for data analysis, 332–335, 334f, 335f
  and Honeyd, 155–156
  in Honeypot appliances, 390

Password(s), failure of, 59


Password files, downloading, 110, 114, 117–118
  configuration for, 125–126
Pen Register/Trap and Trace Statute (Pen/Trap), privacy under, 372, 374–380
Platform. See Operating systems
Political motives, for attacking, 28
POP3
  in BackOfficer Friendly, 94, 98
  in Specter, configuration of, 124
Port forwarding, NAT for, 301–302
Port listeners
  in BackOfficer Friendly, 93–94
  netcat for, in attacks, 331
  in Specter, 113
  for worm capture, selection for, 281–282

Port misconfiguration, 357
Port monitors. See also Homemade Honeypots; netcat utility
  capture with, 172–173, 181
  definition of, 168
  detection with, 170–172, 172f
  emulation capabilities in, 177–181
  vs. jails, 169
  overview of, 169–170
  as research Honeypots, 170, 181
  risk associated with, 181–182
  service emulation in, 180–181
  value of, 170–173

Portscan, in Specter, for information gathering, 136

Prevention. See also Deception; Deterrence
  with BackOfficer Friendly, 91
  definition of, 56
  Honeypots for, 278, 287–288, 287f
  with ManTrap, value of, 195–196
  production Honeypots in, 56–58

Privacy, in Honeypot legal issues, 371–374

Private addressing (RFC 1918), definition of, 298–299

Process log, alerts from, 217–218, 219f
Production Honeypots. See also Detection; Incident response; Prevention
  detection problems addressed by, 61–62
  for DMZ monitoring, 62–63, 63f
  for evidence collection, 66
  field of view of, 64
  Honeyd as, 142
  honeynets as, 231
  incident response in, 66, 67f
  jails as, 184
  location of, 286
  number of, determining, 285
  in prevention, 56–58
  purpose of, 44–45, 55
  vs. research Honeypots, 46
  role of, defining, 278–279
  specialization of, 392–393
  use of, 69
  value of, 278

Production networks
  GenII honeynets in, 257, 258f
  Honeyd deployment on, 163

Production systems
  in honeynets, 229
  and Honeypots, 40, 348
  retiring, as Honeypots, 42, 43f
  spoofed attacks from, 54

Propagation, and multiple vulnerability scans, 22–24

Provos, Niels, 84, 142
Proxying, in Honeyd, 159f, 161–162

R
rain forest puppy, Windows Web Server emulation script by, 161

Random character, in Specter behavior settings, 123

Ranum, Marcus, 38, 83
Recourse, 85
Red Hat Linux, 6, 7f, 12
Remote alerts, in Specter, 113
Remote connections, 179–180, 319, 331
Remote logging, 253, 266
Remote management
  and BackOfficer Friendly, 98–99
  of ManTrap, 213–214, 213f
  of Specter, 127, 128f

Research Honeypots
  advanced blackhats studied with, 395–396
  alerts in, 310
  BackOfficer Friendly as, 91–92
  commercial use of, 394
  in distributed environments, 396–397
  for early warning and detection, 69, 394
  fingerprinting of, 54
  honey cards used in, 395–396
  Honeyd as, 142
  honeynets as, 231–232, 362
  Honeypots for, 278
  jails as, 185–186
  location of, 286, 287f, 290–291
  ManTrap as, 198–199
  number of, determining, 285
  port monitors as, 170, 181
  vs. production Honeypots, 46
  purpose of, 44–46, 68
  response procedure for, 317, 327
  role of, defining, 279
  specialization of, 392–393
  Specter as, 112–113, 134
  trend analysis with, 235
  unknown exploits identified with, 396
  uses of, 69–70
  value of, 278

Reset option, for service emulation, 160
Resolved names, vs. IP addresses, in data capture, 295
Resource exhaustion, Honeypots and, 51–52
Response. See Incident response
Return on investment, in Honeypots, 52–53
Risk
  from auto-rooters, 29
  and BackOfficer Friendly, 102
  with high-interaction Honeypots, 82
  and Honeyd, 165
  with honeynets, 274–275
  with Honeypots, 55
  with Honeypots, mitigating, 302–305, 349–350
  identification of, with BackOfficer Friendly, 92–93
  with jails, 55, 190–191
  and level of interaction, 77, 77f, 281
  with low-interaction Honeypots, 78
  with ManTrap, 225–227
  with medium-interaction Honeypots, 81
  and Specter, 137–138
  updating and, 338

Roesch, Marty, 37
Rootkits, 2, 271
Routers, 248, 294
rpc.statd exploit, 2, 17
RST packets, closing connection with, 98, 99f
Russell, Ryan, 174

S
Salgado, Richard, 370–371
Scanning, 13, 21–22
Screen shots, remote forwarding of, 254

Script(s)
  for attacks, 366
  in Honeyd, 160–161, 161f
  for ManTrap cage customization, 210

Script kiddies, 11–12, 14
Script option, for service emulation, 160
Secure character, in Specter behavior settings, 121
Secure Shell (SSH), 125, 365
Security policy, 70, 316, 368–369
Security testing, with ManTrap, 199
SecurityFocus.com, 174, 366, 394
Sendmail Honeypot, 169
September 11, 2001, hacking after, 28
Service Provider Protection exception, 379–380
Services
  emulation of
    in BackOfficer Friendly, 98, 102
    in Honeyd (See Honeyd, service emulation in)
    with port monitors, 180–181
    in Specter, 110–111, 123–124, 125f
  in ManTrap, value of, 197
  vulnerable, 14, 182–183

SESSION files, for keystroke capture, 329–330, 330f

Short Mail, 129, 130, 130f
Signatures
  in Honeypot detection, 349–350
  in Intrusion Detection Systems gateway, 257, 264
  in jail identification, 190

Silk Rope, for Back Orifice, 89
Simple Mail Transfer Protocol. See SMTP
Smoke Detector Honeypot appliance, 391
SMTP (Simple Mail Transfer Protocol)
  in BackOfficer Friendly, 94, 97
  in Specter, configuration of, 123

SMTP banner, in Specter, for information gathering, 136

Sniffers. See also Snort
  and Honeyd, 164
  with Honeypots, 292, 292f
  Intrusion Detection Systems as, 222–223
  for jails, 189, 189f
  ManTrap and, 196–197, 217, 222–223
  syslog information capture with, 293

Snort. See also Hogwash IDS gateway
  configuration file for, 329, 407–409
  for data capture, 266, 267, 267f
  development of, 37
  as honeynet Intrusion Detection System, 252–253
  with Honeypots, 292, 292f
  for jails, 189, 189f
  keystroke capture with, 329–330, 330f
  log capture of, for data analysis, 327–329, 328f, 329f, 332, 333f
  packet payload from, 329
  timestamping in, 330

Song, Dug, on blackholing, 144–145
Specter
  advantages and disadvantages of, 138t
  alerts in, 113, 126–127, 129–131, 130f, 131f
  vs. BackOfficer Friendly, 110
  behavior setting in, 114–115
  character in, configuration of, 121–123, 122f, 123f
  configuration of, 119, 120f
    for alerts, 126–127
    character in, 121–123, 122f, 123f
    information gathering in, 124–126
    operating system emulation in, 120–121
    password files in, 125–126
    service emulation in, 123–124, 125f
    traps in, 124–125
  customizing, 112, 350
  deception with, 112, 114
  description of, 84
  deterrence with, 112, 114–115
  effectiveness of, optimizing, 348–349
  fingerprinting of, 112, 118–119
  flexibility of, 112
  information gathering with, 112–113, 129, 133–137
    configuration of, 124–126
    risk in using, 136–138
  initialization of, 127
  installation of, 119
  IP stack emulation and, 118–119, 138
  level of interaction of, 110
  operating system emulation in, 111–112, 115–118, 116f, 117f
    configuration of, 120–121
    risk in, 138
  operation of, 115–119
  overview of, 109–112
  password files in, 110, 117–118, 125–126
  port listeners in, 113, 115–118
  prevention with, 278
  remote management of, 127, 128f
  as research Honeypot, 112–113, 132
  risk from using, 137–138
  service emulation in, 110–111, 111f, 123–124, 125f
  system requirements for, 109
  traps in, 111, 124–125
  updating, 339
  value of, 112–115
  vulnerability emulation in, 110, 111f, 114

Spoofing. See specific types
SSH (Secure Shell), 125, 365
State law, consent under, 377
Stoll, Clifford, hacker tracking by, 34–35
strace(1), for jail monitoring, 190
Strange character, in Specter behavior settings, 114, 122
Sub7 Trojan
  and Leaves worms, 38–39, 178–181
  overview of, 178, 179f
  in Specter configuration, 125

SUN-RPC, in Specter configuration, 125
Swatch, for syslog monitoring, 164–165, 352
Syslog/syslogd
  disabling, 253
  in Honeyd, 163–165, 164f
  maximizing, 293
  and sniffers, 293
  in Specter, 135, 135f
System, 6, 14
System, compromised. See Compromised systems
System logs
  data aggregation with, 61
  maintaining, 264
  reviewing, 267, 267f, 356–357, 358

System processes, in ManTrap cages, 204–205, 205f

T
Targets of choice
  deception and deterrence and, 57
  GenI technologies and, 243
  hacking, 25–27
  honeynets as, 262–263

Targets of opportunity. See also Auto-rooters; Worm(s)
  deception and deterrence and, 57
  GenI technologies and, 243
  hacking, steps in, 14–15

TASK, for forensic analysis, 332
TCP/IP protocol suite, layers of, 148–152, 148f
Telnet, 97, 123
Telnet banner, in Specter, 136
Templates, in Honeyd configuration, 158, 159f
Test beds, honeynets as, 238, 364
Testing, for risk mitigation, 305
Time zones, in data capture, 241
Timestamp, in Snort logs, 330
Tiny Honeypot, 169
"To Build a Honeypot," 230
Tracer, for information gathering, 136
Traceroute, for information gathering, 136
Transactional data, under Wiretap Act and Pen/Trap statute, 375
Transport layer, purpose of, 148f, 149
Traps, 111, 124–125
Trend analysis
  alerts archive in, 314–315
  data analysis in, 335
  with honeynets, 235–236
  with low-interaction Honeypot logs, 324–325
Tripwire, for MD5 checksum, 337
truss(1), for jail monitoring, 190
TTY Watcher, for remote data capture, in honeynets, 253–254

U
UDP services, in Honeyd, 143–144
Ullrich, Johannes B., 180–181
Updates, 338–339, 355–356, 365
Uptime, spoofing, in Honeyd, 162
U.S. Constitution, privacy under, 372–374
U.S. Patriot Act, privacy and, 380

User Mode Linux (UML), for virtual honeynets, 262

"Using Chroot Security" (Chuvakin), on jail breaking, 190–191

V
Virtual honeynets, 261–262
Virtual operating systems
  in Honeyd, 143, 155, 156–157, 156f
  in medium-interaction Honeypot, 80
  in Specter, 111–112, 115–118, 116f, 117f, 120–121, 138
VMWare, for virtual honeynets, 262
Vulnerabilities
  attack on, analysis of, 365–366
  emulation of, in Specter, 110, 111f, 114
  identification of, 14
  jails for, 182–183
  in ManTrap, 195–196, 216
  patches for, 25
  scanning for multiple, 22
  updates for, 338–339

W
Whois, in Specter, for information gathering, 136
Wiretap Act (Title III), privacy under, 372, 374–380
Worm(s)
  capture of, 38, 69
    Honeypot selection for, 281, 361
    with netcat, 174–177, 175f, 176f, 177f
    with port monitors, 172–173
  capture statistics for, 13
  for CPU cycle takeover, 28
  definition of, 19
  devastation of, 19–21
  growth in, 38
  mutation of, 29
wwwhack, 16f
  method of, 15

X
X, for fingerprinting, 118, 155

Z
Zero0, 271
