INDEX

Note: Page numbers followed by f and t indicate figures and tables, respectively.
A
ACID, for data storage, 298, 336, 336f
Active countermeasures, risk in using, 136–138
Activity capture. See Data capture
adb(1), for jail monitoring, 190
Address Resolution Protocol (ARP), for MAC identifiers, 151–152, 152f
ADMmutate, 61, 274–275
Aggressive character, in Specter behavior settings, 114, 121–122, 123f
Alert(s)
  by Alert Mail, 130–131, 131f
  archiving, 314–315
  in BackOfficer Friendly, 100–101, 100f, 101f
    reviewing, 107, 107f
    saving, 101–102, 107, 108f, 399–405
    vs. Specter, 113
    value of, 92–93
  critical content of, 311, 312f
  in data control, 248–249, 249f
  in detection, 310, 352–353, 353f
  from firewalls, 354, 354f
    in honeynets, 248–249, 249f
    logging, 350–352
  in GenI honeynets
    from firewalls, 248–249, 249f
    from Intrusion Detection Systems, 251–252
  in high-interaction Honeypots, 326–327
  in Honeyd, 164–165
  in honeynets, 248–249, 249f, 364, 423–427 (See also GenI honeynets)
  in Honeypots goals, 343
  from IDS gateway, 266–267, 267f
  from Intrusion Detection Systems, 222–223, 251–252
  from log server, 352, 363
  logging, 350–352
  in maintenance, 310
  in ManTrap, 215–218, 216f
Spitzner.book Page 429 Sunday, August 18, 2002 9:44 PM
  in ManTrap cages, 209–210, 209f
  misconfiguration and, 284–285
  for outbound traffic, 248–249, 249f
  prioritizing, 312–314, 313f, 315f
  redundancy in, 310–311
  reliability of, 310–311
  in research Honeypots, 310
  in response Honeypots, 310, 353
  reviewing, 107, 107f
  saving, 101–102, 107, 108f, 399–405
  by Short Mail, 129, 130f
  simplicity of, 310
  in Specter
    by Alert Mail, 130–131, 131f
    configuration of, 126–127
    by Short Mail, 129, 130f
    value of, 113
Alert Mail, in Specter, 130, 131f
Al-Qaeda, hacking threats and, 28
Ann Arbor Networks, blackhole monitoring by, 144
Application(s), in ManTrap, 196, 199–200
Application layer
  data capture at, in ManTrap, 220–221
  emulation of, in Honeyd, 156–157, 156f
  purpose of, 148f, 149
Application logs
  data aggregation with, 61
  for information gathering, in Specter, 133
  in jails, 189
Arkin, Ofir, 334
ARP (Address Resolution Protocol), for MAC identifiers, 151–152, 152f
ARP proxy, in Honeyd, 153–154, 154f, 159
ARP spoofing
  definition of, 148
  in Honeyd, 152–153
  risk in, 165
ARP table, 150–152, 150f
Arpd utility, 148, 152, 162
Attack(s)
  on BackOfficer Friendly, 105–106, 106f
  on detection Honeypots, 357–358
  on GenI honeynets, example of, 265–274, 273f
  on honeynets, analysis of, 365–366
  information sharing after, 236–237
  against log servers, 253
  modifying, 259
  motives for, 27–29, 69
  netcat utility in, 331
  on networks, 359, 360f
  on response Honeypots, 356–357
  scripts for, 366
  steps in, 14, 15
  throttling, 259
Attackers. See Hacker(s)
  identifying, with file recovery, 221–222
  IRC used by, 1–2
  learning about, 8
  luring vs. capturing, 44
  motives of, 27–29, 69
  privacy protection for, 373, 376
  skill levels of, 11–12, 14, 75–76, 269
  threats from, 12–13
  tracking, 34–35, 64–65
  traditional defense against, 4
  types of, 11–12
Authentication, 56, 152
Automated tools. See Auto-rooters
Auto-rooters. See also Luckroot
  capture of, 69, 361
  detection of, port monitors for, 170–171
  evolution of, studying, 234–235
  FTP attack with, 365
  interchangeability in, 18–19
  vs. mass-rooters, 19
  method of, 15–16
  randomness of, 16–17
  risk posed by, 29

B
Back Orifice, 88–90, 89f
Backdoors, rootkits for creating, 2
BackOfficer Friendly (BOF)
  advantages and disadvantages of, 103t
  alerts in, 100–101, 100f, 101f
    reviewing, 107, 107f
    saving, 101–102, 107, 108f, 399–405
    vs. Specter, 113
  attack on, 105–106, 106f
  configuration of, 95–98, 96f, 97f, 104, 104f
  description of, 83
  example using, 74–75, 74f
  fingerprinting of, 102
  information gathering in, 100–101
  installation of, 95, 96f, 104
  logging in, 101–102, 399–405
  management of, 98–99
  operation of, 93–95
  original use of, 90–91
  overview of, 87–91
  release of, 38
  and remote management, 98–99
  for response, 279
  risk associated with, 102
  service emulation in, 98
  vs. Specter, 92–93, 110
  tutorial for, 103–108
  value of, 91–93
Banners, consent, 376–379, 378f
bash, modified version of, for remote data capture, 254, 272–273, 273f
BIND8 service, jails for, 187–188
Blackhat(s), advanced
  definition of, 12
  meritocratic nature of, 28
  studying, with research Honeypots, 395–396
  targets of, 25–27
  tools of, 25–26, 68
  trail of, 25–26
Blackhat(s), low-level, 11–12, 14
Blackholing
  definition of, 144–145
  deployment of, 163
  in Honeyd, 144–147
  intent of, 145
  risk in, 165
Block option, in Honeyd configuration, 160
BOF. See BackOfficer Friendly
BO2K Trojan, in Specter configuration, 125
BOTs, 1–2, 27
Bragging rights, as motive for attack, 28
BUTTplugs, for Back Orifice, 88–90

C
CAIDA (Cooperative Association for Internet Data Analysis), blackhole monitoring analysis by, 145
CDE Subprocess Control Service (dtspcd), exploit for, 39
CERT, statistics released by, 13
CGM (Content Generation Module), in ManTrap, 207–208
Character, in Specter, configuration of, 121–123, 122f, 123f
chroot. See Jail(s)
chroot command, for ManTrap cage customization, 210, 211f
Chuvakin, Anton, on jail breaking, 190–191
CodeRed II worm
  capture and analysis of, 39, 173–174
  release of, 21–22, 23f
CodeRed worm, 19–21, 21f
Commercial Honeypots
  vs. homemade Honeypots, 344, 345
    selection of, 280, 282–283, 361
  increase in, 390–391
Compromised systems
  and Back Orifice, 90
  as currency, 28
  data control in, 350
  evidence gathered from, 65–66
  forensic analysis of, 332
  liability issues with, 381–383
  monitoring, real-time, 364
  patching, 66
Configuration
  and alerts, 284–285
  of BackOfficer Friendly, 95–98, 96f, 97f, 104, 104f
  of high-interaction Honeypots, 82
  of Honeyd, 158–162, 159f
  of jails, 187–188
  by level of interaction, 77, 77f
  of low-interaction Honeypots, 78
  of ManTrap, 205–211
  of medium-interaction Honeypots, 81
  of Specter, 119, 120f
  testing, scripts for, 161, 161f
Consent banners, 376–379, 378f
Consent, federal law exceptions for, 376–379
Constitution, U.S., privacy under, 372–374
Content Generation Module (CGM), in ManTrap, 207–208
Contraband, Honeypot storage of, 382–383
Cooperative Association for Internet Data Analysis (CAIDA), blackhole monitoring analysis by, 145
Corporate espionage, as motive for attack, 28
Countermeasures, active, risk in using, 137–138
CPU cycles, as motive for attack, 28
Credit cards, as motive for attack, 28
The Cuckoo's Egg (Stoll), 34–35
Cult of the Dead Cow, Back Orifice released by, 88
CyberCop Sting, 5, 36–37

D
Data
  storage of, 241, 250, 298, 336, 336f
  transactional, under Wiretap Act and Pen/Trap statute, 375
  value of, in Honeypots, 49–51
Data aggregation. See also Data capture
  for data analysis, 335–336
  database for, 335
  definition of, 59
  management of, 295–298
  problem of, 61
  production Honeypots and, 62, 63
  value in, 296
Data analysis
  data aggregation for, 335–336
  for detection Honeypots, 358
  with high-interaction Honeypots, 325
  in Honeypot maintenance, 320
  keystroke capture for, 329
  with low-interaction Honeypots, 320–325, 321f, 323f, 324f
  passive, 332–335, 334f, 335f
  preparation for, in deployment, 337
Data capture. See also Keystroke capture; Log(s)
  archiving, 241
  definition of, 416
  and deployment, 263–264, 362
  and encryption, 198, 202, 255–256, 260
  firewalls for, 250, 251f, 363
  in GenI honeynets, 255–256
  in GenII honeynets, 260
  in honeynets
    definition of, 239
    and deployment, 263–264, 362
    and encryption, 255–256, 260
    firewalls for, 250, 251f, 363
    Intrusion Detection Systems for, 250–253, 252f
    log server for, 253, 266, 266f, 273
    purpose of, 240–241
    remote, 253–254, 272–273, 273f
    requirements for, 241
    Snort for, 266
    storage of, 241, 250
  in Honeypots, 291–295, 352–356
  Intrusion Detection Systems for, 250–253, 252f
  IP addresses vs. resolved names in, 295
  kernel in, 201–202, 260
  log server for
    in honeynets, 253, 266, 266f, 273
    for Honeypots, 352–356
  in ManTrap
    at application layer, 220–221
    and encryption, 198, 202
    kernel in, 201–202
    reviewing, 217–218, 219f
    value of, 198
  maximizing, 291–293
  redundancy in, 293–295
  remote, 253–254, 272–273, 273f
  requirements for, 241, 417–418
  reviewing, 217–218, 219f
  Snort for, 266
  standards for, 419
  storage of, 241, 250, 298
    ECPA and, 374
Data collection
  definition of, 416
  with GenII honeynets, 260–261
  with honeynets
    definition of, 239
    and deployment, 264
    elements of, 242
    purpose of, 241–242
  integrity in, 261
  legal issues with, 375–376
  requirements for, 418
  standardized format for, 261
  standards for, 419–421
Data control
  alerts for, 248–249, 249f
  automating, 240
  bypassing, 274–275
  for compromised systems, 350
  definition of, 416
  and deployment, 263–264, 362
  and due diligence, 382
  firewalls for, 363
  in GenI honeynets, 243–249, 250f, 255
  in GenII honeynets, 256–260
  in honeynets (See also Outbound traffic)
    alerts for, 248–249, 249f
    automating, 240
    bypassing, 274–275
    definition of, 239
    and deployment, 263–264, 362
    firewalls for, 363
    layers of, 248
    purpose of, 239–240
    requirements for, 240
  Honeypot location and, 290–291
  requirements for, 240, 416–417
  in response procedures, 319
  for risk mitigation, 304–305
  and updating, 365
Database
  for data aggregation, 335
  for log storage, 298
Deception
  with BackOfficer Friendly, 91
  detection of Honeypots in, by attackers, 305–306
  example of, 57–58
  with honeynets, value of, 231
  Honeypots for, 278
  jails for, 184–185
  with ManTrap, value in, 195–196
  for prevention, 56–57
  with Specter, 112, 114
Deception Toolkit (DTK), 5, 36
Demarc, for data storage, 298
Demilitarized Zone. See DMZ
Denial of Service (DoS), as motive for attack, 27
Deployment
  data analysis preparation in, 337
  effectiveness and, 348
  of high-interaction Honeypots, 82
  of Honeyd, 162–163
  of honeynets, 263–265
    for research, 362–364, 363f
  of jails, 188
  by level of interaction, 77, 77f
  locations for, 286
  of low-interaction Honeypots, 78
  of ManTrap, 211–214
  of medium-interaction Honeypots, 81
  of Specter, 127
Detection. See also Alert(s)
  alerts in, 310, 352–353, 353f
  in BackOfficer Friendly, 91–93, 92f
  in Honeyd, and service emulation, 143
  with honeynets, value of, 231
  of Honeypots, 305–306, 349–350
  Honeypots for, 278
    alerts from, 352–353, 353f
    attack on, 357–358
    deployment of, 346, 347f
    effectiveness of, optimizing, 348–349
    goal of, 343
    location of, 287f, 288–289
    response procedure for, 317, 355, 357–358
  Intrusion Detection System (IDS) for, 59
  jails for, 185
  level of interaction and, 344
  with low-interaction Honeypots, 78
  with ManTrap, value in, 196–197
  with port monitors, 170–172, 172f
  problems in (See Data aggregation; False negatives; False positives)
  production Honeypots and, 61–63, 63f
  purpose of, 58
Deterrence
  with BackOfficer Friendly, 91
  detection of Honeypots in, by attackers, 305–306
  Honeypots for, 278
  with ManTrap, value in, 195–196
  for prevention, 56–57
  with Specter, 112, 114–115
Dittrich, David, 370
DMZ (Demilitarized Zone)
  incident response in, 66, 67f
  monitoring, 42, 43f, 62–63, 63f
DNS (Domain Name Service). See also BIND8 service
  jails for, 182–183, 186–187
  in Specter, 125, 136
Domain names, for honeynets, 262–263
DoS (Denial of Service), as motive for attack, 27
DTK (Deception Toolkit), 5, 36
dtspcd (CDE Subprocess Control Service), exploit for, 39

E
Early warning mechanisms
  data analysis in, 335
  honeynets as, 235
  research Honeypots as, 69, 394
Electronic Communications Privacy Act (ECPA), 372, 374
Emulation
  of application layer, in Honeyd, 156–157, 156f
  of IP addresses, in Honeyd
    ARP proxy for, 153–154, 154f
    operation of, 146
    overview of, 142
    value of, 144–145
  of IP stack
    in Honeyd, 143, 156–157, 156f, 159
    and Specter, 118–119, 138
  of networks, 37
  of operating systems
    in Honeyd, 143, 155–157, 156f
    in medium-interaction Honeypot, 80
    in Specter, 111–112, 115–118, 116f, 117f, 120–121, 138
  of services
    in BackOfficer Friendly, 98, 102
    in Honeyd, 156–157, 156f
      configuration of, 159–160
      customization of, 142
      and detection, 143
      operation of, 145–146
      for response, 154–155
      value of, 143–144
    with port monitors, 180–181
    in Specter, 110–111, 111f, 123–124, 125f
  of vulnerabilities, in Specter, 110, 111f, 114
EnCase, for forensic analysis, 332
Encryption
  activity capture and, in ManTrap, 198, 202
  data capture and
    in GenII honeynets, 260
    and log servers, 273
    and network captures, 272
  for prevention, 56
  use of, 29
Entrapment, legal issues with, 380–381
Ethereal, for network analysis, 331–332, 333f
Ethernet, in link layer, 149–151
"An Evening with Berferd in Which a Cracker Is Lured, Endured, and Studied" (Cheswick), 34, 35–36, 184
Event Log, for information gathering, in Specter, 134, 134f
Evidence, from Honeypots, 64–66
Exploits
  automatic, 15–16
  capture of
    port monitors in, 172–173
    unknown, 39, 69, 232–233, 233f, 234f, 235
  development of, 14
  downloading, via FTP, 331
  interchangeability of, in auto-rooters, 18–19
  launching, 14
  point-and-click, 15, 16f
  unknown
    capture of, 39, 69, 232–233, 233f, 234f, 235
    identification of, 396

F
Failing character, in Specter behavior settings, 122
False negatives
  definition of, 59
  eliminating, 396
  problem of, 60–61
  production Honeypots and, 61–64
  reduction of, with IDS integration, 392
False positives
  definition of, 59
  eliminating, 396
  in honeynets, 235
  problem of, 59–60
  production Honeypots and, 61, 62–63
  reduction of, 127, 392
Federal Aviation Administration (FAA), information sharing by, 236–237
Federal Wiretap Act (Title III), privacy under, 372, 374–380
File recovery
  in Ethereal, 332
  in honeynets, 271–272
  in ManTrap, 221–222
File system, in ManTrap, 202–204, 203f
File Transfer Protocol. See FTP
FINGER, in Specter
  configuration of, 124
  for information gathering, 136
Fingerprinting
  of BackOfficer Friendly, 102
  of Honeyd, 155–156
  of honeynets, 255
  of Honeypots, 54–55
  ICMP for, 118, 333–335, 335f
  mitigating, 305–307
  passive
    for data analysis, 332–335, 334f, 335f
    in Honeypot appliances, 390
  of Specter, 112, 118–119
Firewall(s)
  adoption of technology, 388–389
  alerts from, 354, 354f
    in honeynets, 248–249, 249f
    logging, 350–352
  for data capture, 250, 251f, 294–295, 294f, 363
  for data control, 248–249, 249f, 265, 350, 363
  failure of, 58
  for GenI honeynets, 244–245
  GUI for, 389, 390f
  in high-interaction Honeypots, 82
  for Honeyd, 163
  for honeynets, 244–245, 362, 363, 365
  and Honeypot location, 286
  integration of, with Honeypots, 392
  internal connections and, 359
  and Intrusion Detection Systems, combining, 256
  maintaining, 264
  for ManTrap, 225–226
  misconfiguration of, 390
  for outbound traffic, 6
  for prevention, 56
  resource exhaustion and, 51
  return on investment in, 52
  rulebase for
    for compromised systems, 350
    for honeynets, 246–247, 247f
    misconfiguration of, 390
    reviewing, 359
  use of, 40–41
FireWall-1, 246, 389, 390f
Forensic analysis, of compromised systems, 332
Fourth Amendment, 372–374
FTP (File Transfer Protocol)
  auto-rooter attack against, 365
  in BackOfficer Friendly, 94, 97
  in Specter, configuration of, 110, 111f, 123
  for tools download, 331
FTP banner, in Specter, for information gathering, 136

G
gdb(1), for jail monitoring, 190
GenI honeynets
  alerts in, 248–249, 249f, 251–252
  architecture of, 243
  capabilities of, 243
  data capture in, 255–256
  data control in, 243–249, 250f, 255
  deployment of, 265, 266f
  example attack on, 265–274, 273f
  firewalls for, 244–245, 265, 266f
    rulebase for, 246–247, 247f
  vs. GenII honeynets, 261, 362
  outbound traffic in, 244–248
  overview of, 242–243
  risk in, 255
  routers for, 248
GenII honeynets
  data capture in, 260
  data collection in, 260–261
  data control in, 256–260
  vs. GenI honeynets, 261, 362
  honeynet sensor in, 256–257
  Intrusion Detection Systems gateways in, 257–259
  network diagram of, 258f
  overview of, 256–261
  in production networks, 257, 258f
  response in, 259
GFORCE, hacking threats from, 28
Granick, Jennifer, 370
Graphical user interfaces (GUI), and ease of use, 389–390, 390f
Guest books, link from, 348–349

H
Hacked computers. See Compromised systems
Hacker(s). See Attackers
h4x0r, 3, 76
Hacking. See Attack(s)
Hard drive, wiping, for deployment, 337
Hardware requirements, for ManTrap, 206
High-interaction Honeypots
  alerts in, 326–327
  capabilities of, 75–76, 76f, 81–82
  data analysis with, 325
  definition of, 75
  due diligence for, 382
  example of, 325–326, 326f
  vs. low-interaction Honeypots, 344, 345
  privacy issues with, 371
  risk from, mitigating, 350
Hogwash IDS gateway, 259–260
Home networks, scanning of, statistics for, 13
Homemade Honeypots. See also Jail; Port monitors
  advantages of using, 167
  vs. commercial Honeypots, 344, 345
    selection of, 280, 282–283, 361
  description of, 84
  interfaces of, 282
  overview of, 168–169
  uses of, 168
  variety of, 168
Honey cards, use of, 395–396
Honeyd
  advantages and disadvantages of, 166f
  alerts in, 164–165
  ARP proxy in, 153–154, 154f, 159
  ARP spoofing in, 152–153
  ARP table in, 152, 153
  blackholing in, 144–147
  configuration of, 158–162, 159f
  deployment of, 162–163
  description of, 84
  fingerprinting of, 155–156
  firewalls for, 163
  information gathering with, 163–165
  initialization of, 157–158
  installation of, 157
  IP emulation in
    ARP proxy for, 153–154, 154f
    operation of, 146
    overview of, 142
    value of, 144–145
  IP monitoring in
    operation of, 145–146
    overview of, 142
    value of, 144
  IP stack emulation in
    configuration of, 159
    overview of, 143
  level of interaction of, modification of, 143–144
  logging with, 163, 164f
  maintenance of, 162–163
  misconfiguration of, and risk, 165
  network traffic forwarded to, 146–147, 147f (See also ARP spoofing)
  operating systems emulation in, 143, 155
  operation of, 145–157
  overview of, 142–143
  proxying in, 159f, 161–162
  response in, 154–157
  risk in using, 165
  scripts in, 160–161, 161f
  service emulation in
    configuration of, 159–160
    customization of, 142
    operation of, 145–146
    for response, 154–155
    scripts for, 160–161
    value of, 143–144
  and sniffers, 164
  value of, 143–145
  virtual networks in, 162
Honeynet(s). See also GenI honeynets; GenII honeynets
  activity on, generating, 263
  advantages and disadvantages of, 265, 275t
  alerts in, 423–427
  as architecture, 238–239
  attacks on, analysis of, 365–366
  complexity of, risk from, 274
  comprehensiveness of, 237–238
  definitions for, 416
  deployment of, 263–265, 266f
    for research, 362–364, 363f
  description of, 85–86
  distributed, 392–393
  domain names for, 262–263
  as early warning system, 235
  example attack on, 265–274, 273f
  expected activity captured by, 274–275
  false positives in, 235
  flexibility of, 265
  history of, 229–230
  information gathering with, 268
  level of interaction of, 229, 274
  maintenance of, 263–265, 364–365
  management of, networks for, 362
  monitoring, 264–265
  operation of, 238–242
  overview of, 229–231
  prevention with, value of, 231
  as production Honeypots, value of, 231
  production systems in, 229
  requirements for, 416–418
  as research Honeypots, 231–232, 278, 362
    deployment of, 362–364, 363f
  for response development, 236–238
  response procedures for, 364
  risks with, 274–275
  standards for, 419–421
  as targets of choice, 262–263
  as test beds, 238, 364
  tool evolution and, 234–235
  trend analysis with, 235–236
  unknown exploits captured with, 232–233, 233f, 234f
  updating, 365
  value of, 231–238
  virtual, 261–262
Honeynet Project
  data collection by, 50, 336, 336f, 366, 394
  formation of, 38, 230
  mission statement of, 230
Honeynet Research Alliance, 230–231, 392–393
Honeynet sensor, 256–259
Honeyp.com, overview of, 341–342
Honeyp.edu, overview of, 360
Honeypots. See also Production Honeypots; Research Honeypots
  advantages of, 49–53
  as appliances, 390–391
  auto-rooter capture with, selection for, 361
  behavior of, modifying, 306
  blending into organization, 306–307
  compromise statistics for, 12–13
  concept of, 3–4, 41
  consent banners for, 376–379, 378f
  contraband storage on, 382–383
  cost of, 52, 282, 285
  customized, 42–44, 43f, 350
  for data capture, in honeynets, 253
  data value in, 49–51, 50f
  definition of, 40, 387–388
  detection of, by attackers, 54, 349–350
  disadvantages of, 53–55
  for DMZ monitoring, 42, 43f
  failures of, 8
  field of view of, 53–54
  fingerprinting of, 54–55, 305–307
  first documented, 35
  flexible use of, 41
  goals for, 277–280, 343–346, 361–362
  government use of, 394
  in honeynets, 253
  HTTP links to, 348–349
  integration of, with other technologies, 391–392
  legality of (See Legal issues)
  level of interaction of
    for detection, 343–344
    selection of, 280–282, 361
  location of, 286, 287f, 346–347, 347f
  maintenance of, 352–356, 389–390
  management of
    ease of, improving, 389–390
    network for, 296–298, 297f, 350–352, 351f
    and number, 286
  misconceptions about, 9, 44, 388
  misconfiguration of, 284–285, 389–390
  mistakes in, 54
  number of, determining, 285–286, 346–347, 347f
  operating systems for, selection of, 280, 283–285, 361
  organizational limits on, 368–369
  port forwarding to, NAT for, 301–302, 303f
  prepackaged, increase in, 390–391
  prioritizing, for alerts, 313
  vs. production systems, 40
  realism in, 307
  resource exhaustion and, 51–52
  return on investment in, 52–53
  risk posed by, 55, 302–305
  in security policy, 70
  selecting, 280–285, 361–362
  simplicity of, 52
  with sniffers, 292, 292f
  specialization of, 392–393
  timeline of, 33–34
  tool download with, 331
  unknown exploits captured by, 39
  updating, 338–339, 355–356
  value of, 359
  worm capture with, selection for, 281, 361
HTTP (Hyper-Text Transfer Protocol)
  automated attacks against, and port monitors, 171–172, 172f
  in BackOfficer Friendly, 94, 97
  in Specter, configuration of, 124
  vulnerabilities in, 365
HTTP document, in Specter, 136
HTTP server head, in Specter, 136
Huger, Alfred, 5

I
iButton, 198–199, 207, 223
ICMP packets
  for fingerprinting, 118, 333–335, 335f
  in Honeyd, 144, 163, 164f
IIS (Microsoft Internet Information Server), CodeRed and, 19–21
IMAP (Internet Message Access Protocol), in BackOfficer Friendly, 98
IMAP4 (Internet Message Access Protocol), in Specter, 125
Implementation, for data capture, 291–295
Incident response
  alerts in, 310
  BackOfficer Friendly for, value in, 91
  data control in, 319
  developing, honeynets for, 236–238
  in DMZ, 66
  evidence collection in, 64–65
  in GenII honeynets, 259
  in Honeyd, 154–157
  Honeypots for, 278
    alerts from, and production services, 353
    attacks on, 356–357
    deployment of, 346–347, 347f
    effectiveness of, optimizing, 348–349
    location of, 287f, 289
    purpose of, 344–345
    response procedure for, 317, 355
    selecting, 279
  and information sharing, 237
  with jails, 185
  level of interaction and, 345
  ManTrap for, 198, 345–346
  preparation for, 67–68
  procedures for
    active value of, 316–317
    development of, 355
    documenting, 318–319
    for honeynets, 364
    options for, 315–316
    passive, 317
  in production Honeypots, 66
  purpose of, 64
  remote access in, 319
  roles in, 318
Incidents.org, 179, 366, 394
Information gathering. See also Data entries
  with BackOfficer Friendly, 100–101
  with high-interaction Honeypots, 82
  with Honeyd, 163–165
  with honeynets, 268
  with jails, 189–190
  by level of interaction, 77, 77t
  with low-interaction Honeypots, 79
  in ManTrap, 214–215
  with medium-interaction Honeypots, 81
  with Specter, 112–113, 124–126, 129, 134–138
Installation
  of BackOfficer Friendly, 95, 96f, 104
  of high-interaction Honeypots, 82
  of Honeyd, 157
  of jails, 187–188
  by level of interaction, 77, 77f
  of low-interaction Honeypots, 78
  of ManTrap, 205–211
  of medium-interaction Honeypots, 81
  of Specter, 119
Intelligence Gathering, in Specter, 135–137
Internal network
  connection from, 358–359
  monitoring of, 42–44, 43f
Internet Chat Relay. See IRC
Internet Message Access Protocol. See IMAP
Intrusion Detection System (IDS)
  adoption of technology, 388
  alerts from, 222–223
  data aggregation with, 61
  data capture by, 250–253, 252f
  deployment and, 362
  for detection, 59
  evasion of, 61
  false negatives in, 60–61
  false positives in, 59–60
  and firewalls, combining, 256
  for honeynets, and deployment, 362
  integration of, with Honeypots, 392
  interface of, 250–251
  method used by, 60
  remote logging with, 253
  resource exhaustion and, 51
  role of, 251
  as sniffers, 222–223
  Specter as, 112
  in trend analysis, 235
  updating, 365
  use of, 41
Intrusion Detection Systems gateway. See also Hogwash IDS gateway
  advantages of, 257–259
  alerts from, 266–267, 267f
  in GenII honeynets, 257
  maintaining, 264
  signature database of, 257
IP addresses
  aliased, 51
  binding (See ARP proxy)
  emulation of, in Honeyd
    ARP proxy for, 153–154, 154f
    operation of, 146
    overview of, 142
    value of, 144–145
  logging, with Snort, 328
  and MAC identifiers, association of, 150, 150f
  monitoring, with Honeyd
    operation of, 145–146
    overview of, 142
    value of, 144
  in network layer, 149
  vs. resolved names, in data capture, 295
  source, analysis of, 320–324, 321f, 323f, 324f
  translation of, NAT for, 298
IP protocols, 411–413
IP stack, emulation of
  in Honeyd, 143, 156–157, 156f, 159
  and Specter, 118–119, 138
IPTables firewall, for GenI honeynets, 246
IRC (Internet Chat Relay)
  capture of, 377, 379
  definition of, 1
  in DoS attacks, 27
  as exploit resource, 15
  in hacking community, 1–2

J
Jail(s). See also Homemade Honeypots; ManTrap cages
  vs. chroot, 184
  concept of, 169
  configuration of, 187–188
  customizable, 183
  deception with, 184–185
  definition of, 36
  deployment of, 188
  description of, 182
  for detection, 185
  detection of, by attackers, 190
  disadvantages of, 186
  flexibility of, 184–186
  information gathering with, 189–190
  installation of, 187–188
  level of interaction in, 184
  logging in, 189
  maintenance of, 188
  in medium-interaction Honeypot, 80
  monitoring, 189–190, 189f
  operating systems for, 184
  operation of, 186–187
  original use of, 182–183
  vs. port monitors, 169
  as research Honeypots, 185–186
  for response, 185
  risk with, 55, 190–191
  value of, 184–186
Jail breaking, risk of, 190–191, 226–227

K
Kernel
  for data capture, 260
  definition of, 201
  in ManTrap, 201–202, 214–215
  rootkits for, 271
Kernel modification, use of, 30
Keystroke capture
  for data analysis, 329, 358
  for data collection, 268–269
  with GenII honeynets, 260
  with Intrusion Detection Systems, 251
  in ManTrap, reviewing, 219–220, 220f
  remote forwarding of, 254, 254f
  in security policy, 368–369
Keystroke reply, in ManTrap, 224–225, 224f
Know Your Enemy (Honeynet Project), 38, 230

L
LaBrea Tarpit, for internal network monitoring, 43
Leaves worm, capture and analysis of, 38–39, 178–181
Legal issues, with Honeypots
  consent and, 376–379
  data collection and, 375–376
  entrapment and, 380–381
  liability and, 381–383
  organizational, 368–369
  precedent in, 369–371
  privacy and, 371–374
  Service Provider Protection exception and, 379–380
  variables in, 367–368
Level of interaction
  definition of, 73
  guidelines for, 281–282
  in Honeyd, modification of, 143–144
  in honeynets, 229, 274, 345
  in Honeypots
    for detection, 343–344
    selection of, 280–282, 361
  in jails, 184
  in ManTrap, 193
  risk in, 281, 303–304
  tradeoffs between, 74, 76–77, 77t
Liability, legal issues of, 381–383
Link layer, purpose of, 148f, 149
localhost, for Honeypot attack, 105
Log(s)
  aggregation of, 295–298
  in BackOfficer Friendly, 101–102, 399–405
  by firewalls, 250, 251f
  integrity of, and iButton, 223
  by Intrusion Detection Systems, 250–251
  of IP addresses, 328
  by jails, 189
  by low-interaction Honeypots, in trend analysis, 324–325
  by ManTrap cages
    configuration of, 209–210, 209f
    location of, 214–215
  by ManTrap, reviewing, 217–218, 219f
  network for, 296–298, 297f, 350–352, 351f
  protection of, with iButton, 199
  remote (See Remote logging)
  by Snort, for data analysis, 327–329, 328f, 329f, 332, 333f
  by Specter, 132–138
  storage of, 298
Log Analyzer, for information gathering, in Specter, 132, 132f
Log server
  alerts from, 352
  attacks against, 253
  for data capture
    analysis of, 356–357
    for honeynets, 253, 266, 266f, 273, 363
    for Honeypots, 352–356
    maximizing, 293
  encryption and, 273
Loopback, use of, 202–204
Low-interaction Honeypot
  advantages and disadvantages of, 79
  capabilities of, 74–75, 78–79
  data analysis with, 320–324, 321f, 323f, 324f
  definition of, 74
  due diligence for, 382
  example of, 74–75, 74f, 78–79
  vs. high-interaction Honeypots, 344, 345
  improvement of, future, 393
  logs of, for trend analysis, 324–325
Luckgo, 17
Luckroot, 17–19, 18f
Luckscan, 17
Luckstatdx, 17

M
MAC (modify, access, change), 65, 269
MAC (Media Access Control) identifiers
  composition of, 149–150
  in Ethernet, 149–151
  and IP addresses, association of, 150, 150f
  in ManTrap, 206
  unknown, finding, 151f, 152–153
Maintenance
  alerts in, 310
  data analysis in, 320
  ease of, improving, 389–390
  of high-interaction Honeypots, 82
  of Honeyd, 162–163
  of honeynets, 263–265, 364–365
  of Honeypots, 352–356
  of jails, 188
  by level of interaction, 77, 77f
  of low-interaction Honeypots, 78
  of ManTrap, 213–214
  of medium-interaction Honeypots, 81
  of Specter, 127–128
Management
  of BackOfficer Friendly, 98–99
  ease of, improving, 389–390
  of honeynets, networks for, 362
  of Honeypots, network for, 296–298, 297f, 350–352, 351f
    and number of Honeypots, 286
ManTrap. See also iButton
  activity capture with
    at application level, 220–221
    reviewing, 217–218, 219f
    value of, 198
  advantages and disadvantages of, 227t
  alerts in, 215–218, 216f
  cages in (See ManTrap cages)
  CGM in, 207–208
  complexity of, risk with, 226
  configuration of, 205–211, 208f
  data integrity in, 223
  deployment of, 211–214
  description of, 85
  detection with, value in, 196–197
  file recovery in, 221–222
  file system in, 202–204, 203f
  firewalls for, 225–226
  hardware requirements of, 206
  host system in (See ManTrap host system)
  information gathering in, 214–215
  installation of, 205–211
  jail breaking in, 226–227
  kernel in, 201–202, 214–215
  keystroke capture in, reviewing, 219–220, 220f
  keystroke reply in, 224–225, 224f
  level of interaction of, 193
  limitations of, 194–195, 199–200
  logging in, reviewing, 217–218, 219f
  MAC identifiers in, 206
  operating system requirements of, 194–195, 199, 205–206
  operation of, 200, 200f
  overview of, 193–195
  prevention with, value of, 195–196
  process log in, alerts from, 217–218
  as research Honeypot, 198–199, 278
  for response, 345–346
  response with, 198, 278, 279
  risk with, 225–227
  security testing with, 199
  services in, value of, 197
  sniffers and, 222–223
    alerts from, 217
    value of, 196–197
  vulnerabilities in, 195–196
ManTrap cages. See also Jail(s)
  alerting in, 209–210, 209f
  compromising, 193, 195–196
  configuration of, 207, 208f, 209–210, 209f
  customization of, 207–208, 210–211
  deployment of, 211–212, 212f
  file capture from, 221–222
  file system in, 202–204, 203f, 204f
  flexibility of, 194
  host file system in, 202–204, 203f
  identification of, by attackers, 205, 226
  kernel sharing by, 201–202
  limitations in, 205
  logging in, 209–210, 209f, 214–215
  operation of, 200, 200f, 204–205, 205f
  overview of, 194
ManTrap host system
  building, 206–207
  configuration of, 207, 208f
  customization of, 207
  deployment of, 212–213, 213f
  file system in, 202–204, 203f
  kernel sharing by, 201–202
  operation of, 200, 200f
Mass-rooters, 19, 20f, 232–233, 233f, 234f
MD5 checksum, as data analysis preparation, 337
Media Access Control identifiers. See MAC identifiers
Medium-interaction Honeypot, 80–81, 393
MEECES (Money, Ego, Entertainment, Cause, Entrance), 27
Memory, worms residing in, 38, 173
MICE (Money, Ideology, Compromise, Ego), 27
Microsoft Internet Information Server (IIS), CodeRed and, 19–21
modify, access, change (MAC), 65, 269
Motives, for attacks, 27–29, 69

N
NAT (Network Address Translation), 298–301, 300f, 301f, 349
National Infrastructure Protection Center (NIPC), 39, 181
NETBUS, in Specter, configuration of, 124
netcat utility
  and expected behaviors, 176–177, 179
  for port listening, in attacks, 331
  for port monitoring, 174–177, 175f, 176f, 177f
  for remote connections, 179–180
NetFacade, 37
NetForensics, for data storage, 298
NetSec, 84
netstat command, listening ports identified with
  and BackOfficer Friendly, 94–95, 94f, 105, 105f
  and Specter, 115
Network(s). See also DMZ; Internal network
  analysis of, Ethereal for, 331–332
  attack on, 359, 360f
  diagrams of, notation for, xxii
  under ECPA, 374
  emulation of, 37
  for honeynet management, 362
    for Honeypot management, 296–298, 297f, 350–352, 351f
    for logging, 296–298, 297f, 350–352, 351f
    notation for, 141–142
    privacy on, 371
    virtual, in Honeyd, 162
Network Address Translation (NAT), 298–301, 300f, 301f, 349
Network capture
    and encryption, 272
    for file recovery, 271–272
    in honeynets, 267, 268f, 269–272, 270f
    in ManTrap, 214
Network Flight Recorder, 83
Network Intrusion Detection System. See Intrusion Detection System
Network layer, purpose of, 148f, 149
Network sweeps, covert, 50–51, 50f
Network traffic
    forwarding
        future solutions for, 392
        to Honeyd, 146–147, 147f (See also ARP spoofing)
        with NAT, 301–302, 303f
    monitoring, and encryption, 29–30
Network Voice Protocol, as backdoor, 232–233, 233f, 234f
Nimda worm, 22–24
NIPC (National Infrastructure Protection Center), 39, 181
Nmap, for fingerprinting, 118, 143, 155, 157, 158f

O

Open character, in Specter behavior settings, 121, 122f
Open option, for service emulation, in Honeyd configuration, 160
Open sockets. See Port listeners
OpenSource, definition of, 142
Operating systems
    configuration of, and familiarity, 284
    emulation of
        in Honeyd, 143, 155, 156–157, 156f
        in medium-interaction Honeypot, 80
        in Specter, 111–112, 115–118, 116f, 117f, 120–121, 138
    fingerprinting of
        for data analysis, 332–335, 334f, 335f
        and Honeyd, 155–156
    for Honeypots, 344, 345
        selection of, 280, 283–285, 361
    and ManTrap, 193–195, 199, 205–206
    risk to, 137–138, 181–182
    securing, for risk mitigation, 304, 357
    updating, 338, 365
Outbound traffic. See also Data control
    alerts for, 248–249, 249f
        prioritizing, 312–313, 313f
    allowing, 8
    controlling with routers, 248
    firewall for, 6
    in GenI honeynets, 244–248
    honeynet sensor and, 258–259
    in honeynets, 363–364
    limiting, 245–246, 363–364
    necessity of, 245
    risk of, 225–226, 255

P

Packeting, as motive for attack, 27
Palisade Systems, 391
Passive OS fingerprinting
    for data analysis, 332–335, 334f, 335f
    and Honeyd, 155–156
    in Honeypot appliances, 390
Password(s), failure of, 59
Password files, downloading, 110, 114, 117–118
    configuration for, 125–126
Pen Register/Trap and Trace Statute (Pen/Trap), privacy under, 372, 374–380
Platform. See Operating systems
Political motives, for attacking, 28
POP3
    in BackOfficer Friendly, 94, 98
    in Specter, configuration of, 124
Port forwarding, NAT for, 301–302
Port listeners
    in BackOfficer Friendly, 93–94
    netcat for, in attacks, 331
    in Specter, 113
    for worm capture, selection for, 281–282
Port misconfiguration, 357
Port monitors. See also Homemade Honeypots; netcat utility
    capture with, 172–173, 181
    definition of, 168
    detection with, 170–172, 172f
    emulation capabilities in, 177–181
    vs. jails, 169
    overview of, 169–170
    as research Honeypots, 170, 181
    risk associated with, 181–182
    service emulation in, 180–181
    value of, 170–173
Portscan, in Specter, for information gathering, 136
Prevention. See also Deception; Deterrence
    with BackOfficer Friendly, 91
    definition of, 56
    Honeypots for, 278, 287–288, 287f
    with ManTrap, value of, 195–196
    production Honeypots in, 56–58
Privacy, in Honeypot legal issues, 371–374
Private addressing (RFC 1918), definition of, 298–299
Process log, alerts from, 217–218, 219f
Production Honeypots. See also Detection; Incident response; Prevention
    detection problems addressed by, 61–62
    for DMZ monitoring, 62–63, 63f
    for evidence collection, 66
    field of view of, 64
    Honeyd as, 142
    honeynets as, 231
    incident response in, 66, 67f
    jails as, 184
    location of, 286
    number of, determining, 285
    in prevention, 56–58
    purpose of, 44–45, 55
    vs. research Honeypots, 46
    role of, defining, 278–279
    specialization of, 392–393
    use of, 69
    value of, 278
Production networks
    GenII honeynets in, 257, 258f
    Honeyd deployment on, 163
Production systems
    in honeynets, 229
    and Honeypots, 40, 348
    retiring, as Honeypots, 42, 43f
    spoofed attacks from, 54
Propagation, and multiple vulnerability scans, 22–24
Provos, Niels, 84, 142
Proxying, in Honeyd, 159f, 161–162

R

rain forest puppy, Windows Web Server emulation script by, 161
Random character, in Specter behavior settings, 123
Ranum, Marcus, 38, 83
Recourse, 85
Red Hat Linux, 6, 7f, 12
Remote alerts, in Specter, 113
Remote connections, 179–180, 319, 331
Remote logging, 253, 266
Remote management
    and BackOfficer Friendly, 98–99
    of ManTrap, 213–214, 213f
    of Specter, 127, 128f
Research Honeypots
    advanced blackhats studied with, 395–396
    alerts in, 310
    BackOfficer Friendly as, 91–92
    commercial use of, 394
    in distributed environments, 396–397
    for early warning and detection, 69, 394
    fingerprinting of, 54
    honey cards used in, 395–396
    Honeyd as, 142
    honeynets as, 231–232, 362
    Honeypots for, 278
    jails as, 185–186
    location of, 286, 287f, 290–291
    ManTrap as, 198–199
    number of, determining, 285
    port monitors as, 170, 181
    vs. production Honeypots, 46
    purpose of, 44–46, 68
    response procedure for, 317, 327
    role of, defining, 279
    specialization of, 392–393
    Specter as, 112–113, 134
    trend analysis with, 235
    unknown exploits identified with, 396
    uses of, 69–70
    value of, 278
Reset option, for service emulation, 160
Resolved names, vs. IP addresses, in data capture, 295
Resource exhaustion, Honeypots and, 51–52
Response. See Incident response
Return on investment, in Honeypots, 52–53
Risk
    from auto-rooters, 29
    and BackOfficer Friendly, 102
    with high-interaction Honeypots, 82
    and Honeyd, 165
    with honeynets, 274–275
    with Honeypots, 55
    with Honeypots, mitigating, 302–305, 349–350
    identification of, with BackOfficer Friendly, 92–93
    with jails, 55, 190–191
    and level of interaction, 77, 77f, 281
    with low-interaction Honeypots, 78
    with ManTrap, 225–227
    with medium-interaction Honeypots, 81
    and Specter, 137–138
    updating and, 338
Roesch, Marty, 37
Rootkits, 2, 271
Routers, 248, 294
rpc.statd exploit, 2, 17
RST packets, closing connection with, 98, 99f
Russell, Ryan, 174

S

Salgado, Richard, 370–371
Scanning, 13, 21–22
Screen shots, remote forwarding of, 254
Script(s)
    for attacks, 366
    in Honeyd, 160–161, 161f
    for ManTrap cage customization, 210
Script kiddies, 11–12, 14
Script option, for service emulation, 160
Secure character, in Specter behavior settings, 121
Secure Shell (SSH), 125, 365
Security policy, 70, 316, 368–369
Security testing, with ManTrap, 199
SecurityFocus.com, 174, 366, 394
Sendmail Honeypot, 169
September 11, 2001, hacking after, 28
Service Provider Protection exception, 379–380
Services
    emulation of
        in BackOfficer Friendly, 98, 102
        in Honeyd (See Honeyd, service emulation in)
        with port monitors, 180–181
        in Specter, 110–111, 123–124, 125f
    in ManTrap, value of, 197
    vulnerable, 14, 182–183
SESSION files, for keystroke capture, 329–330, 330f
Short Mail, 129, 130, 130f
Signatures
    in Honeypot detection, 349–350
    in Intrusion Detection Systems gateway, 257, 264
    in jail identification, 190
Silk Rope, for Back Orifice, 89
Simple Mail Transfer Protocol. See SMTP
Smoke Detector Honeypot appliance, 391
SMTP (Simple Mail Transfer Protocol)
    in BackOfficer Friendly, 94, 97
    in Specter, configuration of, 123
SMTP banner, in Specter, for information gathering, 136
Sniffers. See also Snort
    and Honeyd, 164
    with Honeypots, 292, 292f
    Intrusion Detection Systems as, 222–223
    for jails, 189, 189f
    ManTrap and, 196–197, 217, 222–223
    syslog information capture with, 293
Snort. See also Hogwash IDS gateway
    configuration file for, 329, 407–409
    for data capture, 266, 267, 267f
    development of, 37
    as honeynet Intrusion Detection System, 252–253
    with Honeypots, 292, 292f
    for jails, 189, 189f
    keystroke capture with, 329–330, 330f
    log capture of, for data analysis, 327–329, 328f, 329f, 332, 333f
    packet payload from, 329
    timestamping in, 330
Song, Dug, on blackholing, 144–145
Specter
    advantages and disadvantages of, 138t
    alerts in, 113, 126–127, 129–131, 130f, 131f
    vs. BackOfficer Friendly, 110
    behavior setting in, 114–115
    character in, configuration of, 121–123, 122f, 123f
    configuration of, 119, 120f
        for alerts, 126–127
        character in, 121–123, 122f, 123f
        information gathering in, 124–126
        operating system emulation in, 120–121
        password files in, 125–126
        service emulation in, 123–124, 125f
        traps in, 124–125
    customizing, 112, 350
    deception with, 112, 114
    description of, 84
    deterrence with, 112, 114–115
    effectiveness of, optimizing, 348–349
    fingerprinting of, 112, 118–119
    flexibility of, 112
    information gathering with, 112–113, 129, 133–137
        configuration of, 124–126
        risk in using, 136–138
    initialization of, 127
    installation of, 119
    IP stack emulation and, 118–119, 138
    level of interaction of, 110
    operating system emulation in, 111–112, 115–118, 116f, 117f
        configuration of, 120–121
        risk in, 138
    operation of, 115–119
    overview of, 109–112
    password files in, 110, 117–118, 125–126
    port listeners in, 113, 115–118
    prevention with, 278
    remote management of, 127, 128f
    as research Honeypot, 112–113, 132
    risk from using, 137–138
    service emulation in, 110–111, 111f, 123–124, 125f
    system requirements for, 109
    traps in, 111, 124–125
    updating, 339
    value of, 112–115
    vulnerability emulation in, 110, 111f, 114
Spoofing. See specific types
SSH (Secure Shell), 125, 365
State law, consent under, 377
Stoll, Clifford, hacker tracking by, 34–35
strace(1), for jail monitoring, 190
Strange character, in Specter behavior settings, 114, 122
Sub7 Trojan
    and Leaves worms, 38–39, 178–181
    overview of, 178, 179f
    in Specter configuration, 125
SUN-RPC, in Specter configuration, 125
Swatch, for syslog monitoring, 164–165, 352
Syslog/syslogd
    disabling, 253
    in Honeyd, 163–165, 164f
    maximizing, 293
    and sniffers, 293
    in Specter, 135, 135f
System, 6, 14
System, compromised. See Compromised systems
System logs
    data aggregation with, 61
    maintaining, 264
    reviewing, 267, 267f, 356–357, 358
System processes, in ManTrap cages, 204–205, 205f
T

Targets of choice
    deception and deterrence and, 57
    GenI technologies and, 243
    hacking, 25–27
    honeynets as, 262–263
Targets of opportunity. See also Auto-rooters; Worm(s)
    deception and deterrence and, 57
    GenI technologies and, 243
    hacking, steps in, 14–15
TASK, for forensic analysis, 332
TCP/IP protocol suite, layers of, 148–152, 148f
Telnet, 97, 123
Telnet banner, in Specter, 136
Templates, in Honeyd configuration, 158, 159f
Test beds, honeynets as, 238, 364
Testing, for risk mitigation, 305
Time zones, in data capture, 241
Timestamp, in Snort logs, 330
Tiny Honeypot, 169
"To Build a Honeypot," 230
Tracer, for information gathering, 136
Traceroute, for information gathering, 136
Transactional data, under Wiretap Act and Pen/Trap statute, 375
Transport layer, purpose of, 148f, 149
Traps, 111, 124–125
Trend analysis
    alerts archive in, 314–315
    data analysis in, 335
    with honeynets, 235–236
    with low-interaction Honeypot logs, 324–325
Tripwire, for MD5 checksum, 337
truss(1), for jail monitoring, 190
TTY Watcher, for remote data capture, in honeynets, 253–254

U

UDP services, in Honeyd, 143–144
Ullrich, Johannes B., 180–181
Updates, 338–339, 355–356, 365
Uptime, spoofing, in Honeyd, 162
U.S. Constitution, privacy under, 372–374
U.S. Patriot Act, privacy and, 380
User Mode Linux (UML), for virtual honeynets, 262
"Using Chroot Security" (Chuvakin), on jail breaking, 190–191
V

Virtual honeynets, 261–262
Virtual operating systems
    in Honeyd, 143, 155, 156–157, 156f
    in medium-interaction Honeypot, 80
    in Specter, 111–112, 115–118, 116f, 117f, 120–121, 138
VMWare, for virtual honeynets, 262
Vulnerabilities
    attack on, analysis of, 365–366
    emulation of, in Specter, 110, 111f, 114
    identification of, 14
    jails for, 182–183
    in ManTrap, 195–196, 216
    patches for, 25
    scanning for multiple, 22
    updates for, 338–339

W

Whois, in Specter, for information gathering, 136
Wiretap Act (Title III), privacy under, 372, 374–380
Worm(s)
    capture of, 38, 69
        Honeypot selection for, 281, 361
        with netcat, 174–177, 175f, 176f, 177f
        with port monitors, 172–173
    capture statistics for, 13
    for CPU cycle takeover, 28
    definition of, 19
    devastation of, 19–21
    growth in, 38
    mutation of, 29