Working with Honeypots and Honeynets
Problem
You want to use Snort with your honeypot or honeynet.
Solution
What are honeypots and honeynets? Why would you run one?
A honeypot is "a system whose value is being probed, attacked, or compromised" (project.honeynet.org). The Honeynet Project is a group of individuals who study honeynets from around the world. Different organizations have different uses for honeynet datafrom research and tactics in the case of the Honeynet Project to nabbing criminals, as is the case with some law enforcement and government agencies. A honeynet is a group or network of honeypots, which are usually either actual machines or virtual hosts, such as with a tool such as VMware. For the purpose of this discussion, most organizations use honeypots or honeynets only for research such as studying attackers' tactics. If your organization employs legal honeypots (nets), your corporate legal department should be consulted with first.
There are three great uses for Snort when it comes to honeypots and honeynets:
- Use Snort as a simple sniffer or packet logger to monitor attacker activity.
- Use Snort as a network IDS to log and alert on attacker activity.
- Use Snort Inline as an IPS to control outgoing packets from a honeypot/honeynet and nullify attacker attempts.
Discussion
Snort is great for recording all traffic entering and exiting your honeypot or honeynet. The simplest way to use it is in passive mode via a switch span port or a network tap. This allows Snort to stealthily capture any attacker activity. In this scenario, you can use Snort in any of its three modes, depending on your needs: packet sniffer, packet logger, or NIDS. A newer approach to integrating Snort with honeynets is with Snort Inline. Snort Inline sits between network segments and acts as a layer 2 bridge, passing traffic between interfaces. Once again, Snort is stealthy in this mode because it does not have an IP address and does not add a hop in the network, making it virtually undetectable. Snort Inline also provides intrusion prevention system (IPS) technology. This can mitigate or nullify attacks as they occur, without the attacker's knowledge. It runs on a Linux system and uses iptables packet queuing to collect and make decisions about packets as they traverse the system's interfaces. Using Snort on a production network, as an IPS allows you to block attacks or replace the content in them to nullify the attack. Using Snort Inline's additional rule actions does this:
drop
Drops the packet using Iptables and logs via Snort
reject
Drops the packet using Iptables and logs to syslog, then the communication is closed by either TCP RST for TCP sessions or an ICMP port-unreachable message for UDP
sdrop
Drops the packet using Iptables but does not log itreplace
replace
The rule language reference with the ability to replace hostile text with the same size harmless text in payload when running Snort inline
Snort Inline can be used to control outgoing packets from a honeypot or honeynet. If a honeypot is compromised by a worm or similar attack, Snort Inline can use its new rule keywords to keep the worm from propagating outside of the network. It can also keep an attacker from using a compromised honeypot to attack other systems outside the network. Even more beneficial is the replace keyword. By replacing the content of the attack as it traverses the network, the attacker will not know why the attack isn't working, giving the IDS team more time to analyze attacker behavior and techniques. Since all Snort Inline actions are logged, this gives the team an abundance of valuable information for analysis, including types of attacks, attack tools, and attacker skill sets.
The following is an example of a Snort Inline rule to drop packets:
drop tcp $HOME_NET any $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)
The following is an example of a Snort Inline rule to change packet contents:
alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
The Honeynet Project has been using Snort Inline extensively and has incorporated it into their Honeywall CD-ROM. Some of the Snort Inline functionality also has been incorporated into the Snort 2.3 release; however, it continues to refer to the Snort Inline project for the latest features and advancements. When working with honeypots and honeynets, always remember to consult your organization's legal department and get permission first!
See Also
http://project.honeynet.org
http://snort-inline.sourceforge.net/
Performing Forensics Using Snort |
Installing Snort from Source on Unix
- Installing Snort from Source on Unix
- Installing Snort Binaries on Linux
- Installing Snort on Solaris
- Installing Snort on Windows
- Uninstalling Snort from Windows
- Installing Snort on Mac OS X
- Uninstalling Snort from Linux
- Upgrading Snort on Linux
- Monitoring Multiple Network Interfaces
- Invisibly Tapping a Hub
- Invisibly Sniffing Between Two Network Points
- Invisibly Sniffing 100 MB Ethernet
- Sniffing Gigabit Ethernet
- Tapping a Wireless Network
- Positioning Your IDS Sensors
- Capturing and Viewing Packets
- Logging Packets That Snort Captures
- Running Snort to Detect Intrusions
- Reading a Saved Capture File
- Running Snort as a Linux Daemon
- Running Snort as a Windows Service
- Capturing Without Putting the Interface into Promiscuous Mode
- Reloading Snort Settings
- Debugging Snort Rules
- Building a Distributed IDS (Plain Text)
- Building a Distributed IDS (Encrypted)
Logging to a File Quickly
- Logging to a File Quickly
- Logging Only Alerts
- Logging to a CSV File
- Logging to a Specific File
- Logging to Multiple Locations
- Logging in Binary
- Viewing Traffic While Logging
- Logging Application Data
- Logging to the Windows Event Viewer
- Logging Alerts to a Database
- Installing and Configuring MySQL
- Configuring MySQL for Snort
- Using PostgreSQL with Snort and ACID
- Logging in PCAP Format (TCPDump)
- Logging to Email
- Logging to a Pager or Cell Phone
- Optimizing Logging
- Reading Unified Logged Data
- Generating Real-Time Alerts
- Ignoring Some Alerts
- Logging to System Logfiles
- Fast Logging
- Logging to a Unix Socket
- Not Logging
- Prioritizing Alerts
- Capturing Traffic from a Specific TCP Session
- Killing a Specific Session
How to Build Rules
- How to Build Rules
- Keeping the Rules Up to Date
- Basic Rules You Shouldnt Leave Home Without
- Dynamic Rules
- Detecting Binary Content
- Detecting Malware
- Detecting Viruses
- Detecting IM
- Detecting P2P
- Detecting IDS Evasion
- Countermeasures from Rules
- Testing Rules
- Optimizing Rules
- Blocking Attacks in Real Time
- Suppressing Rules
- Thresholding Alerts
- Excluding from Logging
- Carrying Out Statistical Analysis
Detecting Stateless Attacks and Stream Reassembly
- Detecting Stateless Attacks and Stream Reassembly
- Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
- Detecting and Normalizing HTTP Traffic
- Decoding Application Traffic
- Detecting Port Scans and Talkative Hosts
- Getting Performance Metrics
- Experimental Preprocessors
- Writing Your Own Preprocessor
Managing Snort Sensors
- Managing Snort Sensors
- Installing and Configuring IDScenter
- Installing and Configuring SnortCenter
- Installing and Configuring Snortsnarf
- Running Snortsnarf Automatically
- Installing and Configuring ACID
- Securing ACID
- Installing and Configuring Swatch
- Installing and Configuring Barnyard
- Administering Snort with IDS Policy Manager
- Integrating Snort with Webmin
- Administering Snort with HenWen
- Newbies Playing with Snort Using EagleX
Generating Statistical Output from Snort Logs
- Generating Statistical Output from Snort Logs
- Generating Statistical Output from Snort Databases
- Performing Real-Time Data Analysis
- Generating Text-Based Log Analysis
- Creating HTML Log Analysis Output
- Tools for Testing Signatures
- Analyzing and Graphing Logs
- Analyzing Sniffed (Pcap) Traffic
- Writing Output Plug-ins
Monitoring Network Performance
- Monitoring Network Performance
- Logging Application Traffic
- Recognizing HTTP Traffic on Unusual Ports
- Creating a Reactive IDS
- Monitoring a Network Using Policy-Based IDS
- Port Knocking
- Obfuscating IP Addresses
- Passive OS Fingerprinting
- Working with Honeypots and Honeynets
- Performing Forensics Using Snort
- Snort and Investigations
- Snort as Legal Evidence in the U.S.
- Snort as Evidence in the U.K.
- Snort as a Virus Detection Tool
- Staying Legal
Index
EAN: 2147483647
Pages: 167
