SafeBack software
website address, 308
SANS
website address, 318
Sbk_extract tool
for collecting Sebek packets for analysis, 278
Sbk_ks_log.pl
Perl script for displaying attacker keystrokes on the screen, 278
Sbk_upload.pl
Perl script that uploads Sebek packets for advance analysis, 278
scanning scripts
use of in blended attacks, 31
scenarios
for sim standard server listener ports, 201
script files
steps for downloading for Honeyd, 146
script languages
common, 168–170
scripts. See Honeyd service scripts; service scripts
\scripts folder
Honeyd Windows version default scripts in, 172
Search or Find Files and Folder Windows feature
using to find files modified since a certain date, 312
Sebek
monitoring tool for Windows honeypots, 277
website address, 23, 277
Sebek server
tools that make up, 278
Secure Hash Signature Generator
website address, 312
SecurIT Informatique Inc. utilities
example of several monitoring system processes, 282
for honeypot or IDS data collection, 281–282
others available, 282
website address, 281
SecurIT Intrusion Detection Kit
components of, 282
security
automating, 119–120
using honeypots to improve, 10
Security Assertion Markup Language (SAML)
website address, 291
security audit files
events of interest in, 292–293
security event logging
of data captured from honeypot monitoring systems, 284–285
importance of for honeypots, 285–286
useful information extraction from, 294
Security Event Management. See SEM (Security Event Management)
security event manager
Activeworx Security Center (ASC) as, 293–294
Security Incident Management. See SIM (Security Incident Management)
security logs
noise on, 6
security monitoring tools
as protection for monitoring communications, 284
security patches. See Microsoft patches
security roll-ups, 101
security updates or hot fixes, 101
SecurityProfiling, Inc.
website address, 121
sed
website address for downloading Windows version, 188
SEM (Security Event Management)
vendors, 294
Sendmail utility
function of, 283
setting up a spam tarpit with, 215
website address, 215
sequence number field
in TCP, 233
server ports
list of common complex Exchange Server, 71–72
list of common IIS, 69
list of common simple Exchange Server, 71
list of common SQL Server, 70
list of generic, 68–69
SERVER variable
using in Snort, 258
ServerSentry utility
website address, 299
service accounts
configuring to protect your honeypot, 115–117
service pack patches, 101
service scripts
See also Honeyd service scripts
adding to Honeyd templates, 159
in Honeyd, 167–188
session layer
in OSI model, 229
SET command
for associating a template with a personality, 157
SFind utility
for listing NTFS alternate data streams and their access times, 313
SHA-160 Hash utility
function of, 283
shareware
defined, 122
shell command language
using for Honeyd service scripts, 168
website address for information about, 168
Showacls.exe utility
for checking permissions, 314
ShoWin utility
function of, 281
SIM (Security Incident Management) vendors, 294
sim banner servers
in KFSensor honeypot, 199–200
list of banner parameters, 200
sim (simulated) servers
in KFSensor honeypot, 198–208
sim standard servers
emulated services included with, 201
in KFSensor honeypot, 200–201
simple ports
defined, 131–132
Simple TCP/IP services
provided in a TCP/IP add-on component, 78
slack space
storage of malicious code in by hackers, 345
Slammer worm
website address, 303
Small Is Beautiful (SIB) assembly language starter kit
by Steve Gibson, 353
SMB protocol
as workhorse of NetBIOS, 73
SMTP sim standard server
example of screen, 204
SMTP tarpit
Jackson tarpit as, 215
smtp.sh script
website address, 180
Smurf amplification
use of ICMP by hackers for, 237
Smurf attacks
website address for information about, 237
snapshot software. See integrity checkers (snapshot software)
snapshot utilities
website addresses for free, 23
sniffers
availability of, 224
benefits of using in a honeypot environment, 223–225
vs. IDSs, 223–224
sniffers and IDSs
how they complement each other, 226
where to place them, 226
Snort
benefits of using in a honeypot environment, 225–226
binary log file, 256
command for fastest performance, 255
configuring, 252–268
configuring the configuration file, 257–264
creating a Snort.bat file, 267
deciding what you want it to do, 253–256
default variables list, 257
defining variables in, 257
directories and their functions, 252
example of alert file, 262
example of rules from Snort’s Web-IIS.rules rule set, 262
exiting to finish with a packet statistics screen, 255
in full packet capture mode, 255
function of, 250–268
installing, 252
list of some preprocessors, 259
packet pathway, 251
sample configuration file, 265–267
steps for configuring the first time, 252
steps for installing, 146–147
syntax for configuring preprocessors, 260
understanding how it works, 250–251
website address for community support, 250
website address for downloading, 146
website address for downloading GUI-based installers and management tools for, 268
Snort configuration file
configuring, 257–264
sample of, 265–267
testing, 267
Snort GUI IDScenter configuration console
from Engage Security, 296
Snort network IDS mode
putting Snort into, 256
Snort output plug-ins
function of, 264
Snort packet dump mode
command-line switches, 253–254
fields captured on TCP packets, 254
Snort point-and-click
using, 268
Snort rules
function of, 260
syntax fields list, 262
syntax for typical, 260
Snort rule sets
list of default, 263
Snort.bat file
creating, 267
Snort-inline
website address, 52
software
restricting unauthorized execution of on honeypots, 106–117
software interrupts. See BIOS interrupt routines
Software Restriction Policies (SRP)
for preventing unauthorized software execution, 107
software solutions
for hiding honeynet monitoring devices, 42–43
Software Update Services (SUS). See Microsoft Software Update Services (SUS)
SONET backbone
function of, 224–225
spam malware
effect on open relays, 207
spam tarpits
setting up, 215
spammers
how they work and the damage they do, 206–207
using Jackpot tarpit to slow down and frustrate, 9
SPECTER honeypot
characters available for each emulated OS, 193
function of, 192–195
installing and setting up, 193–194
Log Analyzer tool, 195
logging and alerting with, 194–195
main Control screen, 194
on-screen log, 195
traps and services, 192
website address, 192
SpinRite
for recovering damaged hard drive data, 339
Spitzner, Lance
Honeypots book by, 21
Know Your Enemy honeypot book by, 8
SPORT
memory variable useful in scripts, 171
SpyAgent software
for checking for IM services hacker activity, 317
spying programs
website addresses for, 317
SQL Server ports
list of common, 70
SQL Slammer worm
defenses against, 10
detection of, 7
function of, 30
SRP. See Software Restriction Policies (SRP)
Ssed program
for extracting text, 318
using, 188
SSH programs
for protecting monitoring communications, 284
SSH test script, 172–173
stack
popping and pushing of information to, 348
Startup type settings. See Windows Services Startup type settings
static linking
defined, 342
STDERR (standard unbuffered output stream for writing errors)
in Honeyd, 171
STDIN (standard input stream)
in Honeyd, 170
STDOUT (standard buffered output stream)
in Honeyd, 170
stealth mechanisms
used by malware to hide infection, 358
sticky honeypots
preventing malicious activity with, 9
Stoll, Clifford
The Cuckoo’s Egg by, 20
STOP error
creating intentionally, 305–306
stream4 preprocessor
in Snort, 259
string analysis
performing on packets, 311
Strings.exe program
example revealing text strings in a malicious file, 350
searching for ASCII text with, 350
website address, 311, 350
SubSeven emulation service
used by PatriotBox honeypot, 212
SuperDIR
website address, 312
switches. See Ethernet switches
Symantec’s Norton Ghost
for making copies of a hard drive, 306
using to restore honeypots, 16
Symantec’s Norton System Utilities
disk editor program, 314
SYN (Synchronization) flag
in TCP, 234
SYN flood DoS attack
use of by hackers, 235
Sysdiff
website address, 23, 272
Sysinternal PsTools utilities
list and functions of, 280
Sysinternal utilities, 278–280
website address, 278
Sysinternal’s AccessEnum utility
for listing who has permissions to files, Registry keys, and folders, 314
Sysinternal’s Hex2dec
using as hexadecimal-to-decimal converter, 318
Sysinternal’s Hostname utility
for resolving an IP address to a domain name, 311
Sysinternal’s PendMove utility
checking for OS pending file changes with, 319
Sysinternal’s Stream program
for listing any hidden NTFS streams by file or directory, 313
Sysinternal’s Strings.exe program
for performing string analysis on network packets, 311
Sysinternal’s Strings utility
for searching for ASCII and Unicode strings, 318
Sysinternal’s TCPView utility
website address, 276
Syslog (system log daemon)
for collecting log files, 289–290
system network devices
for honeypots, 41–54
system variables
setting for Honeyd templates, 160