Jan Gerrit Göbel - Advanced Honeynet Based Intrusion Detection

Published by: White909 on Dec 01, 2011
Copyright:Attribution Non-commercial







Nepenthes is a flexible, modular, low-interaction honeypot capable of collecting
malware in an automated manner. New vulnerability modules can easily be written and
integrated to keep up with the fast-changing spreading mechanisms of today's network
worms, as we showed with the implementation of the vuln-exchangepop3 module. In
addition to identifying hostile hosts, Nepenthes downloads the malicious software for
further analysis by utilities such as the CWSandbox. For this reason, we also implemented
the NepVirus script, which regularly scans the collected binaries for known types of
malware using three common anti-virus applications: AntiVir, BitDefender and
Clam AntiVirus. Additionally, we developed a simple web interface to browse through
the collected data and the analysis reports. The statistical information generated in
this way can be used to determine new trends in computer crime.

With the help of the log-blastomat module, we were able to integrate Nepenthes as an
intrusion detection sensor into the distributed Blast-o-Mat system, thereby providing
an efficient and accurate detector for infected hosts within the campus network
of RWTH Aachen University. During the diploma thesis, we deployed three
different Nepenthes sensors: two of them captured external data from the Internet, and
the third, as part of the Blast-o-Mat notification and handling system, collected
data from internal hosts belonging to the RWTH network. With over 16,000 IP addresses
divided among the three sensors, we were able to collect about 5,000 unique binaries
within the past six months. During the four months of actively monitoring infected hosts
with the new Blast-o-Mat system, the Nepenthes sensor successfully detected over fifty
contaminated machines. We can therefore conclude from the results that low-interaction
honeypots such as Nepenthes are a great enhancement to any standard intrusion
detection mechanism.

Besides the standard vulnerability modules, we also presented the vuln-logssh and
vuln-smtp modules. The first is used to collect all kinds of login and password
combinations provided by the increasing number of SSH brute-force attacks we monitored
during the last months. The latter is an attempt to utilise Nepenthes in the area of spam
detection by emulating an open mail relay. Both modules supplied interesting results
for further research. Especially in the area of password allocation, a Nepenthes system
with the vuln-logssh module installed can greatly increase security by eliminating the use
of weak passwords.
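One way to put the harvested SSH credentials to the use described above, as an added example that is not code from the thesis or from Nepenthes: build a password denylist from the logged guesses and check proposed passwords against it. The log layout, the sample lines and all function names are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample lines; the "timestamp source-ip user:password" layout is
# an assumption for this example, not the vuln-logssh module's real format.
SAMPLE_LOG = """\
2006-03-01T02:14:07 203.0.113.5 root:123456
2006-03-01T02:14:09 203.0.113.5 root:password
2006-03-01T02:14:11 203.0.113.5 admin:admin
2006-03-02T11:40:52 198.51.100.23 root:123456
2006-03-02T11:40:55 198.51.100.23 test:test
2006-03-03T19:05:31 192.0.2.77 oracle:Password
2006-03-03T19:05:33 192.0.2.77 guest:a:b
2006-03-03T19:05:35 garbled line without credentials
"""


def parse_attempts(log_text):
    """Yield (source_ip, user, password) for every well-formed line."""
    for line in log_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) != 3 or ":" not in fields[2]:
            continue  # skip truncated or malformed entries
        # Split on the first colon only: a password may contain ':' itself.
        user, password = fields[2].split(":", 1)
        yield fields[1], user, password


def build_denylist(attempts, min_sources=2):
    """Return passwords tried by at least `min_sources` distinct source IPs.

    Counting sources rather than raw attempts keeps one noisy scanner from
    dominating the list. Passwords are case-folded so that case variants of
    a guessed password are rejected as well.
    """
    sources = defaultdict(set)
    for ip, _user, password in attempts:
        sources[password.casefold()].add(ip)
    return {pw for pw, ips in sources.items() if len(ips) >= min_sources}


def is_rejected(candidate, denylist):
    """True if a proposed new password matches a harvested guess."""
    return candidate.casefold() in denylist


if __name__ == "__main__":
    denylist = build_denylist(parse_attempts(SAMPLE_LOG))
    for proposal in ("PASSWORD", "correct horse battery staple"):
        print(proposal, "->", "rejected" if is_rejected(proposal, denylist) else "ok")
```

Lowering `min_sources` to 1 denies every password the sensor has ever seen, which is stricter but lets a single scanner's wordlist fill the denylist.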


Chapter 5.
