Jan - June 2008 | Graphs
1.0 DEPLOYMENTS
1.1 Current technologies deployed.
Describe anything that you have deployed that is collecting information, including honeynets, client honeypots, honeyd, mwcollect, or anything else honeypot related.
Lebahnet currently has the following components:
- Roo and Nfsen for collecting traffic in and out of the honeynet
- Sguil for managing the IDS alerts
- VMware running different instances of operating systems
- Multiple deployments of Nepenthes and Amun for collecting malware; at least 3 Nepenthes sensors are submitting to the mwcollect alliance and the usual sandboxes (Norman, Anubis, Sunbelt)
- Honeyd
- HIHAT for observing attack trends against web applications
2.0 FINDINGS
2.1 Highlight any unique findings, attacks, tools, or methods.
- Malware collection from Nepenthes continues to grow. From January to August 2008 the total number of unique binaries acquired via our Nepenthes sensors was more than 15,000. Most of the Nepenthes sensors are configured to submit the binaries to Norman Sandbox, Anubis, Sunbelt and a few other partners. We are particularly interested in looking at samples that are unique to .MY.
- We treat attempts against our honeypots as incidents and report them to the respective CERTs, ISPs and relevant parties via MyCERT.
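The unique-binary figure above depends on deduplicating what several sensors submit, since the same binary is typically captured by more than one sensor. The following is an added Python example of that bookkeeping, not Lebahnet's own tooling: it hashes each captured payload with SHA-256, counts distinct hashes across all sensors, records which sensor saw a hash first, and lists hashes seen by only one sensor as candidates for closer analysis. The sensor names and payload bytes are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample submissions: (sensor_id, raw bytes of the captured binary).
# A real sensor writes captured binaries to disk; these payloads are made-up
# byte strings so the script runs offline. Sensor names are hypothetical.
SUBMISSIONS = [
    ("my-sensor-01", b"MZ\x90\x00sample-A"),
    ("my-sensor-02", b"MZ\x90\x00sample-A"),  # same binary seen by a second sensor
    ("my-sensor-02", b"MZ\x90\x00sample-B"),
    ("my-sensor-03", b"MZ\x90\x00sample-C"),
    ("my-sensor-03", b"MZ\x90\x00sample-A"),  # and by a third
    ("my-sensor-01", b"MZ\x90\x00sample-D"),
]


def sha256_hex(data):
    """Content identity for a captured binary."""
    return hashlib.sha256(data).hexdigest()


def dedupe_submissions(submissions):
    """Return {sha256: {"first_seen_by": sensor, "sensors": set, "hits": int}}.

    Submissions are processed in order, so first_seen_by is the sensor that
    delivered the binary first in the input sequence.
    """
    index = {}
    for sensor, blob in submissions:
        h = sha256_hex(blob)
        entry = index.setdefault(h, {"first_seen_by": sensor, "sensors": set(), "hits": 0})
        entry["sensors"].add(sensor)
        entry["hits"] += 1
    return index


def unique_binary_count(submissions):
    """Number of distinct binaries across all sensors (the '15,000' style figure)."""
    return len(dedupe_submissions(submissions))


def single_sensor_samples(submissions):
    """Hashes observed by exactly one sensor; worth a closer look before submitting."""
    index = dedupe_submissions(submissions)
    return sorted(h for h, e in index.items() if len(e["sensors"]) == 1)


def per_sensor_unique_counts(submissions):
    """Distinct binaries per sensor, useful for spotting a sensor that stopped collecting."""
    seen = defaultdict(set)
    for sensor, blob in submissions:
        seen[sensor].add(sha256_hex(blob))
    return {sensor: len(hashes) for sensor, hashes in seen.items()}


if __name__ == "__main__":
    index = dedupe_submissions(SUBMISSIONS)
    print("unique binaries:", len(index))
    for h, e in index.items():
        print(h[:12], "first seen by", e["first_seen_by"], "sensors:", sorted(e["sensors"]))
    print("seen by one sensor only:", [h[:12] for h in single_sensor_samples(SUBMISSIONS)])
    print("per sensor:", per_sensor_unique_counts(SUBMISSIONS))
```

Counting by content hash undercounts nothing but can overcount: a family that re-packs itself on every download yields a new hash each time, so a rising unique-binary figure may reflect polymorphism rather than more distinct malware, which is one reason sandbox submission of the samples matters alongside the raw count.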
2.2 Any trends seen in the past six months?
The relevant trends targeting our Nepenthes sensors are available here:
3.0 LESSONS LEARNED
3.1 What new positive things can you share with the community, so they can replicate your success?
Certain tools are not suitable for distributed deployment even after tweaking. We basically learned that getting software to work in a large and distributed manner requires a lot of patience and, of course, time. Hanging out and asking questions in the right IRC channel on Freenode certainly helps.
3.2 What new mistakes can you share with the community, so they don't make the same mistakes?
None at this point.
3.3 Are there any research ideas you would like to see developed?
None at this point.
4.0 TECHNOLOGY
4.1 What tools or functionality are we lacking, what do we need to work on?
Roo might be more useful if it could be deployed in a distributed architecture out of the box. However, we managed to ask around for custom scripts.
4.2 What new tools or technology are you working on?
Nothing specific; we are currently hacking together solutions for processing the data gathered so that it can be used or presented better.
4.3 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
5.0 PAPERS AND PRESENTATIONS
5.1 Are you working on any papers to be published, such as KYE or academic papers?
None at the moment.
5.2 Are you looking for any data or people to help with your papers?
No.
5.3 Where did you publish/present honeypot-related material?
- We shared some information on this project at the FIRST NM-SIG meeting at GovCERT.NL last year (2007).
- We conducted some hands-on training/workshops on some of the tools we use, such as Nepenthes (FIRST-TC in Doha 2007), Honeywall (FIRST-TC KL in 2007) and Sguil at the FIRST Technical Colloquium in Tokyo (2008) and the Asia Pacific CERT Conference in Hong Kong (2008).
6.0 ORGANIZATIONAL
6.1 Changes in the structure of your organization.
None
6.2 Your feedback on Alliance activities.
6.3 Any suggestions for improving the Alliance?
7.0 GOALS
7.1 Which of your goals did you meet for the last six months?
Honeynet infrastructure expanded according to our plan for the first 6 months.
7.2 Which of your goals did you not meet for the last six months?
None
7.3 Goals for the next six months
- Replacing stand-alone Nepenthes deployments with SURF-IDS
- Starting work on reporting and visualization of honeynet data
- More automation in terms of visualization of the data acquired and integration with our incident management tools
8.0 MISC ACTIVITIES
8.1 Anything else not covered you would like to share.
None