Analysing malicious traffic

  • 19-07-2010 12:21AM, #1 (original poster)


    Router picks up quite the collection of port scans and DoS attempts, etc. I'm interested in logging it and generating statistics. I was thinking of forwarding all traffic that isn't wanted to a DMZ server with a honeypot or just general statistics running. Obviously I want to make especially sure, if I set this up, that it isn't going to become vulnerable. Wouldn't it be the icon of shame if I actually left something unpatched or set up the firewall wrong and ended up letting people in.

    http://nepenthes.carnivore.it/ Here's something that came up at HOPE this year. I was thinking of setting up something similar. It emulates a vulnerable server and collects data on attacks.

    Anyone have any alternatives as well as advice and experience on the matter?


Comments

  • rfrederick


    There are a couple of tools I can think of, though I haven't actually played with them yet. First is honeyd from the Honeynet Project (http://www.honeynet.org/project). honeyd has rather low interactivity with the malicious traffic that it captures. The Honeynet Project also offers a number of highly interactive honeypot offerings as well, such as Honeywall. Another is Damn Vulnerable Linux (http://damnvulnerablelinux.org), a live CD Slackware-based distro that offers vulnerable and misconfigured versions of common *nix services (Apache, Tomcat, MySQL, etc.). It's primarily intended as a teaching tool for vulnerability exploitation and analysis, but sometime this week a honeypot module will be added on that logs malicious traffic to a remote server (while hiding the fact) and can dynamically escalate privileges as much as the user desires when malicious activity is detected.


  • Gavin


    With respect to setting up the honeypot, it should be fairly straightforward to set up the firewalling and DMZ. Run it in a VM; run your packet sniffer on a separate machine preferably, or on the host OS. If using Linux, log syslog data to a remote machine, or, if you want to go totally nuts, log it to a line printer for the ultimate in paper wastage and reliable records.

    Depending on the size of your Internet connection, you'll pick up a large amount of data. It can be difficult to make sense of gigs of network traffic. Something like Snort or Bro might be handy tools to help in the analysis/statistic generation.

    I'd also be interested in any other analysis tools/ideas people have.
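As an added example (not code from this thread, and not part of nepenthes, honeyd, Snort or Bro), here is a Python script that does the "logging and generating statistics" part the original post asks for and the statistic generation Gavin mentions, working from the lines an iptables LOG rule writes to syslog on a Linux router (the same lines arrive unchanged on a remote syslog host). Everything in the sample data is constructed for the example: the hostname `gw`, the log prefix `FW-DROP`, the addresses, the year (syslog timestamps carry none) and the thresholds are assumptions, not values from the thread.

```python
"""Summarise firewall log lines: top talkers, top ports, likely port scans
and single-port hammering (brute force / DoS style).

Input format is what the iptables LOG target produces in the kernel log:
  Jul 19 00:21:00 gw kernel: [4711.001] FW-DROP: IN=eth0 OUT= ... SRC=a.b.c.d ... PROTO=TCP SPT=n DPT=m ...
The sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2010  # assumed: syslog timestamps have no year, so one is supplied here

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ kernel: (?:\[\s*[\d.]+\] )?"
    r"(?P<prefix>[^:]*): (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; the value may be empty (OUT=)


def parse_line(line, year=YEAR):
    """Return a dict for one iptables LOG line, or None for anything else (e.g. sshd lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "prefix": m.group("prefix"),
        "src": fields["SRC"],
        "dst": fields.get("DST"),
        "proto": fields["PROTO"],
        "dport": int(fields["DPT"]) if "DPT" in fields else None,  # ICMP has no DPT
    }


def summarise(lines, year=YEAR):
    """Per-source and per-port counters over all parseable lines."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "first": None, "last": None})
    per_port = defaultdict(int)
    for e in events:
        s = per_src[e["src"]]
        s["packets"] += 1
        if e["dport"] is not None:
            s["ports"].add(e["dport"])
            per_port[(e["proto"], e["dport"])] += 1
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    return events, per_src, per_port


def find_port_scans(events, min_ports=10, window_s=60):
    """Sources touching >= min_ports distinct destination ports inside any window_s-second window."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] is not None:
            by_src[e["src"]].append((e["ts"], e["dport"]))
    scans = {}
    for src, hits in by_src.items():
        hits.sort()
        lo, best = 0, 0
        for hi in range(len(hits)):  # sliding window over time-ordered hits
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_s:
                lo += 1
            best = max(best, len({p for _, p in hits[lo:hi + 1]}))
        if best >= min_ports:
            scans[src] = best
    return scans


def find_hammering(events, min_hits=20):
    """(src, proto, dport) triples hit at least min_hits times: password guessing or flooding, not scanning."""
    counts = defaultdict(int)
    for e in events:
        if e["dport"] is not None:
            counts[(e["src"], e["proto"], e["dport"])] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}


def report(lines, year=YEAR, top_n=10):
    events, per_src, per_port = summarise(lines, year)
    top_src = sorted(per_src.items(), key=lambda kv: kv[1]["packets"], reverse=True)[:top_n]
    top_ports = sorted(per_port.items(), key=lambda kv: kv[1], reverse=True)[:top_n]
    return {
        "events": len(events),
        "top_sources": [(s, d["packets"], len(d["ports"])) for s, d in top_src],
        "top_ports": top_ports,
        "port_scans": find_port_scans(events),
        "hammering": find_hammering(events),
    }


def _fw_line(ts, src, dport, proto="TCP", prefix="FW-DROP"):
    """Build one constructed iptables LOG line for the sample set (assumed host gw, prefix FW-DROP)."""
    extra = " WINDOW=1024 RES=0x00 SYN URGP=0" if proto == "TCP" else " LEN=28"
    return (f"Jul 19 {ts} gw kernel: [4711.001] {prefix}: IN=eth0 OUT= "
            f"MAC=00:16:3e:00:00:01:00:50:56:00:00:02:08:00 SRC={src} DST=198.51.100.2 "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54321 PROTO={proto} SPT=43210 DPT={dport}{extra}")


SAMPLE_LOG = (
    # 203.0.113.5 sweeps 12 ports in 12 seconds: a port scan
    [_fw_line(f"00:21:{s:02d}", "203.0.113.5", p)
     for s, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389])]
    # 198.51.100.77 hits SSH 25 times over five minutes: hammering one port, not a scan
    + [_fw_line(f"00:3{m}:{s:02d}", "198.51.100.77", 22) for m in range(5) for s in range(0, 60, 12)]
    # one stray UDP probe (no TCP flags), and a non-firewall line the parser must skip
    + [_fw_line("00:40:00", "192.0.2.9", 1433, proto="UDP")]
    + ["Jul 19 00:41:00 gw sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2"]
)

if __name__ == "__main__":
    for k, v in report(SAMPLE_LOG).items():
        print(k, v)
```

For real data, pass an open file instead of `SAMPLE_LOG` (`report(open("/var/log/kern.log"))`); only lines with `kernel:` and `SRC=`/`PROTO=` fields are counted, so mixed syslog files are fine. The thresholds (10 distinct ports in 60 seconds, 20 hits on one port) are guesses to tune against your own baseline, and the per-source window check is quadratic in the worst case, so for the "gigs of data" Gavin mentions you would run it per day or per source rather than over a whole archive at once.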


  • JimmyCrackCorn


    I ran it for a month about a year or so ago.

    You'll be surprised how much malware makes an attempt on a public IP address.

    A good experiment, as I wanted to reverse engineer a little (had a little too much time on my hands).

    Found it easy to get running.


  • hmmm


    I would avoid the honeypot & set up a Snort system instead. Obviously a network tap would be preferred but there is some good info out there as to how to make the system as invisible as possible.

