
Analysing malicious traffic

  • 19-07-2010 12:21AM
    #1
    Registered Users, Registered Users 2 Posts: 1,190 ✭✭✭


    The router picks up quite the collection of port scans and DoS attempts etc. I'm interested in logging it and generating statistics. I was thinking of forwarding all traffic that isn't wanted to a DMZ server with a honeypot, or just general statistics, running. Obviously I want to make especially sure, if I set this up, that it isn't going to become vulnerable. Wouldn't it be the icon of shame if I actually left something unpatched or set up the firewall wrong and ended up letting people in.

    http://nepenthes.carnivore.it/ Here's something that came up at HOPE this year. I was thinking of setting up something similar. It emulates a vulnerable server and collects data on attacks.

    Anyone have any alternatives as well as advice and experience on the matter?


Comments

  • Registered Users, Registered Users 2 Posts: 85 ✭✭rfrederick


    There are a couple of tools I can think of, though I haven't actually played with them yet. First is honeyd from the Honeynet Project (http://www.honeynet.org/project). honeyd has rather low interactivity with the malicious traffic that it captures. The Honeynet Project also offers a number of highly interactive honeypot offerings, such as Honeywall. Another is Damn Vulnerable Linux (http://damnvulnerablelinux.org), a live CD Slackware-based distro that offers vulnerable and misconfigured versions of common *nix services (Apache, Tomcat, MySQL, etc.). It's primarily intended as a teaching tool for vulnerability exploitation and analysis, but sometime this week a honeypot module will be added that logs malicious traffic to a remote server (while hiding the fact) and can dynamically escalate privileges as much as the user desires when malicious activity is detected.


  • Registered Users, Registered Users 2 Posts: 4,660 ✭✭✭Gavin


    With respect to setting up the honeypot, it should be fairly straightforward to set up the firewalling and DMZ. Run it in a VM, and run your packet sniffer on a separate machine preferably, or on the host OS. If using Linux, log syslog data to a remote machine, or if you want to go totally nuts, log it to a line printer for the ultimate in paper wastage and reliable records.

    Depending on the size of your Internet connection, you'll pick up a large amount of data. It can be difficult to make sense of gigs of network traffic. Something like Snort or Bro might be handy tools to help in the analysis/statistic generation.

    I'd also be interested in any other analysis tools/ideas people have.
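The statistics the original poster is after, and the sort of analysis Gavin points at Snort or Bro for, can start from the router's own drop log. The following is an added example written for this thread, not code from any poster or from the Honeynet, Snort or Bro projects: it parses netfilter LOG lines as syslog records them, flags any source that touches several distinct destination ports inside a sliding 60-second window, and tallies the most-hit ports. The log lines are constructed, the `FW-DROP:` prefix stands in for whatever `--log-prefix` the LOG rule uses, and the year 2010 is assumed because syslog timestamps carry none.

```python
"""Turn netfilter LOG lines (what a Linux router writes to syslog for
dropped packets) into port-scan alerts and per-port statistics.
Added example for this thread, not from any project; the log lines are
constructed and the FW-DROP: prefix is an assumed --log-prefix."""
import re
import sys
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

LOG_YEAR = 2010  # syslog timestamps carry no year; assumed here

# Constructed sample: one fast scanner (203.0.113.5), one slow prober that
# hits two ports 40 minutes apart (198.51.100.77), one SIP/SSH knocker
# (192.0.2.9), and a non-firewall kernel line that must be ignored.
SAMPLE_LOG = """\
Jul 19 00:21:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44213 DPT=22 SYN
Jul 19 00:21:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44214 DPT=23 SYN
Jul 19 00:21:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44215 DPT=80 SYN
Jul 19 00:21:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44216 DPT=443 SYN
Jul 19 00:21:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44217 DPT=3389 SYN
Jul 19 00:21:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44218 DPT=445 SYN
Jul 19 00:30:10 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22 SYN
Jul 19 01:12:41 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=445 SYN
Jul 19 02:00:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=UDP SPT=5060 DPT=5060 LEN=420
Jul 19 02:00:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=60001 DPT=22 SYN
Jul 19 02:00:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=60002 DPT=22 SYN
Jul 19 02:00:01 gw kernel: not a firewall line at all
"""

# Fields we care about; the other LOG fields (MAC=, LEN=, TTL=, WINDOW=, ...)
# are skipped by the lazy .*? groups.  DPT= is absent for ICMP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?:\[\s*\d+\.\d+\] )?"
    r"(?P<prefix>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: Optional[int]  # None for protocols without ports


def parse_line(line: str, year: int = LOG_YEAR) -> Optional[Event]:
    """Parse one syslog line; return None for lines that are not LOG output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    dport = int(m["dpt"]) if m["dpt"] else None
    return Event(ts, m["src"], m["dst"], m["proto"], dport)


def parse_log(text: str) -> List[Event]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def find_port_scanners(events, distinct_ports: int = 5, window_s: int = 60):
    """Flag sources that hit >= distinct_ports distinct (proto, port) pairs
    within any window_s-second span.  Returns {src: peak distinct ports}.
    The sliding window keeps a slow prober from being counted as a scan."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.dport is not None:
            by_src[ev.src].append(ev)
    window = timedelta(seconds=window_s)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        recent: deque = deque()  # events inside the current window
        peak = 0
        for ev in evs:
            recent.append(ev)
            while ev.ts - recent[0].ts > window:
                recent.popleft()
            peak = max(peak, len({(e.proto, e.dport) for e in recent}))
        if peak >= distinct_ports:
            scanners[src] = peak
    return scanners


def top_ports(events, n: int = 5):
    """Most-targeted (proto, port) pairs with hit counts."""
    return Counter((e.proto, e.dport) for e in events if e.dport is not None).most_common(n)


def packets_per_source(events):
    return Counter(e.src for e in events)


def summarise(text: str) -> dict:
    events = parse_log(text)
    return {
        "packets": len(events),
        "sources": packets_per_source(events),
        "scanners": find_port_scanners(events),
        "top_ports": top_ports(events),
    }


if __name__ == "__main__":
    # Pass a syslog file path to analyse real logs; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarise(text)
    print(f"{report['packets']} dropped packets from {len(report['sources'])} sources")
    for src, peak in report["scanners"].items():
        print(f"port scan: {src} ({peak} distinct ports within 60 s)")
    for (proto, port), hits in report["top_ports"]:
        print(f"{proto}/{port}: {hits} hits")
```

Run it against the remote syslog file Gavin suggests collecting (the router needs a `-j LOG` rule on the drop path for these lines to exist at all). The five-ports-in-sixty-seconds threshold is a starting point; tune it against your own link, since a busy connection will also show legitimate clients retrying across several ports.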


  • Registered Users, Registered Users 2 Posts: 1,689 ✭✭✭JimmyCrackCorn


    I ran it for a month about a year or so ago.

    You'll be surprised how much malware makes an attempt on a public IP address.

    A good experiment, as I wanted to reverse engineer a little (had a little too much time on my hands).

    Found it easy to get running.


  • Registered Users, Registered Users 2 Posts: 11,202 ✭✭✭✭hmmm


    I would avoid the honeypot & set up a Snort system instead. Obviously a network tap would be preferred but there is some good info out there as to how to make the system as invisible as possible.

