November 19, 2007 at 3:17 am, #1802, Anonymous (Participant)
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
by Niels Provos (Author), Thorsten Holz (Author)
Honeypots made easy
Books that put institutional knowledge, or knowledge that people in the industry know but that isn't written down anywhere, are few and far between. This book succeeds in taking that institutional knowledge and putting it into a readable, functional, and well-organized format.
Before I get into the chapter play-by-play stuff, let me just say that Chapter 8, Client Honeypots, is worth the price of the book. Client-side attacks are where everything is moving to, and the days of a remote OS 0day are quickly fading away. One of the hardest things to automate and teach is client-side attacks, because it used to involve user interaction (someone actually clicking on the email, link, .exe), but with the client honeypots they discuss in the book you can automate clicking on emails, clicking on links, spidering websites, and running the executables you download from the sites. You can also monitor your honeypot for changes after running the executable, good stuff!
Most of the other reviewers said you can skip the introductory material, and you could, but it's better than the usual “beginning of the book/background” material. The book starts with a honeypot/honeynet introduction. Chapter 2 covers high-interaction honeypots, including a good chunk of information on VMware and your other “virtual” options, including User Mode Linux and Argos. Chapter 3 covers low-interaction honeypots like LaBrea, and GHH and PHP.HoP for your web-based low-interaction honeypots. Chapters 4 & 5 are a healthy dose of honeyd. Chapter 6 is collecting malware with Nepenthes and Honeytrap. Chapter 7 covers hybrid systems. Chapter 8 is, as discussed, Client Honeypots. Chapter 9 is on detecting low- and high-interaction honeypots. Chapter 10 contains Case Studies, Chapter 11 is Tracking Botnets, and Chapter 12 closes out the book with analyzing malware with CWSandbox.
My only gripes about the book were that they failed to talk about persistent versus non-persistent modes in VMware, and there was no discussion of identifying VMware and Sebek in Windows. Configuring your virtual machine how you like it, then setting it to non-persistent, is a great way to let users or attackers do whatever they want to the OS. The changes survive an OS reboot, but if you reboot the virtual machine it goes back to the original state, very handy. The other gripe was a shortage of material on detection of Sebek on Windows hosts; it's covered in depth for Linux, though. Detecting VMware and some other honeypot-type tools like Sebek in Windows is fairly easy. Simply querying for their respective registry keys usually does the job 🙂
Overall, a good book. It's useful, up-to-date, and relevant to security today.
November 19, 2007 at 8:41 pm, #14619, oleDB (Participant)
Good review. I was on the fence about getting this book, as we don't really use honeypots at my work. However, based on your recommendation I will read it anyway, just to learn more about it. Is the sandbox section any good? That's my primary interest.
November 22, 2007 at 4:23 pm, #14620, Kev (Participant)
Very well done review and thanks for making the effort.
January 9, 2016 at 9:01 pm, #14621, Kamilla (Participant)
This is a very good post which I really enjoy reading. It is not every day that I have the possibility to see something like this.