Post Fri Dec 01, 2006 5:24 pm

New and Improved Honeynet Tools

Here's a good post from the Internet Storm Center:

It's time to update your Honeynet technologies toolbelt!

While the Storm Center handlers make an effort in the timely reporting and dissemination of information regarding malware and distributed threats as they occur to keep our readers in tune with the beat of things, we can't *always* be at the cutting edge.  If you have the capability of deploying new tools and infrastructure you might consider extending your efforts to grow your organization's insight and visibility into the nefarious workings of the net.  Provided you choose to do so, or already have such efforts underway, I suggest sharing with us any significant findings!

While this year has personally seemed a bit slow in the tools development and release arena, there has been a considerable flurry of activity in new tools and update releases in the publicly available and commonly used Honeynet tool suites.  I'm suddenly having trouble keeping up my own infrastructure with building and deploying these releases.  Here are a few of the recent significant updates.

Honeynet Project - HoneySnap tool
- The python based honeysnap client is making a fresh debut at v1.0.1 and offers some reasonably nice post-processing and text based reporting on packet capture.  The Honeysnap tool can be used standalone outside of a Honeynet environment or blends nicely with any pre-existing Honeywall deployments.  I 'like' it.

Nepenthes update release from the MWCollect project
- A favorite is the Nepenthes malware collector that grew up with mwcollect, and after combined efforts this year we've been bestowed with the recent point release of v.20.

Honeynet Project - Upcoming Honeywall improvements
- While the Honeywall has not released updates lately, there has been some significant development effort exerted this year within the project.  I'm personally hoping the next generation makes a public release very soon.

Mitre Honeyclient project
- There has not been any fanfare lately but there has been some motion in the Mitre Honeyclient project.  Honeyclient code has been made available for download and a fair amount of documentation is published in the project wiki.
- Of note, but with no insight into why it may have occurred, the Mitre honeyclient project has just recently migrated away from the mitre.org domain out to new hosting.
- You should really consider deploying this type of technology if you'd like to 'literally' drive your browser crazy.  Go find some new badness and make sure to report back on your findings.

And then there's your flow data

The DShield project is always interested in obtaining aggregate netflow data based on unwanted internet traffic received at your home/business internet connection end point.  This helps not only us, but provides you with a reporting interface into internet traffic trends that occasionally identifies new or otherwise targeted attacks.

There is a wealth of documentation demonstrating how you can participate in the DShield project, including the client tools available to start reporting this data back... and heck, if you're not doing anything with it, DShield wants it!

William Salusky 
"A Human Honeyclient"


For original:
http://isc.sans.org/diary.php?storyid=1894

Don
CISSP, MCSE, CSTA, Security+ SME