|
First Considerations I suppose his layout was a honeywall (just iptables with data-limit, possibly no sebek) and one or more machines behind it running manhunt or honeyd or VMWare.
|
The honeynet seems made of 24 hosts.
|
Maybe a box (the 11.11.11.67) with honeyd, and maybe VmWare too, or with some other kind of emulated systems. |
Why ? 1st, for he simply has TOO MANY machines in that 11.11.11.! I can't believe they are all real;
|
2nd, read also the chat logs at SrcDstPort137 in this regard. (ARPD) |
How Data Limit Works (22:09:10) Brennan: i just did a cat | grep "attempt"
|
(22:09:23) Brennan: only 45
|
(22:09:40) Brennan: but the rule is definitely "Drop (..) after 13 attempts"
|
(22:10:08) DANIELE: outbound you mean ? as data limit ? can weel be
|
(22:10:10) Brennan: oh, no
|
(22:10:18) Brennan: there are Drop after 20
|
(22:10:25) Brennan: TCP is after 13 and UDP is 20
|
(22:11:11) Brennan: that's all .. there are only 45 log entries for "attempt"
|
(22:11:20) Brennan: and there are 38 for "after 13"
|
(22:11:25) Brennan: and 7 for "after 20"
|
(22:11:47) Brennan: we should pull out all his custom tags
|
(22:11:56) Brennan: catalog them
|
(22:12:15) Brennan: so we have a sort of version of what we think his iptables file looks
|
(22:12:26) DANIELE: can be done. is a good idea.
|
(22:12:41) Brennan: and note when changes are made to it, as we have found they changed for INBLOCK
|
Note: this has also been addressed by BESA in creating the modified logsnorter.
|
(23:57:34) Dani3l3: i think there is a simple router in front of it
|
(23:57:50) Dani3l3: maybe in the 22.22.22 net (that of the dns ?) on the other side of the router ?
|
(23:57:58) Dani3l3: and then....
|
(23:58:05) Dani3l3: how can we figure out the topology ?
|
(23:58:11) Dani3l3: "exits" on the internet ?
|
(23:58:16) Dani3l3: or maybe they are public addresses
|
(23:58:34) Dani3l3: but they have been changed into 11.11.11 and 22.22.22 to protect anonimity of the place
|
(23:58:39) Dani3l3: and they were globally routable
|
(23:58:42) Brennan: could be
|
(23:58:57) Brennan: do we think this is web traffic then ? from 11.11.11.x network |
(23:59:20) Brennan: then there should be DNS traces on it to those servers also
|
(00:00:16) Dani3l3: FROM 22.22.22. ?
|
(00:00:18) Dani3l3: no is the provider
|
(00:00:28) Dani3l3: then the WERE all globally routable addresses
|
(00:00:41) Dani3l3: just masked now, sanitized
|
There are entries in the logs from source 127.0.0.1 |
They are interesting (thus mentioned here) since they made us think of the layout of the network, firewall configuration (anti-spoofing protection or not).
|
BESA: I think that it's important to specify the honeywall interfaces.
|
| • | ETH0 is the external interface; |
|
| • | ETH1 is the internal one. |
|
Honey Pots (To Be Reviewed)
Dani@NL: These machines send TCP Resets packets outbound, so they are 'alive'.
|
Moreover, we can check WHAT THEY DENY - that shows that a certain service is not running!
|
$ cat honeynet.log |grep 'OUTG CON' |grep 'RST' >OutgRST.log
|
$ ruby parse.rb OutgRST.log >OutgRST.txt |
SRC PORT DATA Totals: (The reset was sent FROM this port, so this service is NOT running - right ?)
|
Which service on which honeypot is NOT running ?
|
As we observ them, these machines are instead sending SYN packets outside. SO they INITIATE some sort of connection to the outside world. We have identified a few as legitimate traffic (identd for example - DstPort113). The outhers are often compromises - Question7 |
DST PORT DATA: (The port that the honeypot tries to contact on the remote computer)
|
HARDWARE IDENTIFIED BY MAC ADDRESS
|
The only MAC address found on the log is this:
|
we can discover that there's one DELL NIC on the honeynet:
|
| | | | 00B0D0 Dell Computer Corp (was: Computer Products International)
|
They are presented in groups (60's, 70's, 80's host IDs and so on):
|
| • | 11.11.11.67 - Windows Box - we also spot the blocking mechanism of the honeywall talking of this host somewhere in the text (12381 packets) |
|
| • | 11.11.11.75 - Webserver (30130 packets Most attacked machine) |
|
| • | 11.11.11.87 (10994 packets) |
|
| • | 11.11.11.90 - Webserver (?) Need to CHECK this one properly (11359 packets) |
|
| • | 11.11.11.100 (11417 packets) |
|
| • | 11.11.11.105 (10915 packets) |
|
| • | 11.11.11.110 (10839 packets) |
|
| • | 11.11.11.115 (10842 packets) |
|
Is possible that the honeypots on a same group/range was a different machine with multiple IPs, running virtualized, most of them. (VMWare and/or honeyd at least of commercial honeypot products such as Symantec Decoy Server)
|
DNS Servers:
How Should It Look Like
External Reference
Chuvakin in this case runs a modified version of the script, but still we can find some common patterns.
|
Also in the following document we have a description of a honeynet by Chuvakin (it might of course be changed since then, but it is well worth a good read (!):
|
|
