< Sunshine on a stormy day | HIHAT (High Interaction Honeypot Analysis Toolkit) - Update >

Virtual Honeypots

virtual-honeypots
Niels Provos and I have written a book on "Virtual Honeypots: From Botnet Tracking to Intrusion Detection" which was released a couple of days ago. The book deals with high- and low-interaction honeypots and focuses on Honeyd, malware collection, client-side honeypots, botnet tracking, and many more topics. You can order it now in your favorite bookstore, looking forward to your comments :-)

Table of Contents

Preface xiii
Acknowledgments xxi
About the Authors xxiii

Chapter 1 Honeypot and Networking Background 1
1.1 Brief TCP/IP Introduction 1
1.2 Honeypot Background 7
1.3 Tools of the Trade 13

Chapter 2 High-Interaction Honeypots 19
2.1 Advantages and Disadvantages 20
2.2 VMware 22
2.3 User-Mode Linux 41
2.4 Argos 52
2.5 Safeguarding Your Honeypots 62
2.6 Summary 69

Chapter 3 Low-Interaction Honeypots 71
3.1 Advantages and Disadvantages 72
3.2 Deception Toolkit 73
3.3 LaBrea 74
3.4 Tiny Honeypot 81
3.5 GHH-Google Hack Honeypot 87
3.6 PHP.HoP-A Web-Based Deception Framework 94
3.7 Securing Your Low-Interaction Honeypots 98
3.8 Summary 103

Chapter 4 Honeyd-The Basics 105
4.1 Overview 106
4.2 Design Overview 109
4.3 Receiving Network Data 112
4.4 Runtime Flags 114
4.5 Configuration 115
4.6 Experiments with Honeyd 125
4.7 Services 129
4.8 Logging 131
4.9 Summary 134

Chapter 5 Honeyd-Advanced Topics 135
5.1 Advanced Configuration 136
5.2 Emulating Services 139
5.3 Subsystems 142
5.4 Internal Python Services 146
5.5 Dynamic Templates 148
5.6 Routing Topology 150
5.7 Honeydstats 154
5.8 Honeydctl 156
5.9 Honeycomb 158
5.10 Performance 160
5.11 Summary 161

Chapter 6 Collecting Malware with Honeypots 163
6.1 A Primer on Malicious Software 164
6.2 Nepenthes-A Honeypot Solution to Collect Malware 165
6.3 Honeytrap 197
6.4 Other Honeypot Solutions for Learning About Malware 204
6.5 Summary 207

Chapter 7 Hybrid Systems 209
7.1 Collapsar 211
7.2 Potemkin 214
7.3 RolePlayer 220
7.4 Research Summary 224
7.5 Building Your Own Hybrid Honeypot System 224
7.6 Summary 230

Chapter 8 Client Honeypots 231
8.1 Learning More About Client-Side Threats 232
8.2 Low-Interaction Client Honeypots 241
8.3 High-Interaction Client Honeypots 253
8.4 Other Approaches 263
8.5 Summary 272

Chapter 9 Detecting Honeypots 273
9.1 Detecting Low-Interaction Honeypots 274
9.2 Detecting High-Interaction Honeypots 280
9.3 Detecting Rootkits 302
9.4 Summary 305

Chapter 10 Case Studies 307
10.1 Blast-o-Mat: Using Nepenthes to Detect Infected Clients 308
10.2 Search Worms 327
10.3 Red Hat 8.0 Compromise 332
10.4 Windows 2000 Compromise 343
10.5 SUSE 9.1 Compromise 351
10.6 Summary 357

Chapter 11 Tracking Botnets 359
11.1 Bot and Botnet 101 360
11.2 Tracking Botnets 373
11.3 Case Studies 376
11.4 Defending Against Bots 387
11.5 Summary 390

Chapter 12 Analyzing Malware with CWSandbox 391
12.1 CWSandbox Overview 392
12.2 Behavior-Based Malware Analysis 394
12.3 CWSandbox-System Description 401
12.4 Results 405
12.5 Summary 413

Bibliography 415
Index 423
This entry was posted by Thorsten Holz on Tuesday, July 31. 2007 at 02:41. and is filed under administrativa, virtual-honeypots. You can leave a response, or trackback from your own blog. All new comments are subject to moderation before being displayed.

Trackbacks

Trackback specific URI for this entry

    No Trackbacks

Comments

Display comments as (Linear | Threaded)

  1. dre says:
    #1 2007-07-31 19:00 (Reply)

    The first thing I thought after reading it was, "How did you write so much on just Honeypots?". All the techniques and tools were so highly relevant to today's technology.

    One could easily start a company or two just by reading this book and implementing the ideas. There seems to be a ton more research that can be put into Honeypots.

    I found the section on "Argos" to start the book off well - because it completely blew my mind away. Then, the section on LaBrea was just so accurate and complete - you would think that there would have been something written on this subject/tool before. The book read like a bunch of "first posts" and "original ideas", while at the same time citing all the resources it used for research.

    I wasn't even aware of Hybrid Systems before reading this book. The bibliography consists of enough reading material to keep me busy for quite some time - and a lot of it is recent research. You guys really know your stuff!

    Of things you left out - well there was only one mention of the word, "HoneyTokens" in your book, and it was about how SiteAdvisor uses a honeytoken-like system to capture spam. The HoneyClients section left a lot to be desired, but it was about as much complete as the research is at today (which obviously needs more work). The book was also missing some advanced network concepts like Blackholes, Sinks, and Team Cymru related work. Finally, it was missing WASC Distributed Open Proxy Honeypots, and almost anything having to do with web applications, or even web application backdoors (although the PHP.Hop stuff was partly interesting, as was the SpyBye section).

  2. ich says:
    #2 2007-07-31 22:04 (Reply)

    Gibt es das Buch schon irgendwo hier zu kaufen? Amazon.de hat es erst Ende August... bei buch.de steht gar kein Termin.

  3. Thorsten Holz says:
    #2.1 2007-07-31 22:41 (Reply)

    The book should be available in Germany soon, AFAIK in the next few days. You can also order it at Amazon.com, they have it available in stock.

  4. John Moore says:
    #2.1.1 2007-08-02 08:16 (Reply)

    Amazon.com shipped my copy on 7/31. I ordered it the previous week. I was surprised that you don't have the LAMP server honeypot that you commented about a few months ago, but likely the book was written and sent to the publisher by then. I'm looking forward to reading your book. What's going on with CWSandbox btw? I haven't received any emails of submittals since last April. Both systems are online as they respond to ICMP queries, but the rayman server isn't sending CWSandbox analyses any more. Is this due to your lab's move, or is the service discontinued? Development of nepenthes seems to have slowed or stopped as well.

  5. Markus Kötter says:
    #2.1.1.1 2007-08-06 16:12 (Reply)

    From what I can say, nepenthes development has neither slowed down nor stopped yet, taking into account the developers have to reinvent&implement existing wheels to offer technology which already exists in some research projects without any payment and/or funding, I'd say we do a pretty good job.

    MfG
    Markus Kötter

  6. John Moore says:
    #2.1.1.1.1 2007-08-07 04:37 (Reply)

    Dear Markus,

    Thank you for your response. My comment was not a dig or anything of the sort. From glancing at the main page on a weekly basis or so, progress seems slow. I'm glad that the reality is different. Nepenthes is very useful and it does an excellent job. There's nothing available that I know of that competes with it. Please keep up the good work. Your efforts are appreciated greatly.

    Sincerely,

    John

  7. Markus Kötter says:
    #2.1.1.1.1.1 2007-08-07 17:21 (Reply)

    Drop me a line via mail and I'll send you what we are working on atm
    http://sourceforge.net/mailarchive/forum.php?thread_name=60d7a5220707151802nf052beaye62b94b6490598d7%40mail.gmail.com&forum_name=nepenthes-devel
    as the sourceforge mailinglist does not really allow downloading attachments.

    MfG
    Markus

  8. scriptware says:
    #3 2007-09-21 17:19 (Reply)

    hope to read it in german....






    --------------------------
    gotroot.totalh.com

  9. liruiguang says:
    #4 2007-10-18 14:16 (Reply)

    I hope to read it in chinese.


Add Comment


Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
Submitted comments will be subject to moderation before being displayed.