SotM #30

Write-up by Anton Chuvakin, netForensics Honeynet
version 0.2

Contents

Background:

This section gives some background on what was really going on. Considering that we have access to the actual honeynet system as well as full packet captures, and not just the firewall logs, this write-up should be read as the correct answer and possibly not like the best approach to the given task.
  1. Here are a few words on the honeynet network architecture.
  2. Honeynet machines runs some of the following services: HTTP, HTTPS, FTP, SMB and others.
  3. IPtables on a bridge is set to block outbound connections after a pre-set limit and allow all inbound connections
  4. On Feb 8, the honeynet was compromised and destroyed by the attackers. Due to the high volume of outbound traffic that followed as a result of a compromise, the access to honeynet was automatically shutdown. Thus, the change in logs from regular INBOUND messages to INBLOCK on Feb 10 13:50:22
  5. Overall, honeynet logs contain several major traffic types:
  6. Tools used for our analysis include netForensics SIM, which handles all the data flowing from the honeypot from various sensors, such as bridge firewall and multiple IDS sensors.
Q/A:
Summary
  1. Q1
  2. Q2
  3. Q3
  4. Q4
  5. Q5
  6. Q6
  7. Q7
  8. Q8
  9. Q9
  10. Q10
Details
  1. What are the high-level trends in connectivity to/from the honeynet?
  2. What possible evidence of malware is there?
  3. Most of the honeynet noise is related to recon activity or various probes. Firewall logs are full of traces of such activity. Examples include:
  4. The honeynet data pool has a large set of scan traces
  5. Other noise
  6. Anomalies
  7. The honeypot was indeed compromised, as we hinted in the challenge description. The main clue is OUTBOUND FTP and HTTP connections (not ident TCP 113 or DNS UDP 53)
  8. If such logs are obtained from a production system, lots of different factors will contribute to threat prioritization. Among them are:
  9. Some honeypot IP addresses (still the same system!) were touched more than others. This largely remains a mystery. The only sensible explanation is that some sort of inheritance from previous IP owners is takinhg place. IDS alerts display a similar picture: a wildly different attack types and counts are thrown at different IP addresses in close range.
  10. Some data metrics are shown below

Conclusion:
This challenge proves that firewall logs are a great untapped source for information about intrusions. However, the ways to analyze the data need to be a bit more sophisticated than those used for IDS payload analysis due to high volume and low content of useful actionable information in firewall logs.


Anton Chuvakin
netForensics Honeynet
Honeynet Research Alliance
04/13/2004