______________________________________________________________________________
HONEYNET/HONEYPOT PROJECT
______________________________________________________________________________

Meeting: 3/23/06 8:00pm, ITL
Attendees: Leslie, Todd, Patty, Creigh
Meeting Duration: Approx. 1.5 hours

______________________________________________________________________________
Accomplishments:
______________________________________________________________________________

1) Patty created and updated the honeynet/honeypot project website:
   http://www.clarkson.edu/projects/itl/projects/honey/

2) We discussed the possibility of building a single interface that
   incorporates all of the functionality of the monitoring tools we will
   use in the honeypot.

3) Todd, Creigh, and Leslie investigated Snort and how it works in more
   detail.
   - Ran the commands as documented in Dalia's thesis.
   - Couldn't get an alarm to go off with Snort.
   - Downloaded the rules files from: http://www.snort.org/rules/
     snort -d -h 128.153.144.0/24 -l c:\snort\log -c c:\snort\etc\snort.conf
   - Looked at some related tools:
     http://www.winsnort.com/
     http://oinkmaster.sourceforge.net/
     http://www.codecraft-canada.com/Barnyard/ (Windows port of Barnyard)

______________________________________________________________________________
TO-DO List:
______________________________________________________________________________

1) Creigh will look into graphical tools for Snort.
2) Leslie will look into Tripwire.
3) Todd will do nothing, because it's his birthday on Sunday. :)
4) Patty will continue to update the webpage and collect links for now.

Also:
- Tried to figure out which options to pass to Snort and which are the
  defaults; this still needs to be investigated.
- Couldn't do the next part of the thesis, "testing Snort", since we
  didn't have a telnet server on Windows.
- Couldn't get any rules to trigger yet, since we don't know how it all
  fits together yet.

______________________________________________________________________________
References:
______________________________________________________________________________

Excerpted from the thesis:

- The Windows version of Snort can be found at:
  http://www.snort.org/dl/binaries/win32/
- Snort can be used as a packet logger, which logs all incoming packets
  into the log directory. The command to do so is:
  snort -dev -l d:\snort\log
- To use Snort in Network Intrusion Detection Mode, meaning to log only
  packets that match a certain rule, use the command:
  snort -d -h 192.168.1.0/24 -l d:\snort\log -c d:\snort\etc\snort.conf
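Added example, not from the notes or from Dalia's thesis: a minimal Snort 2.x configuration with one local rule that fires on any ICMP echo request aimed at the monitored subnet, so the rule-to-alert path can be confirmed before loading the full downloaded rule set. The file paths, the interface number and the use of 128.153.144.0/24 as HOME_NET are assumptions; adjust them to the actual install.

```conf
# Added example (not from the meeting notes or the thesis). Minimal Snort 2.x
# config: one rule, one output plugin, nothing else. Paths, interface index
# and HOME_NET are assumptions for the ITL honeynet box.

# --- c:\snort\etc\minimal.conf ---
var HOME_NET 128.153.144.0/24
var EXTERNAL_NET any
var RULE_PATH c:\snort\rules

# One-line "fast" alerts written to <logdir>\alert.ids
output alert_fast: alert.ids

# Load only the local test rule, not the downloaded rule set
include $RULE_PATH/local.rules

# --- c:\snort\rules\local.rules ---
# sid values from 1000000 upward are reserved for locally written rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request to honeynet"; itype:8; sid:1000001; rev:1;)

# Invocation (run "snort -W" first to find the interface index):
#   snort -i 1 -l c:\snort\log -c c:\snort\etc\minimal.conf
# Ping any host in 128.153.144.0/24 from another machine; one alert line
# per echo request should appear in c:\snort\log\alert.ids.
```

If no alert appears, the usual culprits are an interface index that does not match the monitored NIC, or HOME_NET not covering the address that was pinged.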