______________________________________________________________________________
HONEYNET/HONEYPOT PROJECT
______________________________________________________________________________

Meeting: 4/6/06 7:00pm, ITL
Attendees: Leslie, Todd, Patty, Cyrus, Creigh
Meeting Duration: Approx. 2 hours

______________________________________________________________________________
Accomplishments:
______________________________________________________________________________

1) Installed VMware Server on a new COSI computer and copied over the honeypot image.
2) While it was installing and copying, we read a little more in the thesis document.
3) Tried to determine whether we could monitor the guest's network traffic from the base with Ethereal. By default, the virtual network is a switched network, so the guest's traffic is not broadcast to the base. We therefore decided to set up a physical hub to do the network tracing.
4) Successfully traced, from the base, network traffic that was destined for the guest (which is the honeypot).

______________________________________________________________________________
TO-DO List:
______________________________________________________________________________

1) Install a Linux guest virtual machine on the base to act as a potential monitor or logger.
2) Read more on virtual networks supported within VMware.

______________________________________________________________________________
References:
______________________________________________________________________________

We were looking into the VMware network options today during our honey meeting, so I have some references.

For more information on the virtual networks available in VMware:
http://www.cygem.com/articles/vm-net101.pdf

According to this document there is a virtual network called VMnet0 which by default is used for the bridged network.
[Note the bridged network is so VM guests can have an external address, as if they are really on the external Internet.] Then, VMnet1 is used for the Host-Only network, and VMnet8 is a host-only network that uses the host as a NAT.

I also found a vmnet-sniffer which can capture on /dev/vmnet0, for example, to get all of the bridge traffic. I can't find any good documentation on it yet, but I think it has something to do with tcpdump.

Another important thing that I have noticed by looking through the documentation on VMware Server Beta 2 is that VMware for Windows and VMware for Linux are not created equal. The options (max networks, network hosts, etc.) and how to configure the custom options are very different between Linux and Windows.

Two really good docs that I found are:
http://www.vmware.com/pdf/server_admin_manual.pdf
http://www.vmware.com/pdf/server_vm_manual.pdf

We can discuss this more at the next ITL meeting if there is general interest in the internals of the VMware virtual networks. Also, there will likely be some more details in future honey meetings.

****************************************************************************
One important caveat that Jason brings up / reminds me of is that these configurations are completely customizable and that the VMnets I mentioned were just the defaults.

Have fun with your virtual networks, but not too much fun.
****************************************************************************
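Accomplishments 3 and 4 above describe sniffing from the base through a physical hub and picking out the frames destined for the honeypot guest. A hub repeats every frame to every port, so the base sees its own traffic and everybody else's as well, and the useful part of the capture is the filter on the honeypot's address. The following is an added example, not code from the meeting or from the project: a minimal Ethernet II / IPv4 decoder that keeps only frames addressed to the honeypot and reports source, protocol and destination port. The honeypot address (192.0.2.10), the other hosts, MAC addresses and the sample frames are all constructed from the RFC 5737 documentation ranges, since the notes do not record the real addresses.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder (RFC 5737 documentation range); the real honeypot
# address used at the meeting is not recorded in the notes.
HONEYPOT_IP = "192.0.2.10"

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode an Ethernet II / IPv4 frame; return None for anything else (ARP, IPv6, runts)."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    version_ihl = ip[0]
    if version_ihl >> 4 != 4:
        return None
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(ip) < ihl:
        return None
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    src_port = dst_port = None
    l4 = ip[ihl:]
    # TCP and UDP both carry source and destination port in their first 4 bytes.
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        src_port, dst_port = struct.unpack("!HH", l4[:4])
    return Packet(src_ip, dst_ip, proto, src_port, dst_port)


def to_honeypot(frames: List[bytes], honeypot_ip: str = HONEYPOT_IP) -> List[Packet]:
    """From everything the hub repeated to us, keep only packets addressed to the honeypot."""
    pkts = (parse_frame(f) for f in frames)
    return [p for p in pkts if p is not None and p.dst_ip == honeypot_ip]


def build_frame(src_ip: str, dst_ip: str, proto: int, src_port: int, dst_port: int) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame for the sample capture (constructed data)."""
    eth = (bytes.fromhex("000c29aabbcc") + bytes.fromhex("000c29ddeeff")
           + struct.pack("!H", ETHERTYPE_IPV4))
    l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16   # ports, rest of L4 header zeroed
    total_len = 20 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    return eth + ip + l4


# Constructed sample capture: what a hub port would show the base.
SAMPLE_CAPTURE = [
    build_frame("198.51.100.7", HONEYPOT_IP, PROTO_TCP, 40123, 22),     # to the honeypot
    build_frame("198.51.100.7", "192.0.2.1", PROTO_TCP, 40124, 80),     # to the base itself, not the honeypot
    build_frame("203.0.113.5", HONEYPOT_IP, PROTO_UDP, 5353, 161),      # to the honeypot
    bytes.fromhex("ffffffffffff000c29aabbcc0806") + b"\x00" * 28,      # ARP frame, skipped by the decoder
]


def summarize(frames: List[bytes] = SAMPLE_CAPTURE):
    """(source, IP protocol number, destination port) for each packet sent to the honeypot."""
    return [(p.src_ip, p.proto, p.dst_port) for p in to_honeypot(frames)]


if __name__ == "__main__":
    for entry in summarize():
        print(entry)
```

On a real capture the frames would come from the base's interface on the hub rather than from SAMPLE_CAPTURE; the decoder and filter stay the same. Anything the honeypot itself sends out is deliberately not selected here, since the meeting's item 4 was about traffic destined for the guest.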