______________________________________________________________________________
HONEYNET/HONEYPOT PROJECT
______________________________________________________________________________

Meeting: 4/25/06 8:00pm, ITL
Attendees: Leslie, Todd, Patty, Creigh
Meeting Duration: Approx. 2 hours

______________________________________________________________________________
Accomplishments:
______________________________________________________________________________

1) Looked at the Tripwire for Servers (TFS) User Guide that came with the
   download. How to configure Tripwire:

   Initialize the database file, which records the attributes (hashes,
   sizes, permissions, owners, timestamps) of the files covered by the
   policy:
       tripwire --init

   Run an integrity check of the entire system against that database:
       tripwire --check

   Compile a policy file from its text form:
       twadmin --create-polfile policy_file.txt

   Tripwire ships with a default policy (tw.pol is the compiled, signed
   form; twpol.txt is the plain-text source). Tune the policy file, then
   test it to see whether it has the rules that we need:
       tripwire --check --report-file temp_directory/report_tune.twr

   Tripwire reports are written in .twr format. To print the active policy
   file in human-readable text, use:
       twadmin --print-polfile > policy_tune.txt

   To render a report as HTML, use:
       twprint --print-report --report-file ..\report\report_name.twr -F html -o report.html

   The report can be produced in "classic" (text), "html" or "xml" format.

   Tripwire Manager is a separate, graphical (GUI) software package for
   managing Tripwire for Servers installations across the network.

2) Snort rules (see HTML page off of website)
   - Subscription-based (expensive to buy).
   - Registration-based (register with contact information). Gets the
     majority of the rules, but slightly out of date.  *** RECOMMENDED ***
   - Unregistered (basic, out-of-date rules).
   - Community (forum where people post rules).
   - Bleeding-Edge Snort rules (people write rules quickly when an attack
     becomes known, before the official Snort page has it). Organized into
     rulesets.
     There is also a Bleeding Snort Windows Ruleset Manager.
   - We do not want to write our own Snort rules.
   - Oinkmaster: keeps Snort rules current. Checks the repository for a new
     ruleset and remembers the rules you have commented out, so local
     disables survive an update. Supports the official, Bleeding and other
     rule sources. Good for honeyfarms: you configure one ruleset and
     distribute it to all of your other IDS nodes.
   - Snort IDS Policy Manager for Windows.

3) Downloaded and ran Regmon and tried out all of its options. Still
   looking into it; not happy with it yet, as it seems to require a lot of
   user interaction.

4) Trying to find tools to emulate an attack; they are hard to find. Most
   tools are for monitoring and detecting attacks rather than generating
   them (for testing). Found some noise generators (stick, snot) and TCP
   replay, which cannot be detected by Snort. These programs are not easy
   to find.

______________________________________________________________________________
TO-DO List:
______________________________________________________________________________

1) Leslie will continue to report on the configuration of Tripwire and get
   it configured on the honeypot.
   - Establish a baseline, known-good state.
   - Granularity of checks: be able to distinguish the changes that we make
     (OK changes) from unexpected ones.
2) Creigh will get Snort installed on the honeypot and establish the
   ruleset that we will use.
3) Todd will continue to report on Regmon and look for alternatives.
4) Patty will continue to report on attacks for Windows.

***** Patty and Todd will create a diagram of the VMware virtual networks. *****

______________________________________________________________________________
Challenges
______________________________________________________________________________

- Malware could corrupt or delete:
  - the Tripwire binary
  - the database
  - the policy file
  Mitigation: keep them on a read-only medium.

______________________________________________________________________________
Future Work
______________________________________________________________________________

- XML Parser
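______________________________________________________________________________
Added examples (not from the meeting)
______________________________________________________________________________

The Tripwire workflow in Accomplishments item 1 and TO-DO item 1 (establish a
known-good baseline, check with per-path granularity so that expected changes
such as growing logs do not alert, and the Challenges note that malware may
tamper with the database) is illustrated below with a small stand-in written
for these notes. It is not Tripwire code and does not read Tripwire's policy
or .twr formats; the DEFAULT_POLICY mapping, the HMAC signing of the baseline
(Tripwire signs its database with the local key) and the files created in
demo() are all constructed for the example.

```python
import hashlib
import hmac
import json
import stat
import tempfile
from pathlib import Path

# Hypothetical policy: directory prefix -> attributes that must not change.
# Loosely modelled on Tripwire property masks; the format is this example's own.
DEFAULT_POLICY = {
    "bin": {"sha256", "size", "mode"},   # binaries: content is fixed
    "log": {"mode", "owner"},            # logs grow; only perms/owner matter
}
ALL_ATTRS = {"sha256", "size", "mode", "owner"}


def file_attrs(path: Path) -> dict:
    """Attributes an integrity check compares; the hash covers the whole file."""
    st = path.lstat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "owner": st.st_uid,
    }


def rule_for(rel: str, policy: dict) -> set:
    """Longest matching prefix wins; paths outside the policy get every attribute."""
    matches = [p for p in policy if rel == p or rel.startswith(p + "/")]
    return policy[max(matches, key=len)] if matches else ALL_ATTRS


def init_db(root, policy=DEFAULT_POLICY) -> dict:
    """Baseline (the 'tripwire --init' step): record the policy's attrs per file."""
    root = Path(root)
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            attrs = file_attrs(p)
            db[rel] = {k: attrs[k] for k in rule_for(rel, policy)}
    return db


def sign_db(db: dict, key: bytes) -> dict:
    """Bind the database to a key so that silent edits to it are detectable."""
    body = json.dumps(db, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}


def load_db(signed: dict, key: bytes) -> dict:
    """Refuse to use a baseline whose MAC no longer verifies."""
    mac = hmac.new(key, signed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, signed["mac"]):
        raise ValueError("baseline database failed its integrity check")
    return json.loads(signed["body"])


def check(root, db: dict, policy=DEFAULT_POLICY) -> dict:
    """The 'tripwire --check' step: report added, removed and changed files."""
    now = init_db(root, policy)
    changed = {}
    for rel in db.keys() & now.keys():
        diff = {k: (db[rel][k], now[rel][k]) for k in db[rel] if db[rel][k] != now[rel].get(k)}
        if diff:
            changed[rel] = diff
    return {
        "added": sorted(now.keys() - db.keys()),
        "removed": sorted(db.keys() - now.keys()),
        "changed": changed,
    }


def demo() -> tuple:
    """Constructed scenario: trojaned binary, growing log, dropped file, forged DB."""
    key = b"demo-local-key"  # constructed; Tripwire keeps its keys in key files
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "log").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        (root / "log" / "messages").write_text("boot ok\n")
        signed = sign_db(init_db(root), key)

        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned")   # same size, new content
        with (root / "log" / "messages").open("a") as f:
            f.write("login from 10.0.0.5\n")                    # expected log growth
        (root / "bin" / "nc").write_bytes(b"\x7fELF dropped")    # attacker's new file
        report = check(root, load_db(signed, key))

        # Edit the stored baseline directly, as malware with write access could.
        forged = signed["body"].replace("bin/ls", "bin/sl")
        try:
            load_db({"body": forged, "mac": signed["mac"]}, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected
```

Running demo() flags bin/ls as changed (only its hash differs; the size stayed
equal) and bin/nc as added, while log/messages stays quiet because the "log"
rule ignores size and content. The MAC on the baseline is what a read-only
medium also buys: a modified database is rejected rather than trusted.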
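The Oinkmaster behaviour noted under Accomplishments item 2 (pull a new
ruleset, but remember which rules were commented out locally so they stay
disabled after the update) is shown below as an added example written for
these notes; it is not Oinkmaster's code. The two rule files are constructed,
using sids in the local 1000000+ range, and the merge matches rules by sid
the way Oinkmaster's disablesid handling does.

```python
import re

# Constructed rule text; not real Snort or Bleeding rules.
LOCAL_RULES = """\
# local copy as tuned on the honeypot IDS
alert tcp any any -> $HOME_NET 445 (msg:"SMB probe"; sid:1000001; rev:1;)
# alert icmp any any -> $HOME_NET any (msg:"Noisy ping rule"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"Telnet login"; sid:1000003; rev:1;)
"""

UPSTREAM_RULES = """\
# new upstream drop: 1000001 revised, 1000003 retired, 1000004 added
alert tcp any any -> $HOME_NET 445 (msg:"SMB probe"; sid:1000001; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"Noisy ping rule"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 3389 (msg:"RDP brute force"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(text: str) -> list:
    """Return (sid, enabled) for every line that carries a sid option."""
    out = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:
            out.append((int(m.group(1)), not line.lstrip().startswith("#")))
    return out


def enabled_sids(text: str) -> set:
    return {sid for sid, on in parse_rules(text) if on}


def merge_update(local_text: str, upstream_text: str) -> tuple:
    """Apply an upstream ruleset while keeping locally disabled sids disabled.

    Returns (merged_text, new_sids, retired_sids). Upstream content always
    wins (so rev bumps land); only the enabled/disabled state is carried over.
    """
    local = dict(parse_rules(local_text))          # sid -> enabled
    local_sids = set(local)
    keep_off = {sid for sid, on in local.items() if not on}
    merged, seen = [], set()
    for line in upstream_text.splitlines():
        m = SID_RE.search(line)
        if not m:                                  # comments and blank lines
            merged.append(line)
            continue
        sid = int(m.group(1))
        seen.add(sid)
        if sid in keep_off and not line.lstrip().startswith("#"):
            line = "# " + line                     # local disable survives
        merged.append(line)
    new_sids = sorted(seen - local_sids)
    retired = sorted(local_sids - seen)
    return "\n".join(merged) + "\n", new_sids, retired
```

For the constructed input, sid 1000002 comes back commented out even though
upstream ships it enabled, sid 1000001 picks up its rev:2 text, 1000004 is
reported as new and 1000003 as retired; the new and retired lists are what
an operator should eyeball before restarting Snort on every node.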