______________________________________________________________________________
HONEYNET/HONEYPOT PROJECT
______________________________________________________________________________

Meeting: 4/26/06 8:00pm, ITL
Attendees: Leslie, Todd, Patty, Creigh
Meeting Duration: Approx. 2 hours

______________________________________________________________________________
Accomplishments:
______________________________________________________________________________

1) Installed Tripwire in the Honeypot VM (Windows).

   Download Tripwire for Servers 4.6.
   Extract the zip file.
   Double click Setup.
   Next...
   "Do not send Tripwire reports by e-mail."
   Uncheck "Check here to enable SNMP".
   Run Tripwire for Servers alone, without Tripwire Manager.
   Next...
   Finish

2) Installed Snort in the Linux VM.

   In a Debian-based system:
       apt-get install snort snort-doc oinkmaster

   Configuring Snort:
       Address range to monitor: 128.153.0.0/16

   Prep the Snort rules directory:
       sudo chown -R snort:snort /etc/snort/rules

   Edit the Oinkmaster config file:
       sudo gedit /etc/oinkmaster.conf

   Register for an account at snort.org to get additional Snort rules.
   At the bottom of Account Settings, click "Get Code" under Oinkmaster
   Download Codes. Add your URL to the oinkmaster.conf file.

   Generate the list of rules that you will ignore:
       sudo -s /usr/share/oinkmaster/makesidex.pl /etc/snort/rules/ > /etc/autodisable.conf

   Update the active rules (run in a bash script as root):
       chown snort:snort autodisable.conf oinkmaster.conf
       /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules/
       chown -R snort:snort /etc/snort/rules/

______________________________________________________________________________
TO-DO List:
______________________________________________________________________________

1) Leslie continue to report on configuration of Tripwire, get it configured
   on the honeypot.
   - Establish baseline, known-good state
   - Granularity of checks, be able to see the changes that we make, OK changes

2) Creigh to get Snort installed on the honeypot and establish a ruleset that
   we will use.

3) Todd will continue to report on Regmon. Look for alternatives.

4) Patty will continue to report on attacks for Windows.
   - Set script to run every time our monitoring VM is booted. Don't boot the
     Honeypot VM unless the monitoring VM has been booted first. (So the
     download from the Snort site will not be detected with a sniffer).

***** Patty and Todd will create a diagram of VMware virtual networks. *****

***** Need updated HTML and documents from the rest of the team members, and
upload them to the project directory when they are finished. *****
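As an added example (not from the meeting notes), the Snort rule-update steps listed under Accomplishments wrapped in one root script with two checks the notes leave implicit: that the Oinkmaster registration code has actually been pasted into oinkmaster.conf (assumed here to replace the literal "<oinkcode>" placeholder of the stock config), and that the autodisable list is regenerated before every update so hand-disabled rules stay off. Paths follow the Debian layout in the notes; the makesidex.pl redirect runs inside the root script, so it does not hit the permission problem a plain "sudo -s cmd > /etc/file" has.

```shell
#!/bin/sh
# Added example, not from the meeting notes: the "update the active rules"
# steps as one root script with checks. Paths can be overridden via env vars.
set -e

OINK_CONF=${OINK_CONF:-/etc/oinkmaster.conf}
AUTODISABLE=${AUTODISABLE:-/etc/autodisable.conf}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}

# 0 if $1 has an active "url = ..." line with the registration code filled
# in; 1 if the line is missing, commented out, or still holds the literal
# "<oinkcode>" placeholder (assumption: that is the stock placeholder text).
# Leaving it in makes the download fail, and the old rules stay in place.
check_oinkcode() {
    url_line=$(grep '^[[:space:]]*url[[:space:]]*=' "$1" | head -n 1)
    case $url_line in
        ''|*'<oinkcode>'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Number of rules commented out under $1. makesidex.pl turns each of these
# into a "disablesid" line, which is what keeps an update from re-enabling
# rules we switched off by hand.
count_disabled_rules() {
    cat "$1"/*.rules 2>/dev/null \
        | grep -cE '^[[:space:]]*#[[:space:]]*(alert|log|pass|drop)[[:space:]]' \
        || true
}

update_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    check_oinkcode "$OINK_CONF" \
        || { echo "set your Oinkmaster code in $OINK_CONF first" >&2; return 1; }
    # Regenerate the ignore list before every update. The redirect runs in
    # this root shell, so writing to /etc works (unlike "sudo -s cmd > file").
    /usr/share/oinkmaster/makesidex.pl "$RULES_DIR" > "$AUTODISABLE"
    chown snort:snort "$AUTODISABLE" "$OINK_CONF"
    /usr/sbin/oinkmaster -C "$OINK_CONF" -C "$AUTODISABLE" -o "$RULES_DIR"
    chown -R snort:snort "$RULES_DIR"
    echo "update done; $(count_disabled_rules "$RULES_DIR") rules stay disabled"
}

# Only touch the system when run as "update-rules.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    update_rules
fi
```

Per the notes, run it only after the monitoring VM is up, so the rule download is not the first traffic the honeypot's sniffer sees.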