______________________________________________________________________________
HONEYNET/HONEYPOT PROJECT
______________________________________________________________________________

Meeting: 4/30/06 4:00pm, ITL
Attendees: Leslie, Todd, Patty, Creigh
Meeting Duration: Approx. 6.5 hours

______________________________________________________________________________
Accomplishments:
______________________________________________________________________________

1) Told Regmon to log starting at the next boot.
   Regmon -> Options -> LogBoot
   It told us where the log file will be stored: C:\WINDOWS\regmon.log

2) Set up our honeypot VM architecture.
   - Used a crossover cable to connect the hub to the Internet.

3) Tuned the Snort rules.

4) Ran the Oinkmaster script:
   sudo oinkmaster-update.sh

5) Removed the existing Snort rules from the rules directory.

6) In oinkmaster.conf, commented out the existing URL and added:
   url=http://www.bleedingsnort.com/bleeding.rules.tar.gz

7) In snort.conf, commented out the existing rules in the "Customize Rules" section and added the bleeding rules to the list.

8) Restarted Snort.

9) Turned off the Windows firewall.

10) Did an Nmap port scan again. Snort detected it as two false positives (it thought it was a Trojan and also identified it as a MySQL attack). Nmap was trying to do an identification scan, which made the traffic look like those other attacks. We saw that it was coming from Creigh's IP address, so we knew it was really the Nmap scan. Tripwire didn't detect it, since the scan only went over the network and didn't modify any files.

11) Port scanned the honeypot and did a version probe so that we could find out which services were running, in order to find an attack.

12) Retuned Tripwire to accept the changes we had made to the system ourselves (from turning off the Windows firewall).

13) Installed the Alexa Toolbar from http://download.alexa.com/, which is thought to be spyware.

14) We were watching the log files and saw that Snort detected the Alexa Toolbar as a Trojan.
    tail -f /var/log/snort/alert

15) Ran Tripwire to see the changes made by Alexa. A couple of files, a directory, and about 200 registry files were new or modified.

16) Then we uninstalled Alexa and restarted the VM, as the uninstall directions specified.

17) We then saw that the Alexa folder was still there, but was empty.

18) Then we deleted the folder manually and ran Tripwire again. The files were gone and the folder was gone, but the registry keys were still there.

19) Then we restored back to a known-good image.
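Items 10 and 14 above record reading /var/log/snort/alert and deciding that the "Trojan" and "MySQL" hits were false positives because they came from Creigh's scanning host. The script below is an added example, not part of the meeting notes or the project's own tooling: it parses records in Snort's "full" alert format (the layout Snort writes to the alert file) and groups them by source address, so that alerts caused by our own scanner can be separated from alerts that need a look, such as outbound traffic the honeypot itself generates. The sample alert records, their SIDs, rule names and IP addresses are constructed for this example and do not correspond to any real rule; the scanner and honeypot addresses passed to triage() are assumptions for the demonstration.

```python
"""Group Snort full-format alerts by source address for quick triage."""
import re
from collections import defaultdict

# Constructed sample records in Snort's "full" alert format. The SIDs,
# rule names and addresses are made up for this example; they are not
# real Snort or Bleeding Snort rules.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] CONSTRUCTED Trojan traffic (version probe lookalike) [**]
[Classification: A Network Trojan was detected] [Priority: 1]
04/30-16:42:10.101010 10.0.0.7:44123 -> 10.0.0.20:445
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] CONSTRUCTED MySQL attack (version probe lookalike) [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
04/30-16:42:11.202020 10.0.0.7:44124 -> 10.0.0.20:3306
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF

[**] [1:1000003:1] CONSTRUCTED spyware toolbar check-in [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/30-17:05:33.303030 10.0.0.20:1052 -> 203.0.113.9:80
TCP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:48 DF
"""

# First line of a record: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]")
# Packet line: timestamp src[:port] -> dst[:port]; ports are absent for ICMP.
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> "
    r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))?$"
)


def parse_alerts(text):
    """Return one dict per alert record; records are separated by blank lines."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.strip().splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue  # not a full-format record (e.g. a truncated tail)
        gid, sid, rev, msg = header.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                 "classification": None, "priority": None, "time": None,
                 "src": None, "sport": None, "dst": None, "dport": None}
        for line in lines[1:]:
            m = CLASS_RE.match(line)
            if m:
                alert["classification"] = m.group(1)
                alert["priority"] = int(m.group(2))
                continue
            m = PACKET_RE.match(line)
            if m:
                ts, src, sport, dst, dport = m.groups()
                alert.update(time=ts, src=src, dst=dst,
                             sport=int(sport) if sport else None,
                             dport=int(dport) if dport else None)
        alerts.append(alert)
    return alerts


def triage(alerts, scanner_hosts=(), honeypot_hosts=()):
    """Group alerts by source IP and attach a verdict.

    Alerts sourced from our own scanner (item 10) are expected; alerts whose
    source is the honeypot itself mean it initiated traffic (item 14).
    """
    by_src = defaultdict(lambda: {"count": 0, "sids": [], "verdict": "investigate"})
    for a in alerts:
        entry = by_src[a["src"]]
        entry["count"] += 1
        entry["sids"].append(a["sid"])
        if a["src"] in scanner_hosts:
            entry["verdict"] = "expected scan"
        elif a["src"] in honeypot_hosts:
            entry["verdict"] = "outbound from honeypot"
    return dict(by_src)


if __name__ == "__main__":
    # Assumed addresses for the demonstration: 10.0.0.7 is the scanning
    # workstation, 10.0.0.20 is the honeypot VM.
    summary = triage(parse_alerts(SAMPLE_ALERTS),
                     scanner_hosts={"10.0.0.7"}, honeypot_hosts={"10.0.0.20"})
    for src, info in sorted(summary.items()):
        print(f"{src}: {info['count']} alert(s) sids={info['sids']} -> {info['verdict']}")
```

To use it against the live file from item 14, read /var/log/snort/alert into parse_alerts() instead of SAMPLE_ALERTS; the verdicts only say where the traffic originated, so an "expected scan" entry still deserves a glance at the message text to confirm it lines up with the scan that was actually run.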