
Virtual Honeypots

samzenpus posted more than 5 years ago | from the read-all-about-it dept.


rsiles writes "Honeynet solutions were seen as just a research technology a couple of years ago. That is not the case anymore. Due to the inherent constraints and limitations of the current, widely deployed intrusion detection solutions, like IDS/IPS and antivirus, it is time to extend our detection arsenal and capabilities with new tools: virtual honeypots. Do not be confused by the book title, especially the "virtual" term. Although the book covers all kinds of honeynet/honeypot technologies, the main reason to speak of virtual honeypots is that during the last few years virtualization has been a key element in the deployment of honeynets. It has offered us a significant cost reduction, more flexibility, reusability and other benefits. The main drawback of this approach is the detection of virtual environments by some malware specimens." Read below for the rest of Raul's review.

The detection of honeypots has always been one of the main concerns in the honeynet community, because if the attacker can identify them, they are useless. For this reason, one of the chapters is focused on providing some light tips and tricks about what an adversary can really accomplish in this respect. In fact, we have not seen many real-world incidents where the attacker actively checks for the existence of honeynet setups.

The first chapter is a very brief introduction to honeynet technologies and basic tools; you can skip it if you are not new to this field. Then the book covers the two main honeypot types: high and low interaction. The high-interaction section provides details about the tools to virtualize your honeypots: VMware, UML, or more specific solutions such as Argos. The low-interaction section provides details about some of the most relevant honeypot types, covering a lot of detection scenarios: worms, traditional server attacks, Google hacking, web-based attacks, etc. It is a wide overview that will give you a lot of ideas for new deployments.

The whole book has been written with a how-to mentality, and it explains in detail how to install and configure the different tools and software elements covered. Additionally, it provides guidelines, best practices, and analysis recommendations for each tool based on the authors' experience. Bear in mind when following the how-to portions that most of the solutions are Linux-based, and the installation and setup process will vary with the tool version and the Linux distribution you are using (library dependencies, etc.). In any case, the step-by-step guides are very useful as a general setup reference.

From my perspective, the most valuable part of the book is chapters 4 to 6. The authors, Niels Provos and Thorsten Holz, are the lead developers/architects of honeyd (chapters 4 and 5) and nepenthes (chapter 6), respectively. These are the best-known and most advanced low-interaction server-based honeypot and malware-collection honeypot, respectively. They know what they are talking about, and you cannot find a better reference out there for these two tools. The book is an excellent guide, covering everything from the design principles and innovative deployment ideas to all kinds of configuration options and possibilities, including limitations in real-world scenarios. Chapter 6 also covers other malware honeypots that, except for Honeytrap, are less popular.
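To make concrete what a low-interaction honeypot of the honeyd kind actually does, here is a minimal TCP decoy written for this review page. It is an added illustration, not code from the book, from honeyd or from nepenthes. It emulates a few service banners, records who connected and what they sent, and closes; there is no real service behind any port, so there is nothing for an attacker to exploit and the value lies entirely in the log. The banners, ports, service names and JSON log layout are assumptions made for the example.

```python
"""Minimal low-interaction TCP decoy. Added example, not honeyd or book code.

Each emulated port answers with a plausible banner, records who connected and
what they sent, then closes. There is no real service behind any port, so
there is nothing for an attacker to exploit: the value is entirely in the log.
"""
import json
import socket
import socketserver
import threading
import time

# Banners are invented for this example; mirror what a real host on your
# network would present so the decoy blends in.
FAKE_SERVICES = {
    22: b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",
    25: b"220 mail.example.internal ESMTP Postfix\r\n",
    80: (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Ubuntu)\r\n"
         b"Content-Type: text/html\r\nContent-Length: 28\r\n\r\n"
         b"<html><body>OK</body></html>"),
}
SERVICE_NAMES = {22: "ssh", 25: "smtp", 80: "http"}


def service_response(port, client_data):
    """Bytes the decoy sends on `port` given the first bytes from the client.

    SSH and SMTP greet before reading anything, so client_data is ignored for
    them; HTTP only answers once it has seen something like a request line.
    """
    if port == 80:
        if not client_data.startswith((b"GET ", b"HEAD ", b"POST ")):
            return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
        return FAKE_SERVICES[80]
    return FAKE_SERVICES.get(port, b"")


def make_event(src_ip, src_port, dst_port, client_data, ts=None):
    """One JSON-serialisable log record per connection."""
    return {
        "ts": time.time() if ts is None else ts,
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "service": SERVICE_NAMES.get(dst_port, "unknown"),
        "bytes_received": len(client_data),
        # Hex so binary payloads or injected newlines cannot corrupt the log.
        "first_bytes_hex": client_data[:64].hex(),
    }


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        port = self.server.emulated_port
        self.request.settimeout(5)
        if port != 80:                      # banner-first protocols
            self.request.sendall(service_response(port, b""))
        data = b""
        try:
            data = self.request.recv(1024)
        except (socket.timeout, ConnectionError):
            pass
        if port == 80:                      # request-first protocol
            try:
                self.request.sendall(service_response(port, data))
            except ConnectionError:
                pass
        event = make_event(self.client_address[0], self.client_address[1],
                           port, data)
        with self.server.log_lock:
            self.server.log_file.write(json.dumps(event) + "\n")
            self.server.log_file.flush()


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, log_file, emulated_port=None):
        # emulated_port lets a test bind an ephemeral port while still
        # pretending to be, say, SSH on 22.
        super().__init__(addr, DecoyHandler)
        self.emulated_port = addr[1] if emulated_port is None else emulated_port
        self.log_file = log_file
        self.log_lock = threading.Lock()


def start_decoys(bind_ip, ports, log_file):
    """Start one listener per port in a background thread; returns servers."""
    servers = [DecoyServer((bind_ip, p), log_file) for p in ports]
    for s in servers:
        threading.Thread(target=s.serve_forever, daemon=True).start()
    return servers


if __name__ == "__main__":
    # Ports below 1024 need root or CAP_NET_BIND_SERVICE.
    with open("decoy-events.jsonl", "a") as log:
        servers = start_decoys("0.0.0.0", sorted(FAKE_SERVICES), log)
        try:
            while True:
                time.sleep(3600)
        except KeyboardInterrupt:
            for s in servers:
                s.shutdown()
```

Run it as root (or with CAP_NET_BIND_SERVICE) on an otherwise unused address and every line in decoy-events.jsonl is a connection nobody had a legitimate reason to make. The client's first bytes are hex-encoded on purpose: scanner output is hostile input, and a decoy log that can be corrupted by a crafted payload defeats itself.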

The book includes some extra material covering academic and research hybrid solutions still in their early stages, which can give you an idea of where these technologies are heading and the major challenges we are facing now. This rather theoretical content is well balanced by the case studies chapter, where real incidents involving different honeypot types are presented. These are always a fun read and a way of gaining experience and learning how to deal with intrusions.

Finally, one of the main expansion areas we are involved in today is the creation of new client-based honeypot technologies. The book's section on this (chapter 7, highly recommended) does a great job introducing the multiple high- and low-interaction honeyclients currently available, with their benefits and drawbacks. This information is perfectly complemented by the last two chapters, focused on tracking botnets and analyzing malware in sandbox environments. Once a client is compromised, it typically becomes a member of a botnet, and for easy and quick categorization we start by performing a malware analysis of the specimens. I recommend adding all this knowledge to your incident handling and response capabilities.

Something I would have liked to see in the book is a section about a fully virtualized honeynet environment, showing how, using VMware, you can build a virtual Honeywall (only briefly mentioned in chapter 2) together with different honeypots, creating a complete, cheap, mobile and multi-purpose virtual honeynet infrastructure. We receive multiple questions related to this kind of setup on the Honeynet Project mailing lists, because all the previous whitepapers are now obsolete. I have been deploying this type of solution for fun and professionally during the last few years and I strongly recommend that you start using them. You won't be disappointed by how much you can learn about what is going on in your networks and systems, and this book is the best starting point.

If you have any involvement in intrusion detection, incident handling and forensics, threat analysis, or the SOC and CERT side of security, this book is definitely for you. Go through it and improve your capabilities with easy-to-deploy virtual honeypot solutions. You just need a (not so new) computer, virtualization software, and some time.

I have been working with honeynets for the last 5 years. We founded the Spanish Honeynet Project in 2004, and almost at the same time we became part of The Honeynet Project and released the Scan of the Month 32. Until last year the main honeynet/honeypot book reference was the book published by the Honeynet Project. As this is a rapidly evolving field, it has definitely been replaced by this book, written by two project members.

You can purchase Virtual Honeypots: From Botnet Tracking to Intrusion Detection from amazon.com.


50 comments


virtual? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#24405655)

I like hairless honeypots, but I prefer the real thing.

Re:virtual? (0)

Quiet_Desperation (858215) | more than 5 years ago | (#24406411)

eros.com had loads of them

Get it? Loads? Ah ha ha ha! I crack me up! Comedy fuckin' gold right there!

Not new (-1, Redundant)

LanMan04 (790429) | more than 5 years ago | (#24405657)

We were doing this shit in grad school in 2003. Not new.

Re:Not new (0)

Anonymous Coward | more than 5 years ago | (#24405949)

My Erdos number [wikipedia.org] is 5.

Yeah? Well, my Erdos number is -1! That's right! I am the Anti-Erdos! Muahahaha...

Re:Not new (3, Funny)

nimbius (983462) | more than 5 years ago | (#24406475)

addison wesley? famed maker of cryptic high school calculus books that had the apparent ability to off-gas some sort of clay-like stench?

I remember them being so obscure that I affectionately scribbled the words "zyklon madness engine" into the front of my copy of AP calc. in high school.

**shudders**

Speaking of the stench (1)

Jabbrwokk (1015725) | more than 5 years ago | (#24406929)

I misread the summary and thought this article was about virtual honeybuckets. [honeybucket.com]

I'm a bit disappointed.

Re:Not new...to you (0)

Anonymous Coward | more than 5 years ago | (#24406533)

Proud of you. Very, very, very, proud of you.

Re:Not new (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24406729)

apparently it didn't stop you from being an egotistical smacktard. but thanks for the heads up anyway. jerk.

Re:Not new (1)

Jansingal (1098809) | more than 5 years ago | (#24406805)

yes, but the old threats are still used today.

Re:Not new (2, Insightful)

hesaigo999ca (786966) | more than 5 years ago | (#24406829)

And your book is titled....?
Seems you miss the point of this post....it is directed at those interested in getting started and wanting some info as to what tools to use, and what to expect for their time and effort.

Re:Not new (1)

LanMan04 (790429) | more than 5 years ago | (#24406955)

Ah, I got hung up on the "last few years" bit.

Re:Not new (1, Funny)

Anonymous Coward | more than 5 years ago | (#24407309)

In common usage, 2003 does fall within "last few years."

Admit it, you're one of those high-horse geeks that derides everything everyone else does because you firmly believe you are the ubergenius.

Re:Not new (0)

Anonymous Coward | more than 5 years ago | (#24408229)

In common usage, 2003 does fall within "last few years."

Admit it, you're one of those high-horse geeks that derides everything everyone else does because you firmly believe you are the ubergenius.

His post coupled with his "Erdos Number" boast is enough to confirm that ...

SLASHDOT SUX0RZ (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24405681)

_0_
\''\
'=o='
.|!|
.| |
review: virtual goatse [goatse.cz]

Re:SLASHDOT SUX0RZ (0, Funny)

Anonymous Coward | more than 5 years ago | (#24406031)

Warning: don't click on the link. It's a picture of a guy stretching his butt. It's very gross and not appropriate!

Re:SLASHDOT SUX0RZ (1)

strelitsa (724743) | more than 5 years ago | (#24409369)

That particular bit of ASCII art has always looked to me like Snoopy standing on stilts while wearing a miner's lantern on his head. That's probably not the impression the troll intended to convey, but c'est la vie.

OMG (-1, Troll)

sexconker (1179573) | more than 5 years ago | (#24405817)

You mean I can set up a virtual machine or a group of virtual machines and give them IP addresses?

And I can leave them unpatched, and install services and software with known security holes to attract attention from people who are poking around my IPs?

WHAT A NOVEL IDEA.
I think I will write a book about it.

Re:OMG (1)

morgan_greywolf (835522) | more than 5 years ago | (#24406037)

Write a book on it? Hell, I applied for patent on it! Pay me!

Bad idea... (1)

PC and Sony Fanboy (1248258) | more than 5 years ago | (#24406073)

The problem with a honeypot ... is that the sysadmin can easily sell out the real info for the server and then simply say "Well, the honeypot attracted them" ...

O.o (2, Informative)

SatanicPuppy (611928) | more than 5 years ago | (#24407619)

I don't think that "Honeypot" means what you think it means. Having a honeypot on a "real" server would be like having a live chemical weapons training course in your house.

The whole point is study, and possibly early warning. I've got a "honeypot" (I'd call it a "canary") set up on my corporate DMZ which is made to look roughly like one of my second tier financial machines; it's only there to scream bloody murder if someone tries to log into it.

If someone does log into it, they'll know immediately it's a decoy, because the only thing running on it is a process which listens and responds on a few select ports to make it look like real stuff is running on the machine.

That's about the sum total usefulness of a honeypot for anyone who is interested in anything besides watching the methods to pwn machines evolve. It has nothing to do with exposing actual useful information to anyone.

your pot (0)

Anonymous Coward | more than 5 years ago | (#24409415)

Why don't you fill the thing up with good looking but totally made up data? Wouldn't that keep the badguys sticking around longer so you could do more research on them? Isn't one of the goals to be one of the whitehats and actually, you know, catch the bad guys? Even if you don't do it, someone else, perhaps official authority, might want to.

Re:O.o (1)

sexconker (1179573) | more than 5 years ago | (#24409425)

A canary is quite different.

It's a chunk of memory with a known value/checksum that you use as a shield against buffer overrun attacks.

Check the canary every once in a while or when touching certain pieces of data. If the canary is sick (has been tampered with by a program traipsing through trying to find offsets for attacks), bail out.

Re:O.o (0)

Anonymous Coward | about 6 years ago | (#24410895)

Yes in a programming sense that is a canary.

SatanicPuppy calling his decoy system a "canary" is roughly the same concept and more accurate than calling it a "honeypot" given the intended purpose of the decoy system.

From his post:

it's only there to scream bloody murder if someone tries to log into it.

If someone does log into it, they'll know immediately it's a decoy

Given that, I'd say that his decoy system is more of a canary than a honeypot.

Re:OMG (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#24406323)

Fucking moron. I bet you could fit everything you know about honeyd and nepenthes or how to prevent malware from detecting the presence of a virtual environment on a square of toilet paper. Using a crayon. Asshole. (And no, I'm not the author, but have some respect.)

Re:OMG (1)

sexconker (1179573) | more than 5 years ago | (#24409531)

Grow up.
Book is useless.
Honeypots are useless.

They don't protect you, they simply let you analyze methods of attack. But when you open up known methods of attack, you don't learn anything about new ones. If someone can run code on your system, you're fucked. There's nothing to gain from analyzing what an attacker did to a honeypot after getting access unless you are a computer (in)security company.

Honeypots do not protect you.
They do not distract attackers since - surprise - they can attack many targets at once.
They rarely provide any useful research data since honeypots are easy to access.
They don't lead to jail time for hackers (one of the original intentions).

Yawn.

Re:OMG (1)

Jansingal (1098809) | more than 5 years ago | (#24407147)

so what's your point?

not everyone is as smart as you, and well,
some people need a book like this.

if you don't like it, dont buy it.
better.... write something WE can use.

Re:OMG (0, Flamebait)

sexconker (1179573) | more than 5 years ago | (#24409555)

My point is that honeypots are useless.
I'm shocked to see people still talking about them.

I hear this internet thing is going to be pretty big.

Bill Gates is promising. "Two years from no (1)

cwAllenPoole (1228672) | more than 5 years ago | (#24405821)

It is said that the generals of today are fighting yesterday's war. In the war of Mal AI's vs. defending AI's, it seems that this book's purpose is simply the defense against already existing technologies which will be very quickly outmoded, and while it is more than beneficial to be prepared for malicious bots, is there a way that this can project the future and give proactive techniques?

Not really. (4, Insightful)

khasim (1285) | more than 5 years ago | (#24406311)

... is there a way that this can project the future and give proactive techniques?

Not really. We already know how machines are cracked.

All this research does is find out what tools are being used today.

And as you can see with the need to constantly download updated "virus signatures", that approach is useless in defending your systems.

To really defend your system, you need to be able to lock down all the executables on your system. And you need a way to verify that those executables stay locked down. And that there is no other way to get an executable to run on your system.

Re:Bill Gates is promising. "Two years from (0)

Anonymous Coward | more than 5 years ago | (#24407493)

it seems that this book's purpose is simply the defense against already existing technologies which will be very quickly outmoded
They become outmoded because defenses are developed against them.

is there a way that this can project the future and give proactive techniques
No. Once we're prepared for an attack technique, it's outmoded, and the attackers move on to something else.

obligatory simpsons quote (0)

Anonymous Coward | more than 5 years ago | (#24405931)

Mmmmm...Honey

Anonymous Coward. (0)

Anonymous Coward | more than 5 years ago | (#24405999)

something something

Interesting addition to security (3, Interesting)

Anonymous Coward | more than 5 years ago | (#24406171)

Sure, the idea has been around for a long while. But, real security is based on misinformation. If you want to protect some data, you create multiple copies of the data all of which appear to be about the same thing, but all reaching different conclusions. It is not so much a honeypot to attract, but a honeypot to create doubt.

It also buys you time; if you have multiple honeypots then the chance of your main systems being compromised is lessened. If it can be done quickly and inexpensively then it is probably worth it for some large companies.

If you think a honeypot should just be unpatched and ready for the taking, then you have the wrong approach, most should be patched at least to the level of your other systems. I suppose the term honeypot is wrong, decoys would be better. But, the same technology is being used.

Re:Interesting addition to security (2, Insightful)

Nos. (179609) | more than 5 years ago | (#24406401)

Sure, the idea has been around for a long while. But, real security is based on misinformation. If you want to protect some data, you create multiple copies of the data all of which appear to be about the same thing, but all reaching different conclusions. It is not so much a honeypot to attract, but a honeypot to create doubt.

That sounds a lot like security through obscurity to me.

As far as I'm concerned, a honeypot is not a security tool, its a security research tool, and there's a vast difference between the two

Re:Interesting addition to security (1)

192939495969798999 (58312) | more than 5 years ago | (#24406937)

Right, a "free warez" folder isn't what the hardcore data criminal is looking for, whereas two very similar oracle databases, each with encrypted cc numbers but one bogus might be confusing enough to cause a slowdown that allows an attack to either be detected, thwarted, or tracked for evidence used in a prosecution.

Pretty isn't it? (2, Funny)

Anonymous Coward | more than 5 years ago | (#24406425)

http://xkcd.com/350/

A bit dated (1)

joshmobile (836033) | more than 5 years ago | (#24406445)

This book came out over a year ago. It's actually a good read although a bit dated.

Re:A bit dated (1)

Jansingal (1098809) | more than 5 years ago | (#24407191)

please, please please...

Tell me one thing in the book that is dated.

Re:A bit dated (0)

Anonymous Coward | about 6 years ago | (#24414567)

That's the "war cry" of the defeated in this field (and you'll never get any statement back on it): It's the typical "what have you done lately" from those that never have done anything of note in this art & science, period. Get used to it, you'll see it quite a lot, & especially from those that are "underachieving blowhards".

http://www.neuraliq.com/ (1)

keepper (24317) | more than 5 years ago | (#24406561)

Seems a lot of what this book talks about, is done by neuraliq's devices.

Plug in 3 2 1 ... http://www.neuraliq.com/

Easy concept to stop confusion (4, Informative)

Anonymous Coward | more than 5 years ago | (#24406833)

Useful honeypots are patched to the level of the rest of your computers/servers on your network. Then you simply watch traffic running to (and from) them, because by default, they should have no traffic. (minus the broadcasts and regular auto discovery packets) You know that any traffic to and from this box is suspicious on the grounds that it is not actually used for anything.

Honeypots are NOT unpatched boxes completely exposed to the internet for all to attack. Unless you are into malware/virus research. Even then, patching allows you to keep up with the latest threats. If your patched box got owned, you need to look at it =)
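The detection rule the comment above describes (a patched decoy has no users, so any flow touching it is suspect once you discount broadcast and discovery chatter) is easy to run over firewall logs. The block below is an added example written for this page; it is not from the book, the commenter or any product. The subnet, decoy addresses and log lines are constructed for the example, and the line format only imitates an iptables LOG entry rather than being captured from a real gateway.

```python
"""Flag any flow that touches a decoy host. Added example, not from the book.

The decoys are patched like production and have no legitimate users, so every
flow to or from them is suspect, apart from the background chatter any LAN
host produces (broadcast, multicast, DHCP, NetBIOS, mDNS, SSDP). Addresses,
ports and log lines below are constructed for the example; the line format
imitates an iptables LOG entry but is not output from a real system.
"""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("10.20.30.0/24")                 # hypothetical subnet
DECOYS = {ipaddress.ip_address("10.20.30.40"),              # hypothetical decoys
          ipaddress.ip_address("10.20.30.41")}
DISCOVERY_UDP = {67, 68, 137, 138, 1900, 5353}   # DHCP, NetBIOS, SSDP, mDNS

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: .7 is a normal host, .99 is a scanner, .40/.41 are decoys.
SAMPLE_LOG = """\
Aug  1 10:00:01 gw kernel: IN=eth1 OUT= SRC=10.20.30.7 DST=255.255.255.255 LEN=308 PROTO=UDP SPT=68 DPT=67
Aug  1 10:00:02 gw kernel: IN=eth1 OUT= SRC=10.20.30.7 DST=10.20.30.255 LEN=78 PROTO=UDP SPT=137 DPT=137
Aug  1 10:00:03 gw kernel: IN=eth1 OUT= SRC=10.20.30.7 DST=224.0.0.251 LEN=120 PROTO=UDP SPT=5353 DPT=5353
Aug  1 10:00:04 gw kernel: IN=eth1 OUT= SRC=10.20.30.99 DST=10.20.30.40 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
Aug  1 10:00:05 gw kernel: IN=eth1 OUT= SRC=10.20.30.99 DST=10.20.30.40 LEN=60 PROTO=TCP SPT=51001 DPT=445 SYN
Aug  1 10:00:06 gw kernel: IN=eth1 OUT= SRC=10.20.30.99 DST=10.20.30.41 LEN=60 PROTO=TCP SPT=51002 DPT=22 SYN
Aug  1 10:00:07 gw kernel: IN=eth1 OUT= SRC=10.20.30.12 DST=10.20.30.50 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN
Aug  1 10:00:08 gw kernel: IN=eth1 OUT= SRC=10.20.30.40 DST=198.51.100.23 LEN=60 PROTO=TCP SPT=39000 DPT=6667 SYN
Aug  1 10:00:09 gw kernel: IN=eth1 OUT= SRC=10.20.30.40 DST=10.20.30.255 LEN=200 PROTO=UDP SPT=138 DPT=138
Aug  1 10:00:10 gw kernel: IN=eth1 OUT= SRC=10.20.30.99 DST=10.20.30.40 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_line(line):
    """Extract a flow from one log line; None if the line has no SRC/DST."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"].upper(),
        "spt": int(m["spt"]) if m["spt"] else None,
        "dpt": int(m["dpt"]) if m["dpt"] else None,
        "raw": line.rstrip(),
    }


def is_background(flow, lan=LAN):
    """Chatter every host emits even when idle, so not evidence of interest."""
    dst = flow["dst"]
    if dst.is_multicast or dst == lan.broadcast_address:
        return True
    if dst == ipaddress.ip_address("255.255.255.255"):
        return True
    if flow["proto"] == "UDP" and (flow["spt"] in DISCOVERY_UDP
                                   or flow["dpt"] in DISCOVERY_UDP):
        return True
    return False


def suspicious_flows(lines, decoys=DECOYS, lan=LAN):
    """Every non-background flow that has a decoy as source or destination."""
    hits = []
    for line in lines:
        flow = parse_line(line)
        if flow is None or is_background(flow, lan):
            continue
        if flow["src"] in decoys:
            flow["direction"] = "outbound"   # decoy is talking: assume it is owned
        elif flow["dst"] in decoys:
            flow["direction"] = "inbound"    # someone is probing the decoy
        else:
            continue
        hits.append(flow)
    return hits


def summarize(hits):
    """(decoy, direction, peer) -> count, the shape you would alert on."""
    counts = Counter()
    for h in hits:
        if h["direction"] == "outbound":
            decoy, peer = h["src"], h["dst"]
        else:
            decoy, peer = h["dst"], h["src"]
        counts[(str(decoy), h["direction"], str(peer))] += 1
    return counts


if __name__ == "__main__":
    found = suspicious_flows(SAMPLE_LOG.splitlines())
    for key, n in sorted(summarize(found).items()):
        print(n, *key)
```

On the sample, the three broadcast and multicast lines from the normal host never match, the NetBIOS broadcast that the decoy itself sends is discounted as background, and what remains is the scanner's SSH, SMB and ICMP probes against both decoys plus one outbound TCP connection from a decoy to an outside address on port 6667. That last kind of hit deserves the highest severity: an inbound probe means someone is looking, while an outbound flow from a host that should never initiate anything means the decoy has most likely been compromised and is phoning home.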

Re:Easy concept to stop confusion (0)

Anonymous Coward | more than 5 years ago | (#24409765)

If a honeypot is not receiving traffic, it's not a very sweet target. If there's a malicious user on your network, they could also be watching your traffic and will never even see your honeypot. Your honeypot can be connecting to your internal webservers, mailservers and network shares. Then the traffic is filterable and it appears more like a real computer. Otherwise they'll only find your honeypot through scanning (which may trip an IDS).

Sweet Obscurity (0)

Anonymous Coward | more than 5 years ago | (#24407259)

Honeynets always felt like security through obscurity to me, I get it, they have their place. but it still just feels....wrong.

From the headline (1)

Count_Froggy (781541) | more than 5 years ago | (#24407461)

From the headline, I thought this was something for Winnie the Pooh.

what no porn! (0)

Anonymous Coward | more than 5 years ago | (#24407889)

How can you have a title "Virtual Honeypots" and no porn! goddamn geeks

Mantrap was one 8 years ago (1)

lrc (5755) | more than 5 years ago | (#24408041)

When I was at Recourse (which got borged by Symantec) we had a virtual honeypot called Mantrap. It was on the market when I started there in 2001.

Trap them web crawlers (1)

minhlish (1336351) | about 6 years ago | (#24413859)

Wouldn't mind setting up a honeytrap to filter out those chinese crawlers...