Honeycomb and the current state of Honeypot Technology (PowerPoint presentation transcript)

Slides: 32
Learn more at: http://www.icir.org
1
Honeycomb and the current state of Honeypot
Technology
  • Christian Kreibich

2
Coming up ...
  • Introduction to Honeypots
  • Current state of the art Honeynets
  • Honeycomb - automated NIDS signature creation
  • Three days in the life of an unprotected cable
    modem connection

3
So what's a Honeypot?
  • A Honeypot is a computer resource set up for the
    purpose of monitoring and logging the activities
    of entities that probe, attack or compromise it.
  • (My attempt, posted to honeypots@securityfocus.com)
  • No production value, so it should see no traffic.
  • Interaction with these systems is likely malicious.
  • Flexible concept, not a fixed tool.
  • Not new: The Cuckoo's Egg, An Evening with Berferd

4
Types of Honeypots
  • Low interaction
    • Trap files, database entries etc. (Honeytokens)
    • Emulated services and operating systems
    • Easier to deploy, limited capabilities.
  • High interaction
    • Runs real systems
    • Need to limit the harm that can be done
    • More to learn, more complexity, more risk!

5
Low interaction fake services
  • From a fake FTP server shell script (a honeyd
    service script; $command holds the FTP verb just
    read from the client):

    case $command in
      QUIT )
        echo -e "221 Goodbye.\r"
        exit 0
        ;;
      SYST )
        echo -e "215 UNIX Type: L8\r"
        ;;
      HELP )
        echo -e "214-The following commands are recognized (* =>'s unimplemented).\r"
        echo -e "   USER    PORT    STOR    MSAM    RNTO    NLST    MKD     CDUP\r"
        echo -e "   PASS    PASV    APPE    MRSQ    ABOR    SITE    XMKD    XCUP\r"
        echo -e "   ACCT    TYPE    MLFL    MRCP    DELE    SYST    RMD     STOU\r"
        echo -e "   SMNT    STRU    MAIL    ALLO    CWD     STAT    XRMD    SIZE\r"
        echo -e "   REIN    MODE    MSND    REST    XCWD    HELP    PWD     MDTM\r"
        echo -e "   QUIT    RETR    MSOM    RNFR    LIST    NOOP    XPWD\r"
        echo -e "214 Direct comments to ftp@domain.\r"
        ;;
    esac

6
High interaction Honeynets
  • Gen II Honeynet
    [Diagram: Internet - Honeywall - Production Network / Honeypots]
7
High interaction Honeynets
  • Gen II Honeynet
    • Honeywall
      • Layer 2 bridge
      • IDS Gateway: iptables + snort_inline
      • Control / Report interface
    [Diagram: Internet - Honeywall - Production Network / Honeypots]
8
snort_inline
  • Drop the matching packet outright:
    drop tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named";
      flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)
  • Or let it through with the payload rewritten (same length, so
    the TCP stream stays consistent while the exploit is sabotaged):
    alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named";
      flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";
      replace:"|0000 E8D7 FFFFFF|/ben/sh";)
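
Added example (mine, not code from the slides or from snort_inline): a small Python model of the two rules above. It decodes Snort's mixed text/|hex| content syntax, enforces snort_inline's requirement that a replace string be exactly as long as the content it overwrites (so the segment length and TCP sequence numbers are unchanged), and shows the same match handled in drop mode versus replace mode. The packet payload is constructed for the example.

```python
# Added example: a minimal model of snort_inline's content/replace handling.
# Not code from the slides or from snort_inline; the payload is constructed.


def parse_snort_content(spec: str) -> bytes:
    """Decode a Snort content string.
    Text outside |...| is literal; inside the bars it is hex bytes, with
    whitespace between bytes allowed, e.g. "|CD80 E8D7 FFFFFF|/bin/sh"."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part)
        else:
            out += part.encode("latin-1")
    return bytes(out)


def apply_rule(payload: bytes, action: str, content: str, replace: str = None):
    """Apply one inline rule to a raw TCP payload.

    Returns (verdict, payload):
      ("pass", payload)     no match, packet forwarded unchanged
      ("drop", None)        matched a 'drop' rule, packet discarded
      ("alert", modified)   matched an 'alert' rule; with a 'replace'
                            option the matched bytes are overwritten in place
    """
    pattern = parse_snort_content(content)
    idx = payload.find(pattern)
    if idx < 0:
        return "pass", payload
    if action == "drop":
        return "drop", None
    if replace is None:
        return "alert", payload
    new = parse_snort_content(replace)
    # snort_inline requires replace to be exactly as long as content: the
    # segment keeps its length, so the TCP stream stays consistent while
    # the attacker's payload is silently broken.
    if len(new) != len(pattern):
        raise ValueError("replace must be the same length as content")
    return "alert", payload[:idx] + new + payload[idx + len(pattern):]


CONTENT = "|CD80 E8D7 FFFFFF|/bin/sh"   # int 0x80; call ...; "/bin/sh"
REPLACE = "|0000 E8D7 FFFFFF|/ben/sh"   # int 0x80 -> add [eax],al; path broken

# Constructed sample: NOP sled, the shellcode fragment, then a trailing byte.
SAMPLE_PAYLOAD = b"\x90" * 8 + parse_snort_content(CONTENT) + b"\x00"


def demo():
    dropped = apply_rule(SAMPLE_PAYLOAD, "drop", CONTENT)
    rewritten = apply_rule(SAMPLE_PAYLOAD, "alert", CONTENT, REPLACE)
    clean = apply_rule(b"GET / HTTP/1.0\r\n\r\n", "drop", CONTENT)
    return dropped, rewritten, clean


if __name__ == "__main__":
    for verdict, data in demo():
        print(verdict, data)
```

The replace form is the interesting one for a honeynet: the attacker's session keeps going, so the honeypot still records what they try next, but the shellcode never runs.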

9
High interaction Honeynets
  • Gen II Honeynet
    • Sebek2
      • Surveillance rootkit
      • Kernel module on each honeypot
      • Captures all activity on the pots
      • Sends the details to the Honeywall
      • Prevents sniffing of its own traffic on the honeypot
      • Sebeksniff: the collector on the Honeywall side
    [Diagram: Internet - Honeywall - Production Network / Honeypots]
10
Honey Inspector
11
Honeycomb
  • Goal: automated generation of NIDS signatures
  • Name? Nice double meaning ...
    • Combing for patterns in Honeypot traffic

13
Honeycombs Architecture
14
Honeycombs Algorithm
15
Pattern Detection (I)
  • Stream reassembly

16
Pattern Detection (II)
  • Longest-common-substring (LCS) on pairs of
    messages
    • fetaramasalatapatata
    • insalataramoussaka
    • LCS here: "salata"
  • Can be done in O(m1 + m2) using suffix trees
  • Implemented libstree, a generic suffix tree library
  • No hardcoding of protocol-specific knowledge

18
Pattern Detection (III)
  • Horizontal detection
    • LCS on pairs of messages
    • each message treated independently
    • e.g. (persistent) HTTP

19
Pattern Detection (IV)
  • Vertical detection
    • concatenates the incoming messages of a flow
    • LCS on pairs of the concatenated strings
    • for interactive flows, and to mask TCP dynamics
      (how the stream was split into segments)
    • e.g. FTP, Telnet, ...
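
Added example (mine, not Honeycomb's code) for the LCS step of slides 16 to 19. Honeycomb computes the LCS in linear time with a generalised suffix tree (libstree); the plain dynamic-programming version below returns the same substring, which is enough to show the difference between horizontal detection (each message on its own) and vertical detection (the messages of a flow concatenated first). The FTP fragments are constructed, split across messages the way a TCP stream might deliver them.

```python
# Added example, not Honeycomb's own code: LCS-based pattern detection.
from itertools import combinations


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest common substring by dynamic programming, O(len(a)*len(b)).
    Honeycomb gets the same answer in O(len(a)+len(b)) with a suffix tree."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def horizontal_detect(messages, min_len=4):
    """Horizontal detection: every message is an independent unit and is
    compared pairwise with every other one (fits one-request-per-message
    protocols such as HTTP). Returns the candidate patterns found."""
    found = set()
    for m1, m2 in combinations(messages, 2):
        lcs = longest_common_substring(m1, m2)
        if len(lcs) >= min_len:          # drop trivial one- or two-byte hits
            found.add(lcs)
    return found


def vertical_detect(flows, min_len=4):
    """Vertical detection: concatenate all messages of a flow first, then
    compare flows pairwise. This masks how TCP split the data into segments
    and suits interactive protocols (FTP, Telnet) where one command may
    arrive in pieces."""
    return horizontal_detect([b"".join(flow) for flow in flows], min_len)


# Constructed sample: the same FTP command in two flows, each delivered in
# two TCP segments that are split at different points.
FLOW_A = [b"SITE EX", b"EC %p%p%p\r\n"]
FLOW_B = [b"SITE EXEC %p", b"%p%p\r\n"]


def demo():
    slide_example = longest_common_substring(b"fetaramasalatapatata",
                                             b"insalataramoussaka")
    horizontal = horizontal_detect(FLOW_A + FLOW_B)
    vertical = vertical_detect([FLOW_A, FLOW_B])
    return slide_example, horizontal, vertical


if __name__ == "__main__":
    lcs, horizontal, vertical = demo()
    print("slide LCS:", lcs)
    print("horizontal:", horizontal)   # only fragments of the command
    print("vertical:", vertical)       # the whole command
```

Horizontal detection over the four segments only yields fragments such as "SITE EX"; vertical detection recovers the complete "SITE EXEC %p%p%p\r\n", which is why the FTP and Telnet honeyd services use it.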

20
Signature Pool
  • Limited-size queue of current signatures
  • Relational operators on signatures
    • sig1 = sig2: all elements (facts) equal
    • sig1 ⊂ sig2: sig1's facts are a subset of sig2's
  • Merging a new signature into the pool
    • signew = sigpool: signew ignored
    • signew ⊂ sigpool: signew added (it is the more general one)
    • sigpool ⊂ signew: signew augments sigpool (the pool
      entry gains the extra facts)
  • Signature correlation on destination ports
    • Avoids duplicates for trivial flows (portscan!)
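
Added example (mine, not Honeycomb's code) of the signature pool rules above. The representation of a signature as a set of "facts" plus a separately tracked set of destination ports is an assumption made for the example; the rule text it renders follows the shape of the Honeycomb rules shown later in the deck. The port-scan input is constructed.

```python
# Added example, not Honeycomb's own code: a signature pool with the
# relations from the slide (=, ⊂) and destination-port correlation.
from dataclasses import dataclass, field


@dataclass
class Signature:
    # Assumed representation: a signature is a set of "facts" such as
    # ("proto", "tcp"), ("flags", "S"), ("content", b"..."); the destination
    # ports it was seen on are kept apart so they can be correlated.
    facts: frozenset
    dst_ports: set = field(default_factory=set)
    src: str = "any"
    dst: str = "any"
    msg: str = "Honeycomb"

    def to_snort(self) -> str:
        f = dict(self.facts)
        opts = [f'msg:"{self.msg}"']
        if "flags" in f:
            opts.append(f'flags:{f["flags"]}')
        if "flow" in f:
            opts.append(f'flow:{f["flow"]}')
        if "content" in f:
            hexbytes = " ".join(f"{b:02X}" for b in f["content"])
            opts.append(f'content:"|{hexbytes}|"')
        ports = ",".join(str(p) for p in sorted(self.dst_ports)) or "any"
        return (f'alert {f.get("proto", "ip")} {self.src} any -> '
                f'{self.dst} {ports} ({"; ".join(opts)};)')


class SignaturePool:
    """Bounded queue of current signatures (oldest dropped first)."""

    def __init__(self, max_size: int = 16):
        self.max_size = max_size
        self.sigs = []            # list of Signature, oldest first

    def add(self, new: Signature) -> str:
        for old in self.sigs:
            if new.facts == old.facts:
                # signew = sigpool: ignored, but port correlation still folds
                # the new destination port into the existing entry, so a
                # port scan yields one rule with a port list.
                old.dst_ports |= new.dst_ports
                return "ignored"
            if old.facts < new.facts:
                # sigpool ⊂ signew: the new one is more specific and
                # augments the pool entry with its extra facts.
                old.facts = new.facts
                old.dst_ports |= new.dst_ports
                return "augmented"
        # signew ⊂ sigpool, or unrelated: added as a signature of its own.
        self.sigs.append(new)
        if len(self.sigs) > self.max_size:
            self.sigs.pop(0)
        return "added"


def demo():
    pool = SignaturePool()
    scan = frozenset({("proto", "tcp"), ("flags", "S"), ("flow", "stateless")})
    results = []
    # Constructed input: one host SYN-probing the honeypot on several proxy ports.
    for port in (1080, 3128, 4588, 6588, 8080):
        results.append(pool.add(Signature(scan, {port}, "64.201.104.2/32",
                                          "192.168.169.2/32")))
    # A later flow that also carried a payload: more facts, so it augments.
    richer = scan | {("content", b"CONNECT ")}
    results.append(pool.add(Signature(richer, {8080})))
    # A signature with fewer facts than any pool entry: added as a new one.
    results.append(pool.add(Signature(frozenset({("proto", "tcp")}), {25})))
    return results, pool


if __name__ == "__main__":
    results, pool = demo()
    print(results)
    for sig in pool.sigs:
        print(sig.to_snort())
```

Five SYN probes end up as one rule whose port list reads 1080,3128,4588,6588,8080, which is exactly the shape of the proxy-scanner rule Honeycomb produced in the results section.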

21
Results
  • We ran Honeycomb on an unfiltered cable modem
    connection
  • Honeyd setup: fake FTP, Telnet, SMTP, Apache
    services, all Perl/shell scripts.
  • Three-day period
  • Some statistics:
    • 649 TCP connections, 123 UDP connections
    • 143 pings, almost exclusively UDP port 137
      (NetBIOS)
    • Full traffic volume 1MB
    • No wide-range portscanning

22
TCP Connections (by service, from the pie chart)
  • HTTP
  • Kuang2 Virus/Trojan
  • NetBIOS - W32/Deluder Worm
  • NetBIOS - open shares
  • Microsoft SQL Server
23
UDP Connections (by service, from the pie chart)
  • NetBIOS Nameservice
  • Messenger Service
  • Slammer
24
Signatures created: Slammer
  • 1434/UDP worm, Microsoft SQL Server buffer
    overflow
  • Honeyd log (S = connection start, E = end; the E
    line ends with bytes received and sent: 376 bytes
    received is exactly one Slammer datagram):

    2003-05-08-02:26:43.0385 udp(17) S 81.89.64.111 2943 192.168.169.2 1434
    2003-05-08-02:27:43.0404 udp(17) E 81.89.64.111 2943 192.168.169.2 1434: 376 0
    2003-05-08-09:58:38.0807 udp(17) S 216.164.19.162 1639 192.168.169.2 1434
    2003-05-08-09:59:38.0813 udp(17) E 216.164.19.162 1639 192.168.169.2 1434: 376 0
    2003-05-08-17:15:24.0072 udp(17) S 66.28.200.226 6745 192.168.169.2 1434
    2003-05-08-17:16:24.0083 udp(17) E 66.28.200.226 6745 192.168.169.2 1434: 376 0

  • Signature (content bytes shown without Snort's
    |...| hex delimiters):
  • alert udp any any -> 192.168.169.2/32 1434 (msg:
    "Honeycomb Thu May 8 09h58m38 2003"; content:
    "04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
    01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
    01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
    01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
    01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
    01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
    01 DC C9 B0BEB 0E 01 01 01 01 01 01
    01pAEB01pAEB90 90 90 90 90 90 90 90hDC
    C9 B0BB8 01 01 01 011C9 B1 18PE2 FD501 01
    01 05P89E5Qh.dllhel32hkernQhounthickChGetTfB9
    llQh32.dhws2 fB9etQhsockfB9toQhsendBE 18 10
    AEB8DED4PFF 16P8DEE0P8DEF0PFF
    16PBE 10 10 AEB8B 1E 8B 03U8B ECQt05 BE
    1C 10 AEBFF 16 FF D01C9QQP81 F1 03 01 04 9B
    81 F1 01 01 01 01Q8DECCP8BEC0PFF
    16j11j02j02 FF D0P8DEC4P8BEC0PFF
    16 89 C6 09 DB 81 F3ltaD9 FF 8BEB4 8D 0C_at_8D
    14 88 C1 E2 04 01 C2 C1 E2 08)C2 8D 04 90 01 D8
    89EB4j10 8DEB0P1C9Qf81
    F1x01Q8DE03P8BEACPFF D6 EB" )
  • Full worm detected
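
Added example (mine, not from the slides or from honeyd): a parser for honeyd connection-log lines of the shape shown above, pairing S and E records into connections and deriving the per-port counts behind the statistics slides. The log-line shape is taken from the slide; tolerating extra trailing fields is an assumption. The sample log repeats the three Slammer hits from the slide and adds one constructed TCP connection to the fake web server.

```python
# Added example, not from the slides or honeyd: parse honeyd connection
# log lines and derive per-port statistics.
import re
from collections import Counter

# Line shape as seen on the slide:
#   <ts> <proto>(<num>) S|E <src> <sport> <dst> <dport>
# and, on E lines, a trailing ": <bytes received> <bytes sent>".
# Anything after that is ignored (assumption: honeyd may append more).
HONEYD_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>[a-z]+)\((?P<pnum>\d+)\)\s+(?P<ev>[SE])\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)"
    r"(?::\s*(?P<rx>\d+)\s+(?P<tx>\d+))?"
)

SLAMMER_LEN = 376   # Slammer is a single 376-byte UDP datagram to port 1434


def parse_honeyd_log(text: str) -> dict:
    """Pair S and E lines into connections keyed by the 5-tuple
    (proto, src, sport, dst, dport). Values hold start/end timestamps and
    the byte counts, which are only known once the E line is seen."""
    conns = {}
    for raw in text.splitlines():
        m = HONEYD_LINE.match(raw.strip())
        if not m:
            continue                      # skip blank or unknown lines
        key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        c = conns.setdefault(key, {"start": None, "end": None, "rx": None, "tx": None})
        if m["ev"] == "S":
            c["start"] = m["ts"]
        else:
            c["end"] = m["ts"]
            c["rx"] = int(m["rx"]) if m["rx"] is not None else None
            c["tx"] = int(m["tx"]) if m["tx"] is not None else None
    return conns


def connections_per_port(conns: dict) -> Counter:
    """Counts by (proto, dport): the breakdown behind the pie charts."""
    return Counter((k[0], k[4]) for k in conns)


def slammer_candidates(conns: dict) -> list:
    """UDP/1434 connections that delivered exactly one Slammer-sized datagram."""
    return sorted(k for k, c in conns.items()
                  if k[0] == "udp" and k[4] == 1434 and c["rx"] == SLAMMER_LEN)


# Sample log: the three Slammer hits from the slide plus one constructed
# TCP connection (source port and byte counts invented) to the fake web server.
SAMPLE_LOG = """\
2003-05-08-02:26:43.0385 udp(17) S 81.89.64.111 2943 192.168.169.2 1434
2003-05-08-02:27:43.0404 udp(17) E 81.89.64.111 2943 192.168.169.2 1434: 376 0
2003-05-08-09:58:38.0807 udp(17) S 216.164.19.162 1639 192.168.169.2 1434
2003-05-08-09:59:38.0813 udp(17) E 216.164.19.162 1639 192.168.169.2 1434: 376 0
2003-05-08-17:15:24.0072 udp(17) S 66.28.200.226 6745 192.168.169.2 1434
2003-05-08-17:16:24.0083 udp(17) E 66.28.200.226 6745 192.168.169.2 1434: 376 0
2003-05-08-07:27:33.0000 tcp(6) S 80.4.218.53 3412 192.168.169.2 80
2003-05-08-07:27:34.0000 tcp(6) E 80.4.218.53 3412 192.168.169.2 80: 71 0
"""

if __name__ == "__main__":
    conns = parse_honeyd_log(SAMPLE_LOG)
    print(connections_per_port(conns))
    print(slammer_candidates(conns))
```

The byte count on the E line is the cheap sanity check: a Honeycomb rule for 1434/UDP is only plausible Slammer if the flows it was built from each carried the worm's fixed 376-byte payload.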

25
Signatures created: CodeRedII
  • 80/TCP worm, Microsoft IIS buffer overflow
  • Hit more than a dozen times
  • alert tcp 80.0.0.0/8 any -> 192.168.169.2/32 80
    (msg:"Honeycomb Tue May 6 11h55m20 2003";
    flags:A; flow:established; content:"GET
    /default.ida?XXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780
    1%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
    %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    HTTP/1.0|0D 0A|Content-type: text/xml|0A|Content-l
    ength: 3379 |0D 0A 0D 0A C8 C8 01 00|E8 03 00
    00 00 CC EB FEdgFF600 00dg8900 00 E8 DF
    02 00 00h04 01 00 00 8D 85\FE FF FFPFFU9C
    8D 85\FE FF FFPFFU98 8B_at_10 8B 08 89
    8DXFE FF FF FFUE404 04 00 00 0F 94 C104
    08 00 00 0F 94 C5 0A CD 0F B6 C9 89 8DTFE FF FF
    8Bu08 8109A 02 00 00 0F 84 C4 00 00 00
    C7F09A 02 00 00 E8 0A 00 00 00CodeRedII00 8B
    1CFFUD8f0B C0 0F 95 858FE FF FF C7
    85PFE FF FF 01 00 00 00j00 8D 85PFE FF
    FFP8D 858FE FF FFP8BE08 FFp08 FF 90 84
    00 00 00 80 BD8FE FF FF 01thSFFUD4 FFUEC
    01E84iBDTFE FF FF,01 00 00 81 C7,01 00
    00 E8 D2 04 00 00 F7 D0 0F AF C7
    89F48DE88Pj00 FFu08 E8 05 00 00 00 E9 01
    FF FF FFj00j00 FFUF0PFFUD0OuD2
    E805 00 00iBDTFE FF FF 00\05 81 C7
    00\05WFFUE8j00j16 FFU8CjFF FFUE8
    EB F9 8BF4)E84jdFFUE8 8D 85ltFE FF
    FFPFFUC0 0F B7 85ltFE FF FF88 88 00
    00sCF 0F B7 85gtFE FF FF 83 F8 0AsC3fC7
    85pFF FF FF 02 00fC7 85rFF FF
  • Full worm captured thanks to vertical detection:
    the server replies before all packets have been
    seen, so the request spans several messages!

26
Signatures detected: others
  • alert tcp 64.201.104.2/32 any -> 192.168.169.2/32
    1080,3128,4588,6588,8080 (msg:"Honeycomb Mon May
    5 19h04m12 2003"; flags:S; flow:stateless;)
    • Port correlation folded the SYN probes to five
      proxy ports into a single rule
    • Lookup: 2.104.201.64.in-addr.arpa domain name
      pointer for.information.see.proxyprotector.com
      (the scanner identifies itself via its PTR record)
  • alert udp 81.152.239.141/32 any -> 192.168.169.2/32
    135 (msg:"Honeycomb Thu May 8 12h57m51 2003";
    content:"15 00 00 00 00 00 00 00 15 00 00 00YOUR
    EXTRA PAYCHEQUE00 E1 04x0C 00 00 00 00 00 00 00 0C
    00 00 0080.4.124.4100 01 00 00 00 00 00 0001 00 00
    Amazing Internet Product Sells Itself!0D 0AResellers
    Wanted!
    GO TO.....
    www.Now4U2.co.uk";)
    • 135/UDP lets you pop up spam^H^H^H^H Internet
      Advertisements on other Windows machines via the
      Messenger Service
  • alert tcp 80.4.218.53/32 any -> 192.168.169.2/32
    80 (msg:"Honeycomb Thu May 8 07h27m33 2003";
    flags:PA; flow:established; content:"GET
    /scripts/root.exe?/c+dir HTTP/1.0|0D 0A|Host:
    www|0D 0A|Connnection: close|0D 0A 0D|";)
    • A probe for the root.exe backdoor that CodeRedII
      leaves behind in the IIS scripts directory

30
Summary
  • System detects patterns in network traffic
  • Good at worm detection, as long as the worm is
    not polymorphic!
  • Approach still simplistic: approximate matching?
  • TODO list:
    • Reasonable setup?
    • Performance evaluation
    • Better signature reporting scheme
    • Log processing suite
    • Closer integration with honeyd

31
Thanks!
  • Shoutouts: a13x hØ 1ance
  • No machines were harmed or compromised in the
    making of this presentation.
  • honeypots@securityfocus.com
  • Questions?