[Plumbercon/Ninjacon] CSN.OR.AT Community Sense Net – Honeypot+
July 11, 2010
CSN.OR.AT Community Sense Net – Honeypot+
Since Clifford Stoll created the first honeypots in 1989 to safely investigate attacks on computer systems, honeypots have been all around. Although they have been refined and extended, fundamental problems in either attack coverage or visual representation have been plaguing those systems. CSN.OR.AT was an ISPA-funded project to address those two issues and provide the necessary information and software to build the honeypot+ discussed in this talk.
The project has since been renamed Honeypot++
Project was started and sponsored by ISPA (Internet Service Provider Austria)
The project tries to be more user-friendly and business-friendly, using open-source reporting engines to allow for more graphical representation of the information.
The infrastructure uses a VPN to communicate back from the honeypot to a central station.
100% based on open-source software
- Amun Honeypot
- Snort IDS
- Surfnet IDS
Includes an SMTP honeypot. The domain exists, but is not listed anywhere. This means that any incoming email is considered malicious. The SMTP honeypot is written in Python.
Many of the attacks seen are VERY outdated (e.g. Symantec buffer overflows). Most examples provide links to malicious websites instead of sending actual exploits through emails (which are usually filtered).
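A sketch of how an SMTP sink like the one described above could turn each received message into a report record, pulling out linked URLs and attachment MD5s. This is an added example, not CSN's code; `record_message`, the sample message, the `.example` domains and the source address are constructed for illustration.

```python
import email
import hashlib
import re
from email import policy

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: the kind of message a sink for an unlisted domain receives.
SAMPLE = (
    b"From: billing@example.net\r\n"
    b"To: anyone@trap.example\r\n"
    b"Subject: Invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b'<a href="http://bad.example/pay?id=1">Open invoice</a>\r\n'
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVqQAAMAAAA=\r\n"
    b"--b1--\r\n"
)

def record_message(peer_ip, raw):
    """Build an indicator record for one message. Nothing is filtered:
    the domain is unlisted, so every message counts as hostile."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, hashes = set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        if part.get_content_disposition() == "attachment":
            # Hash only; the attachment is never written out or executed.
            hashes.append((part.get_filename(), hashlib.md5(payload).hexdigest()))
        elif part.get_content_maintype() == "text":
            # URLs are ASCII, so a lossy decode is enough to find them.
            urls.update(URL_RE.findall(payload.decode("utf-8", "replace")))
    return {"source_ip": peer_ip, "subject": str(msg.get("Subject", "")),
            "urls": sorted(urls), "attachment_md5": hashes}
```

The MD5 values are what a lookup such as the search service described further down would be keyed on.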
Most attacks originate from :
Statistically, the top 3 attacks seen are :
Most exploits are for DCOM/LSASS/ASN.1 failures in Windows systems. Most of these flaws have been patched by Microsoft for years, but are still being exploited.
Statistics and top lists are provided in XML format from the homepage.
Malware samples are available on request, for research purposes
Newly added service
Provides a search by IP or MD5… more searches coming
- MD5 of malware sample checks against the CSN database of seen malware
- IP search provides a check if attacks against the honeypot have been seen from this address
- More sensors
- Integration of high interaction honeypots
- Install a sensor, get the reports for free –> take part in the project
- Possible interaction with DShield
Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/57
Twitter – Florian Eichelberger –> http://twitter.com/florensik
Community Sense Net –> http://csn.or.at
Community Sense Net Search –> http://search.csn.or.at
Eurotrash MicroTRASH interview –> MP3
Amun Honeypot project –> http://amunhoney.sourceforge.net/
SURFids –> http://ids.surfnet.nl