Sebek On Windows (XP SP3) Install and Configure

Honeywall roo


Load the WinXP guest OS


Turn off Windows firewall


Sebek Testing 1: using BackTrack


Sebek Testing 2: using BackTrack


Trainees: observe the records generated by Walleye


Offline PCAP Analysis Using Sebek Tools and Honeysnap


Sebek Tools

• Two sets of sample incident data (and your own data from your class honeynets):

– 1 from Mexican honeypot (192.168.100.28): example.pcap.gz

– 1 from UK honeypot (82.68.40.145): 20040319/*.gz


• gunzip honeynet/20040319.gz

• ls -l honeynet/20040319

• more honeynet/20040319/snort_fast


• sbk_extract -f honeynet/20040319/snort.log.1079654706 | sbk_ks_log.pl | more


• sbk_extract -f honeynet/20040319/snort.log.1079654706 | sbk_ks_log.pl | grep bash | more


Honeysnap

• Command-line tool for parsing single or multiple pcap data files

• Outputs a 'first-cut' analysis report to identify potentially significant events

• Typically run off-line in batch mode, perhaps as a nightly email report

• Just need to provide it with the IP address of the honeypot / node of interest


Honeysnap (Cont.)

• Packet and connection overview

• Simple flow extraction (ASCII based)

• Common protocol decoding

• Binary file transfer extraction

• Flow summary of in/outbound connections

• Keystroke extraction of Sebek v2/v3 data

• Identification and analysis of IRC traffic, including keyword matching


Using Honeysnap

• honeysnap -h


• honeysnap -H 192.168.100.28 honeynet/example.pcap


• honeysnap -H 192.168.100.28 --option1 --option2 honeynet/example.pcap


The connection contents of several protocols can be observed (ftp, http, irc and DNS)

Honeysnap Install in Honeywall

• https://projects.honeynet.org/honeysnap/wiki/WikiStart

• Install pypcap: rpm -ivh pcap-1.1-1.i386.rpm

• Install honeysnap:

– $ tar xvzf honeysnap-1.0.6

– $ cd honeysnap-1.0.6

– $ sudo python setup.py install


Honeysnap Instructions:

• Parse a Honeywall pcap capture:

– honeysnap -c honeynet.cfg example.pcap

• Basic information:

– honeysnap -H 192.168.100.28 example.pcap

• Parse a specific protocol and write the data to a file:

– honeysnap -H 192.168.100.28 --do-http -f /home/roo/analysis/results.txt example.pcap

• Full analysis, producing a report:

– honeysnap -H 192.168.100.28 --do-outgoing --do-irc --do-ftp --do-sebek --do-http -o /home/roo/analysis -f /home/roo/analysis/results.txt example.pcap


Q & A
