The Philippine Honeynet Project
Status Report for the months of September and October 2005

1.0 DEPLOYMENTS
===============

1.1 Current technologies deployed. Please include diagrams, so others could replicate your methods. If this has not changed since the last report, please link to the information so readers can reference (and learn from it).

Our main honeynet deployment is primarily based on Honeywall ROO technology. Details can be viewed at the following URL:

http://www.philippinehoneynet.org/aboutus.php

We also have several "test" honeypots connected using business DSL connections. These are primarily Windows-based honeypots with Snort set up in packet capture mode.

1.2 Lessons learned from the technology, what you like about it.

Honeynets based on Honeywall ROO technology are very convenient and very easy to deploy. This makes it very good for people who want to focus on information gathering, collection and analysis rather than on the technology. It also seems to be the safest and most low-maintenance method, because the people who built it already had in mind the requirements and standards of data capture and data control.

In fact, some guys from Viet Nam contacted us a month ago asking for help in setting up a honeynet for their organization. We just pointed them in the right direction (and to ROO), as the Honeynet Project and the French Honeynet Project did for us when we started. Now they have deployed a honeynet and are using it for research.

1.3 Lessons learned from the technology, what is lacking, what you would like to see improved.

Installing and deploying ROO takes very little effort and little prior knowledge of honeypot deployments and technologies. The downside that I see in this is that people using this pre-packaged deployment would tend to miss out on the real joy of tinkering with and dissecting the individual technologies that make up the honeynet, and how they are used in conjunction with each other.
In my opinion, for newbies, it does stifle a bit of creativity in those who would have benefited from studying the basics, or those who want to explore options other than the predefined setup. This is the reason why we also opted to set up other honeypots that do not use Honeywall technology.

2.0 FINDINGS
============

2.1 Number and type of systems compromised during six month period.

We had 1 major compromise, a number of worm and virus infections and several warez intrusion activities in the past 2 months, all on our Windows 2000 Server honeypot.

2.2 Highlight any unique findings, attacks, tools, or methods.

No unique findings, so these are just basic observations:

* A compromise by an attacker who used the WINS buffer overflow vulnerability to break into our Windows 2000 Server honeypot. As of this writing, all the attacker did was explore the directory structure of our honeypot. We are monitoring for further activity.
* Warez activity has been increasing as of late, particularly the use of Grim's Ping to scan for writable anonymous FTP sites.
* Welchia / Nachi activity has been the most predominant intrusion activity as of late.

2.3 Any trends seen in the past six months;

We are officially only 2 months old, so there are no indicative trends yet. But we did notice an increase in Welchia / Nachi worm activity in the past few weeks. I believe this peculiarity has also been observed in the Singapore Honeynet Project data.

2.4 Document data analysis tools and methods being used.

Aside from Walleye in our main honeynet, we are using MySQL, MySQL Query Browser, Ethereal and our own intrusion reporting tool (unnamed yet) developed in-house by the Philippine Honeynet Project.

2.5 For data analysis what tools work well, and what still needs to be developed.

We prefer working directly in MySQL to mine data. Unfortunately, we find the new MySQL Query Browser's interface very clunky.
In fact, the old MySQL Control Center, if it were not limited to a 1000-row view, would have been much better suited to our use. Ethereal, as always, works quite well, but it is very hard to use for long-term trend analysis. Since we use mostly Windows machines, we decided to develop our own (still unnamed) graphical intrusion reporting tool, because we were having a hard time installing ACID and other graphically oriented tools on Windows. We are continuing development of this tool.

3.0 MISC ACTIVITIES
===================

3.1 Presenting at conferences

We have been invited to present our findings by the OWASP Manila Chapter (http://www.owasp.org/local/manila.html). We will be presenting at their 2nd official meeting.

3.2 Developing, testing or releasing code

We are currently developing a Snort / PHP / MySQL based daily intrusion reporting tool. The tool generates daily graphs and reports based on Snort intrusion events. It helps us detect, trace and sift through the relatively large amount of logs every day. The premise here, at least for us, is that intrusions are better detected and traced by proper chart analysis and interpretation. The tool, used in our Honeynet Activity Monitor and as yet unnamed, generates our website and its data section. To see the output, please visit our website:

http://www.philippinehoneynet.org
http://www.philippinehoneynet.org/data.php

Snort has expressed interest in including it on their website together with other Snort-related projects (http://www.snort.org/community/snort_projects.html). On the downside, we are using a 3rd-party graphics engine for which you need a license in order to use it without banner ads. But it does look pretty and we believe it is quite useful.

3.3 Publication of papers

We have one paper which has been conditionally accepted by the AACE (Association for the Advancement of Computing in Education).
The paper is called "Honeynet Learning" and is primarily focused on the use of honeynets / honeypots in IT security education. An anonymized draft can be found here:

http://www.philippinehoneynet.org/docs/honeynetlearning_anonymize.doc

3.4 Involvement in SotM challenges.

No involvement yet.

3.5 Other

Nothing more.

4.0 ORGANIZATIONAL
==================

4.1 Changes in your structure of your organization.

There has been no change in our organization.

5.0 LESSONS LEARNED
===================

5.1 What positive things can you share with the community, so they can replicate your success.

I can't point to any "success" of ours to replicate, since our organization is still quite young, but we can definitely share our experiences on how we began this endeavor. As I've said earlier, we were able to help an organization in Viet Nam set up their honeynet. Since our "beginnings" are still fresh to us, we can relate to their experience, and especially to the problems they are bound to encounter through inexperience, because we have only just been experiencing them ourselves. We can also share our intrusion reporting tool once it is ready, as well as our "Honeynet Learning" paper once it is finalized.

5.2 What mistakes can you share with the community, so they don't make the same mistakes.

Here are some words of "wisdom"(?) from us:

* Worm and virus infections can bloat your logs and cause a myriad of storage-related problems.
* Don't underestimate the daily work involved in data analysis.
* Since you'll probably be using old machines, never trust the machine. Always make backups.
6.0 FUTURE GOALS
================

6.1 Plans/Goals for next six months

For the next couple of months, we hope to continue development of our intrusion reporting tool, particularly the scripts which make our polar intrusion graphs (the one which looks like a large radar on our homepage). These help us identify, trace and sift through the rather large amount of log entries, so we can concentrate on the more "interesting" threats that we can analyze manually. We shall also finalize the "Honeynet Learning" paper and share it with the group.
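The daily Snort-event summary described in sections 3.2 and 6.1 is not shown on this page; the following is an added example (not the project's PHP/MySQL tool) of the core of such a report in Python, run over constructed Snort fast-format alert lines: per-day counts per signature, worm-style noise (one signature from several sources dominating the day, as with Welchia/Nachi) separated from rare high-priority alerts worth manual analysis. The sids, signature names, addresses and the noise_share threshold are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed Snort fast-format alert lines; sids, names and addresses are made up.
SAMPLE_ALERTS = """\
10/03-02:11:09.120000  [**] [1:1000001:1] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.10
10/03-02:11:10.300000  [**] [1:1000001:1] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.6 -> 192.0.2.10
10/03-02:11:12.870000  [**] [1:1000001:1] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
10/03-04:40:51.002000  [**] [1:1000002:2] NETBIOS WINS overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:3371 -> 192.0.2.10:42
10/04-01:02:03.000000  [**] [1:1000001:1] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.8 -> 192.0.2.10
10/04-13:15:00.500000  [**] [1:1000003:1] FTP anonymous login attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.20:2211 -> 192.0.2.10:21
"""

# Fields of one fast-format line: date, gid:sid:rev, message, priority, protocol, src -> dst.
FAST_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-[\d:.]+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$")

def parse_alerts(text):
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["prio"] = int(ev["prio"])
            events.append(ev)
    return events

def daily_summary(events, noise_share=0.5):
    """Per day: counts per signature, worm-style noise (one signature from several
    sources making up >= noise_share of the day) and rare high-priority signatures."""
    by_day = defaultdict(list)
    for ev in events:
        by_day[ev["mon"] + "/" + ev["day"]].append(ev)
    report = {}
    for day, evs in sorted(by_day.items()):
        counts = Counter(ev["msg"] for ev in evs)
        sources = defaultdict(set)
        for ev in evs:
            sources[ev["msg"]].add(ev["src"])
        noise = [msg for msg, n in counts.items()
                 if n / len(evs) >= noise_share and len(sources[msg]) > 1]
        review = sorted({ev["msg"] for ev in evs
                         if ev["prio"] <= 2 and counts[ev["msg"]] <= 3})
        report[day] = {"total": len(evs), "counts": dict(counts),
                       "noise": noise, "review": review}
    return report
```

Feeding the per-day "counts" into a charting step gives the kind of daily graph the report describes, while "noise" and "review" are the two lists that decide what is skimmed and what is analyzed by hand.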