Honeypots mailing list archives

Re: Help... Distributed Honeynets


From: victor calzado <vcalzado () gmail com>
Date: Mon, 31 Jan 2005 18:26:25 +0100

Hi David,
On Fri, 28 Jan 2005 19:06:14 -0600, David Jiménez Domínguez
<djdsecurity () gmail com> wrote:
> Hi list...
>
> I'm thinking about the development of a distributed honeynet
> infrastructure in a university. It has affiliates who would develop
> their own honeynet around the country.... I would like to watch all
> the traffic of these honeynets in a central location in almost real
> time.
> What kind of tools, technology, or ideas would you recommend to
> me??


What kind of honeypots do you need to deploy?

If you are only interested in logging in a low interaction environment
perhaps remote syslog could be perfect for you at least in the first
stages of the development. Connections will be logged in a remote
syslog where alerts could be generated.

Honeyd scripts could be easily modified to send alerts to syslog
logging with the Net::Syslog Perl extension so you could even log script
information.

syslog-ng, msyslog or any other modification of syslog could be
used to improve performance and to add additional functionalities such
as database logging.

IPSEC tunneling or a simple ssh port forwarding could be used to
protect data from tampering with almost no extra work.



The distributed network will work as a distributed passive sensor
network in "real time". This could be very useful against distributed
denial of service, worms, spammer activities or even when someone is
very interested in breaking through a really big network.

Latency and performance should be pretty similar to a general purpose
remote syslog server so it probably won't be an issue.

After using the "network" for a month you will probably have enough data to
test the remote syslog solution's performance and you will be able to tune
logging facilities in the systems. You will also get a high amount of
data to test the ability of your log analyzer to correlate patterns so
DDoS attacks or worms and spammer activities could be easily
detected.

It's very easy to think of more complex deployments of honeypot
sensors, and better logging systems could be implemented, but I think
the real "work" will start in the log host that should be able to
correlate logs from all the network sensors so you get not only a
centralized logging and filtering system but a real distributed
sensor engine.

Log correlation is a critical issue in Intrusion Detection on a single
host system so getting distributed correlation doesn't seem an easy
task but I'm sure there's a lot of information and GPL software that
could do the work at least in the first stages of the deployment.


I'm thinking of low interaction honeypots because high interaction
systems seem useless in distributed networks, but it's only a
personal opinion.
If you want to use Honeywall and Sebek in high interaction honeypots
you will get a lot of problems, even bandwidth problems, and the high
amount of data collected probably couldn't be used in a Distributed
Sensors and Central Log Host scenario.


> Where can I find documentation about it??

You could get information about secure and centralized syslog systems here:

http://www.securityfocus.com/infocus/1613


If you want a more complex approach maybe you'll find code and ideas in
the snortnet project.
Anyway keep in mind that IDS are a kind of "active sensor" and have
to deal with a higher network traffic volume than a "passive sensor"
like honeynet based sensors and maybe the remote syslog solution will
work fine for you.

I don't know if the snortnet project is still active but you could find
useful information here:
http://www.netsys.com/library/papers/snortnet.pdf

> What kind of latency problems might exist??
>
> Regards

Regards,
Victor

PS: Let me know if you need/want any help


> Kind
>
> David Jiménez Domínguez
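The central log host that Victor describes above (each sensor ships honeyd connection records over remote syslog, and the collector correlates them across sensors to spot distributed scans, worms or spam runs), as an added example that is not code from this thread, from honeyd or from any syslog implementation. It parses RFC 3164-style lines as a Net::Syslog-based honeyd script might emit them and flags sources seen on several sensors inside a time window. The `conn src=... dport=... proto=...` message body, the sensor names, the addresses and the year used to complete the syslog timestamps are all constructed assumptions of this example.

```python
"""Collector-side correlation of remote-syslog lines from distributed
honeypot sensors. Added example, not code from the list thread; the
message body layout, sensor names and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of what several sensors might forward to the log host.
# RFC 3164 has no year in the timestamp, so parse_syslog() takes one.
SAMPLE_LOG = """\
<13>Jan 31 18:20:01 sensor-madrid honeyd: conn src=198.51.100.7 dport=445 proto=tcp
<13>Jan 31 18:20:03 sensor-bilbao honeyd: conn src=198.51.100.7 dport=445 proto=tcp
<13>Jan 31 18:20:04 sensor-sevilla honeyd: conn src=198.51.100.7 dport=445 proto=tcp
<13>Jan 31 18:20:09 sensor-madrid honeyd: conn src=203.0.113.9 dport=25 proto=tcp
<13>Jan 31 18:21:30 sensor-madrid honeyd: conn src=203.0.113.9 dport=25 proto=tcp
<13>Jan 31 18:40:00 sensor-bilbao honeyd: conn src=203.0.113.9 dport=25 proto=tcp
<13>Jan 31 18:20:11 sensor-madrid honeyd: conn src=192.0.2.44 dport=22 proto=tcp
"""

# "<PRI>Mon DD HH:MM:SS host tag: message"; the message grammar is ours.
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:]+): conn src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+)$"
)


def parse_syslog(text, year=2005):
    """Turn raw syslog text into event dicts; lines that are not honeyd
    connection records (the collector sees ordinary syslog too) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "sensor": m["host"], "src": m["src"],
                       "dport": int(m["dport"]), "proto": m["proto"]})
    return events


def correlate(events, min_sensors=3, window_s=600):
    """Flag a source address that touched at least min_sensors distinct
    sensors within window_s seconds: one host hitting sensors spread around
    the country is the distributed-scan/worm pattern a single sensor cannot
    see. Returns {src: sorted list of sensors that saw it}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            # slide the window start forward until it spans <= window_s
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            sensors = {e["sensor"] for e in evs[lo:hi + 1]}
            if len(sensors) >= min_sensors:
                alerts[src] = sorted(sensors)
    return alerts


def port_spread(events):
    """How many distinct sensors saw traffic to each destination port; a
    port lighting up on most sensors at once is the worm/DDoS signal."""
    spread = defaultdict(set)
    for e in events:
        spread[e["dport"]].add(e["sensor"])
    return {port: len(sensors) for port, sensors in spread.items()}


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    for src, sensors in correlate(evs).items():
        print(f"ALERT {src} seen on {len(sensors)} sensors: {', '.join(sensors)}")
    print("sensors per port:", port_spread(evs))
```

Only the correlation is shown; in the deployment Victor sketches, the same log host would also receive the lines over the IPsec or ssh-forwarded channel he mentions and feed them to a database via syslog-ng, which is where tuning the window and the sensor threshold against a month of real data would happen.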