Hi Reena,
Are you looking for a development project (e.g. creating/deploying
honeypots, etc.) or an analysis project (e.g. collecting and analysing data
from a honeypot), or some combination thereof?
:-)
> -----Original Message-----
> From: Reena Pau [mailto:rp302_at_ecs.soton.ac.uk]
> Sent: 13 May 2004 13:49
> To: Dan Hawrylkiw; 'dcneting'; focus-virus_at_securityfocus.com;
> honeypots_at_securityfocus.com
> Subject: Final Year Project Ideas
>
>
> Hi,
> I am currently at Southampton Uni, UK. I have just completed my second
> year research project on honeypots and how they are contributing to the
> fight against cyber crime. I would like to develop this project a lot
> further in the third year for my final year project! I am however stuck
> for ideas..... I have got unlimited uni resources (the ECS department is
> amazing here at Southampton Uni)..... so it's just a case of getting
> ideas. I am particularly interested in the psychology of hacking...etc
>
> Lance, I don't know if this e-mail is too 'basic' or inappropriate for
> the forum!
>
> ANY ideas would be fab!!!
> Regards
> Reena
>
> ----- Original Message -----
> From: "Dan Hawrylkiw" <idontcheckthisaccount_at_panira.net>
> To: "'dcneting'" <ansiry_at_tm.net.my>; <focus-virus_at_securityfocus.com>;
> <honeypots_at_securityfocus.com>
> Sent: Thursday, May 13, 2004 8:28 AM
> Subject: RE: any other tool to detect worm?
>
>
> >
> > The most appropriate answer to your questions depends on 1.) what
> > information you want, 2.) how much you're willing to configure
> > (preparation), and 3.) the amount of analysis you're willing to put
> > into it (sustaining).
> >
> > For myself:
> > 1.) When a new worm hits, I want to know how it gets into the victim,
> > what it does to the victim, and how it scans/propagates. I also want
> > network traces and code samples. Oh yeah- I also want to be notified
> > within a couple minutes after this happens. :)
> > 2.) I'm willing to do pre-work if it reduces the day-to-day analysis
> > required.
> > 3.) I do everything possible to avoid having to review the same old
> > boring noise (scans, probes, and failed exploit attempts) on a daily
> > basis.
> >
> > I'll spare the list from one of my diatribes on signature-based IDSes
> > and worms. By itself, signature-based NIDS is hit-and-(usually)-miss
> > against new worms. On a typical network, you *can* increase your
> > ability to pick up anomalous traffic, but the cost is a substantial
> > increase in alerts that must be reviewed.
> >
> > If NIDS is used to monitor a honeypot, several new options open up.
> > It isn't too difficult to filter out the everyday noise and capture
> > everything else. I monitor my honeypots with Snort, but I create pass
> > rules for everything I don't care about- including scans against
> > closed ports, old worm attacks that the honeypot isn't vulnerable to,
> > and script kiddie noise. Everything that isn't filtered will either be
> > picked up in the current ruleset or the catchall rules I've
> > configured. Basically, my honeypots are monitored by an 'inverse' NIDS
> > that alerts on everything except scans and well-known attacks.
> >
> > As far as honeypots designed to detect or capture new worms, there's
> > only one way to go, and that's high-interaction. The only way to
> > emulate an OS's response to an unknown attack is to, --well--, use
> > *the* OS! I prefer to run vulnerable machines in VMware and have the
> > host OS perform additional monitoring. For worm-detecting honeypots,
> > I typically set up Windows 2000 machines and leave them several months
> > behind on patches. If you're interested in capturing attacks against
> > a specific critical update, make sure the honeypot is patched against
> > everything but that update. I usually enable auditing on the honeypot
> > and configure the host OS to capture all packets sent to/from the
> > guest OS. I run scripts that parse the monitored traffic and trigger
> > when the guest OS starts talking on the network. (You probably won't
> > want to trigger on reset packets, ICMP errors/replies, and responses
> > to simple probes.) After the monitoring script triggers, it shuts
> > down VMware, pages me with the last 2-3 packets, and shuts down the
> > host OS.
> >
> > Yeah, sure, you can do inline filtering, use HIDS, run Tripwire, etc,
> > etc. The point is that NIDS and honeypots work well together. What I
> > mentioned above has been rather successful at detecting new worms,
> > and rarely falls prey to hackers playing with the 'latest sploits'
> > before a worm is released.
> >
> > /Dan Hawrylkiw, CISSP, GCIA, RHCE
> > Phoenix Area Network Intrusion Research Alliance
> >
> > "to have good ideas, you have to have a lot of ideas"
> > -Linus Pauling
> >
> > -----Original Message-----
> > From: dcneting [mailto:ansiry_at_tm.net.my]
> > Sent: Friday, April 30, 2004 5:20 PM
> > To: focus-virus_at_securityfocus.com; honeypots_at_securityfocus.com
> > Subject: any other tool to detect worm?
> >
> > ________________________________
> >
> > From: dcneting [mailto:ansiry_at_tm.net.my]
> > Sent: Saturday, May 01, 2004 8:18 AM
> > To: 'focus-virus_at_securityfocus.com'
> > Subject: any other tool to detect worm?
> >
> >
> > is there any tools that i can use to just detect worm-like activity
> > besides that using honeyd? if there is, how can i use it to detect
> > worms(known and
> > unknown) preferably open source platform.
> >
>
> ---
> Incoming mail checked for known viruses
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.680 / Virus Database: 442 - Release Date: 09/05/04
>
>
The information contained in this e-mail is confidential and may be privileged, it is intended for the addressee only. If you have received this e-mail in error please delete it from your system. The statements and opinions expressed in this message are those of the author and do not necessarily reflect those of the company. Whilst Joplings Group operates an e-mail anti-virus program it does not accept responsibility for any damage whatsoever that is caused by viruses being passed.
joplings.co.uk
Received on Sat May 15 2004 - 22:41:39 PDT
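The host-side trigger script that Dan Hawrylkiw describes in the quoted message (alert when the guest starts talking on the network, but not on reset packets, ICMP errors/replies, or responses to simple probes), as an added example written for this page; it is not code from any participant in the thread. Rather than read a pcap it models each captured packet as a Python record, so it runs offline; the honeypot address 10.0.0.50, the remote hosts, the port numbers and the whole SAMPLE_TRAFFIC list are constructed sample data. In Dan's setup the noise suppression is done with Snort pass rules; here the equivalent whitelist is the `_is_provoked` check, and everything the guest sends that is not provoked by an outsider trips the trigger.

```python
"""Outbound-initiation trigger for a high-interaction honeypot guest.

Added example, not code from the mailing-list thread. Packets are plain
records instead of a pcap so the script runs offline; every address and
port below is constructed sample data.
"""
from collections import deque, namedtuple

# One captured packet as the host OS sees it on the guest's virtual NIC.
# flags: TCP flag letters ("S", "SA", "R", "PA", ...), "" for non-TCP.
# icmp_type: ICMP type number, or None for non-ICMP.
Packet = namedtuple("Packet", "ts src dst proto sport dport flags icmp_type")

ICMP_ECHO_REPLY = 0
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # unreachable, quench, redirect, ttl exceeded, param problem


class OutboundTrigger:
    """Fire when the guest *initiates* traffic; ignore replies it was provoked into.

    The 'inverse NIDS' idea: whitelist the boring, provoked behaviour
    (RST to a closed-port probe, ICMP replies/errors, answers on a flow an
    outsider opened) and alert on anything else the guest sends.
    """

    def __init__(self, honeypot_ip, history=3):
        self.honeypot_ip = honeypot_ip
        # Flows opened by outsiders: (proto, remote_ip, remote_port, local_port)
        self.inbound_flows = set()
        self.recent = deque(maxlen=history)  # the last few packets, for the page
        self.alerts = []

    def feed(self, pkt):
        """Process one packet; return an alert dict if it trips the trigger, else None."""
        self.recent.append(pkt)
        if pkt.dst == self.honeypot_ip:
            # Inbound packet: remember the flow so the guest's answers are discounted.
            if pkt.proto in ("tcp", "udp"):
                self.inbound_flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dport))
            return None
        if pkt.src != self.honeypot_ip or self._is_provoked(pkt):
            return None
        alert = {"ts": pkt.ts, "packet": pkt, "recent": list(self.recent)}
        self.alerts.append(alert)
        return alert

    def _is_provoked(self, pkt):
        """True for guest-sent packets that are merely responses to outside stimulus."""
        if pkt.proto == "tcp" and "R" in pkt.flags:
            return True  # RST answering a probe of a closed port
        if pkt.proto == "icmp" and (pkt.icmp_type == ICMP_ECHO_REPLY
                                    or pkt.icmp_type in ICMP_ERROR_TYPES):
            return True  # echo reply or ICMP error, never a new conversation
        if pkt.proto in ("tcp", "udp"):
            # A reply on a flow an outsider opened: the remote is now dst/dport,
            # and the guest's local port is sport.
            return (pkt.proto, pkt.dst, pkt.dport, pkt.sport) in self.inbound_flows
        return False  # anything else (e.g. an outbound echo request) is the guest talking


# Constructed sample data (documentation-range addresses, made-up ports).
HP = "10.0.0.50"           # assumed honeypot guest address
ATTACKER = "203.0.113.9"
SCANNER = "198.51.100.3"
VICTIM = "10.0.0.77"

SAMPLE_TRAFFIC = [
    Packet(1.00, SCANNER, HP, "tcp", 5555, 1433, "S", None),   # probe of a closed port
    Packet(1.01, HP, SCANNER, "tcp", 1433, 5555, "R", None),   # guest answers RST: noise
    Packet(2.00, SCANNER, HP, "icmp", None, None, "", 8),      # echo request
    Packet(2.01, HP, SCANNER, "icmp", None, None, "", 0),      # echo reply: noise
    Packet(3.00, ATTACKER, HP, "tcp", 40001, 445, "S", None),  # attacker opens a session
    Packet(3.01, HP, ATTACKER, "tcp", 445, 40001, "SA", None), # handshake reply: noise
    Packet(3.50, ATTACKER, HP, "tcp", 40001, 445, "PA", None), # payload delivered
    Packet(4.00, HP, VICTIM, "tcp", 1030, 135, "S", None),     # guest starts scanning: trigger
    Packet(4.10, HP, VICTIM, "tcp", 1031, 135, "S", None),     # never seen: capture already stopped
]


def run_sample(traffic=SAMPLE_TRAFFIC):
    """Feed packets until the first alert, as a script that then halts VMware would."""
    monitor = OutboundTrigger(HP)
    for pkt in traffic:
        if monitor.feed(pkt) is not None:
            break
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("TRIGGER at t=%.2f: %s:%s -> %s:%s" % (
            alert["ts"], alert["packet"].src, alert["packet"].sport,
            alert["packet"].dst, alert["packet"].dport))
        for p in alert["recent"]:
            print("  last packets:", p)
```

Two points worth noting. First, a connection back to the attacker on a different port (the guest fetching a file over UDP/69 after the exploit, say) is not on any outsider-opened flow, so it trips the trigger just as a scan of a third host does; only answers on the exact flow the outsider opened are whitelisted. Second, the shutdown of the guest and the paging step from Dan's description are deliberately left as the caller's job (`run_sample` simply stops feeding packets), since how you stop the VM and reach the operator is site-specific.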