Presentation is loading. Please wait.

Presentation is loading. Please wait.

Honey Inspector Mike Clark Honeynet Project. Honeynet Inspector  Background.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Honey Inspector Mike Clark Honeynet Project. Honeynet Inspector  Background."— Presentation transcript:

1 Honey Inspector Mike Clark Honeynet Project

2 Honeynet Inspector  Background

3 What is it?  Set of Perl CGI Scripts  Firewall/IDS Logs  MySQL IDS

4 How it Works  Fisq script imports firewall logs  IDS(Snort) logs to the DB  IDS(Snort) also records traffic in pcap format  Inspector drills down using all of these

5 Inspector High Level  Shows connections and drill down options  4 methods of alerting  Packet Count  Connection size (byte)  IDS(Snort) alerts  Inbound/Outbound

6 Drilling Down  Connection View  Arin/whois/dig lookup  Snort alerts  p0f  Plugins

7 Plugins  Honey Extractor  IRC View

8 Advantages  Quick  Easily extendable  High chance of detecting activity  Web based

9 Disadvantages  Not scalable  Not very nice looking

10 Future  Perl module  Nicer interface  Graphing  Customizable Report Engine

11 Questions?

12 Enterprise Security Console Jeff Dell Activeworx, Inc.

13 Speaker  Jeff Dell, Florida Honeynet Project  Florida Honeynet: Responsible Network Forensics  Honeynet Alliance: Central Database

14 Problem  How do we look at different datasets from different data sources and correlate the information?

15 1 st Problem The Data

16 FW Logs

17 Snort Logs

18 TCPDump

19 2 nd Problem Data Sources

20 Different Data Sources DMZ TCPDump DMZ Firewalls Internal IDS DMZ Syslog Internal Syslog External IDS

21 Solution  Centralizing Honeynet Data  Enterprise Security Console to view data

22 Data Centralization Centralized Database IDS Logs Firewall Logs System Logs TCPDump Logs

23 What Next?

24 Enterprise Security Console  Advantages  Easy to View Data  Very flexible and powerful GUI  Strong Data Correlation Capabilities  Built with Honeynets in mind  Disadvantages  Windows 2000/XP Only

25 Enterprise Security Console  Console to view Databases  Fully Database Driven  Supports multiple ESC Databases  Supports multiple Data Databases

26 Types of Data  Firewall Logs  Snort IDS Logs  TCPDump Logs  Syslog  Prelude (Hybrid IDS)  Others…

27 Easy to View Data

28 Data Search Correlation  Correlate between any the following data types:

29 Data Correlation (Cont)  View Firewall Logs  Advantages  Easy  Fast  Have some interesting information  Disadvantages  Limited information

30 Data Correlation (Cont)  View IDS Logs  Advantages  More interesting events  Alert on attacks  Disadvantages  Does not pick up all attacks  Only see a single packet

31 Data Correlation (Cont)  TCPDump Logs  Advantages  All packets  Disadvantages  Lots of data

32 Data Decode  Full Packet Decode

33 IRC Decode  Full IRC PrivMsg Decode

34 Packet Analysis

35 Flexible/Powerful GUI  Actions speak louder then words:

36 Future  Increase functionality  Reporting  Passive Application Fingerprinting  Increase Search Capabilities  Extend Data Correlation Capabilities

37 Summary  Enterprise Security Console open up Security Analysis and makes our jobs easier  Uses existing databases

38 Questions?

39 More information:  Web: http://www.activeworx.com  Email: jdell@activeworx.com

Download ppt "Honey Inspector Mike Clark Honeynet Project. Honeynet Inspector  Background."

Similar presentations

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Installation & management of SUSE.

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Installation & management of SUSE.
Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.

Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
Axxon Intellect Lite Product Overview.

Axxon Intellect Lite Product Overview.
MONITORING TOOLS Open Source Security Tools to monitor your network.

MONITORING TOOLS Open Source Security Tools to monitor your network.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Monitoring a Large-Scale Network: Selecting the Right Tool Sayadur Rahman United International University & Network Manager, Financial Service.

Monitoring a Large-Scale Network: Selecting the Right Tool Sayadur Rahman United International University & Network Manager, Financial Service.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Analysis Console for Intrusion Databases Roy. Description ACID.

Analysis Console for Intrusion Databases Roy. Description ACID.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004
Information Networking Security and Assurance Lab National Chung Cheng University Analysis Console for Intrusion Databases.

Information Networking Security and Assurance Lab National Chung Cheng University Analysis Console for Intrusion Databases.
Govt. Engineering College Bikaner A PROJECT Presentation ON STUDY AND IMPLEMENTATION OF ADVANCE IDS SECURITY.

Govt. Engineering College Bikaner A PROJECT Presentation ON STUDY AND IMPLEMENTATION OF ADVANCE IDS SECURITY.
Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
Bandwidth, System, and Network Monitoring Tools at OEA.

Bandwidth, System, and Network Monitoring Tools at OEA.

Similar presentations

Ads by Google