Welcome to the UK Honeynet Project

The UK Honeynet Project (a Chapter of The Honeynet Project) was founded in 2002 as a volunteer not-for-profit research organisation. Our aim is to provide information surrounding security threats and vulnerabilities active in the wild on UK networks today, to learn the tools, tactics, and motives of the blackhat community and to share these lessons learned with the public and the wider IT community. The project seeks to provide input as part of an overall honeynet community of teams researching security within IT systems around the globe.

Global Distributed Honeynet (GDH) Phase Two starting

15:33, April 2nd, 2008 by david

After doing a lot of work leading phase one of The Honeynet Project’s Global Distributed Honeynet (GDH) last year, I’m pleased to announce that internal development has begun on GDH Phase Two today. Initially this will result in new public Honeywall releases (version 1.4 this month integrates a second generation of our Hflow data fusion tool, followed by version 1.5 which will hopefully support attacker source IP to keystroke mapping in all Sebek related tools at last!). Hopefully the three month kick start phase will be extended throughout 2008 and we’ll be releasing lots of interesting research data once an expanded global sensor network is operational. GDH Phase Two will also include client honeypots (based on Capture-HPC) and should see some long overdue improvements to our Honeysnap reporting tool too.

Capture-HPC version 2.1 released

16:16, March 27th, 2008 by Steve

A new release of Capture-HPC has been made available:

“The Honeynet Project (http://www.honeynet.org) and School of Mathematics, Statistics and Computer Science at Victoria University of Wellington (http://www.mcs.vuw.ac.nz/) are excited to announce the release of Capture-HPC v2.1. Capture-HPC is an innovative security product that is able to find and investigate the increasing problem of client-side computer attacks. This new software release increases the features and speeds performance allowing anyone to investigate a larger range and quantity of client-side computer attacks. Capture-HPC is freely available from our web site at: https://projects.honeynet.org/capture-hpc/wiki. It is written and distributed under the GNU General Public License, v2.”

Improvements include better performance, increased data capture and a new client plug-in framework.

The full press release can be found here:

http://www.honeynet.org/press/honeynet-project-press-release-capture-hpc.pdf

New version of Argos honeypot released

13:59, March 11th, 2008 by david

The team over at Vrije University in Amsterdam (the location for the upcoming invite-only WOMBAT honeynet data sharing workshop) have released a new version of their Argos honeypot tool:

http://www.few.vu.nl/argos/

This interesting honeypot system uses dynamic taint analysis to track network data and identify unknown malware. So far we’ve only experimented with it, but it looks like a promising project and an ideal companion to Nepenthes based capture of known malware variants.

UKHP attend ISOI4

13:45, March 4th, 2008 by david

I was one of the attendees at the fourth ISOI workshop last week, which this time was held in sunny San Jose. Once again, the event had an interesting range of presentations and discussions, mostly focused around what system defenders could do now to make a difference to the continuing tide of cybercrime observed every day. There was also plenty of opportunity to catch up with people in the security community, and put faces to names, so thanks to Gadi and co for the continued invites. I also got a bit of time to hang out with various Honeynet Project people and some of the guys from Shadowserver, and hopefully we’ll see some interesting spin offs in the coming months. Being from the UK, the obligatory Silicon Valley geek tourism was also fun.

WOMBAT Workshop 2008

13:59, February 20th, 2008 by david

The Honeynet Project have been invited to submit a paper to the upcoming invite-only Worldwide Observatory of Malicious Behaviors and Attack Threats (WOMBAT, http://wombat-project.eu) honeynet workshop at Vrije University in Amsterdam on the 21st and 22nd of April. David and Jamie from the UKHP will be organising the Honeynet Project’s submissions, and we hope to have at least one presentation accepted for publication in the journal of the IEEE.

For more details see http://wombat-project.eu/2008/04/wombat-closed-workshop-april-2.html

New release of the Honeywall CDROM

15:01, January 4th, 2008 by arthur

There’s a new (beta) release of the Honeynet Project’s “Honeywall” CDROM out. This release (1.3b) fixes some bugs but the main change is a move from the no longer supported Fedora Core 6 platform to CentOS 5. This should give us less work keeping the base platform up to date and more time to work on adding cool new features :)

We’re also moving to a more open development model for the CDROM. Although it’s always been GPL’d, the development process has been closed and it’s been hard for outsiders to add features/hack code. I’m pleased to say that that’s now changed, and there’s a new Trac site with an svn tree, wiki and all the usual stuff. The Honeywall public mailing list is also still available.

Cool stuff that will be coming in the future includes a move to hflow2 for better flow decoding and analysis and changes to the build processes to make it easier to use.

Credits: Earl Sammons, Rob McMillen and myself did the CentOS port. Steve Mumford and Dave Watson did all the work in setting up our new infrastructure to enable more open development.

Honeynet Project restructuring and elections

10:15, January 4th, 2008 by david

The Honeynet Project has recently completed a major internal restructuring, which sees the end of the Research Alliance and a move to a new Chapter based membership model (for example, we become the Honeynet Project’s UK Chapter). You can find out more about the new organisation, its bylaws and further membership information here.

As part of this restructuring process, active Honeynet Project members have elected a new Board of Directors and assigned various operational positions for the next three years. This includes David Watson from the UK group, who becomes a Honeynet Project Director and its Chief Research Officer.

With the restructuring process now complete, we are looking forward to getting back to honeynet research and development. A second, larger phase of our Global Distributed Honeynet (GDH) is already planned for 2008, along with more collaboration with other active security research groups.

Amun low interaction honeypot released

16:08, December 13th, 2007 by david

A new low interaction honeypot called Amun was released last week by a German researcher called Jan Göbel at the University of Aachen. Amun takes a similar approach to nepenthes and is also designed to collect samples of autonomous spreading malware by emulating vulnerable network services and then downloading malicious payloads for analysis. It is Python and XML based, so should be easy to extend, and can be downloaded here. Worth checking out.