Fri Jun 27 14:31:38 EDT 2003
Anton Chuvakin

Current setup(s):
----------------
Victim: FreeBSD 4.6 on Intel
Control: GenII iptables
Network monitoring: snort, tcpdump, bro, ipaudit, spade, Dragon NIDS 5.0, shadow, ngrep (yes - all of those!)
Host monitoring: dlhm, modified sh shell, modified bash
Correlation and analysis: netForensics SIM, ACID, Demark

Findings/developments this quarter:
----------------------------------
Honeynet developments:
- sh patch improved to log sh keystrokes on FreeBSD
- FreeBSD honeypot maintained
- event analysis improvements
- increase in data capture tools (e.g. anomaly detection) and correlation

Publications:
- "Days of the Honeynet: Attacks, Tools, Incidents"
  http://www.linuxsecurity.com/feature_stories/feature_story-141.html
- upcoming "What is discovered on honeynets" at Elsevier site
- upcoming SANSFire presentation on capture tools (July 14 SANS @ Night; everybody is welcome!)

Plans for next quarter:
----------------------
- further development of *BSD deployment as victim
- deploying Linux victim in addition to FBSD or migration to OBSD
- develop csh shell logging patch for FreeBSD (and maybe other OSs)
- "better attackers" research following the initial document
- new research into IP anomaly detection and correlation
- deploy netForensics rule-based correlation engine