Mon Oct 13 09:07:49 EDT 2003
Anton Chuvakin

Current setup(s):
----------------
Victim: RedHat Linux 9 on Intel
Control: modified GenII iptables script
Network monitoring: snort 2.0.2, tcpdump, Bro 0.8_37, ipaudit, Snort Spade, Dragon NIDS 5.0, shadow/IDAbench, ngrep, argus (yes, all of those!)
Host monitoring: modified bash, Sebek 2
Correlation and analysis: netForensics SIM, ACID, Demark, IDAbench, IPAudit HTML GUI

Findings/developments this quarter:
----------------------------------
Honeynet developments:
- reverted to Linux since the "softened" FreeBSD was NOT getting hacked for more than 6 months
- event analysis improvements using various consoles and event correlation
- deployed Sebek 2
- deploying more monitoring tools and taking steps to automate the analysis of their output

Publications:
- "What is discovered on honeynets" at the Elsevier site
- SANSFire presentation on rootkits captured on the Honeynet

Plans for next quarter:
----------------------
- deploying a Linux victim in addition to FBSD, or migrating to OBSD
- new research into IP anomaly detection and packet-level correlation for automated raw log analysis
- utilizing argus data to correlate with Bro and Snort alerts
- deploying the netForensics rule-based correlation engine
- possibly deploying UML-based virtual honeynets
- some publications