Mon Jan 12 11:28:41 EST 2004
Anton Chuvakin

Current setup(s):
----------------
Victim: RedHat Linux 9 on Intel
Control: modified GenII iptables script
Network monitoring: snort 2.0.2, tcpdump, Bro 0.8_57, ipaudit, Snort Spade, Dragon NIDS 5.0, shadow/IDAbench, ngrep, argus, ifmonitor
Host monitoring: modified bash, Sebek 2
Correlation and analysis: netForensics SIM, ACID, Demark, IDAbench, IPAudit HTML GUI

Findings/developments this quarter:
----------------------------------
Honeynet developments:
-running RedHat 9 unhacked for months; really surprised about it
-event analysis improvements using various consoles and event correlation
-deploying more monitoring tools and taking steps to automate their output analysis
-deployed honeynet statistics on a public page http://www.chuvakin.org/honeynet/
-new database anomaly detection research using honeynet data; data mining tool deployed on the netForensics database to facilitate new attack discovery
-worm remnants studies and results posted http://www.chuvakin.org/honeynet/worms/

Publications:
- "Where Worms Go To Die?" http://www.oreillynet.com/pub/wlg/4002

Plans for next quarter:
----------------------
-advancing research into IP anomaly detection and packet-level correlation for automated raw log analysis
-deploying a new datamining tool for timing analysis of attacks
-deploying database anomaly detection for multi-sensor correlation
-utilizing argus data to correlate with Bro and Snort alerts
-new publications
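The plan to correlate argus flow data with Snort alerts can be illustrated with a small script. This is an added example, not code from the report or from argus, Snort or netForensics. It parses Snort "fast" alert lines (the real Snort 2.x fast format) and argus flow records, and assumes the flows were exported with ra(1) as whitespace-separated fields in the order stime proto saddr sport daddr dport pkts bytes; that column layout, the 60-second matching window, and the year 2004 prepended to the year-less Snort timestamps are assumptions. The sample alert and flow lines are constructed, and the SIDs sit in the local-rules range so they do not refer to real rules. Each alert is enriched with the flows that share its 5-tuple (in either direction) and started within the window, which gives packet and byte counts the alert alone lacks; flows that match no alert are returned separately, since unalerted traffic to the victim is exactly what the "new attack discovery" work looks for.

```python
"""Correlate Snort fast-format alerts with argus flow records by 5-tuple and time.

Added example, not code from the original report. Assumed argus/ra column layout:
stime proto saddr sport daddr dport pkts bytes (whitespace separated).
"""
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the honeynet). SIDs 1:1000001/1000002 are in
# the local-rules range and are illustrative only.
SNORT_ALERTS = """\
01/12-11:28:41.123456  [**] [1:1000001:1] SCAN inbound probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.3:3127 -> 192.168.1.10:22
01/12-11:30:05.000000  [**] [1:1000002:1] WEB-MISC suspicious request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.9.9:4040 -> 192.168.1.10:80
"""
ARGUS_FLOWS = """\
01/12-11:28:39.100000 tcp 10.1.2.3 3127 192.168.1.10 22 7 612
01/12-11:28:40.500000 tcp 192.168.1.10 22 10.1.2.3 3127 5 480
01/12-11:29:10.000000 udp 10.4.4.4 1434 192.168.1.10 1434 1 404
"""
YEAR = 2004  # assumption: fast alerts carry no year, so use the report's year

# Snort fast format: "MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{(\w+)\}\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s*$"
)

def parse_ts(s):
    return datetime.strptime(f"{YEAR}/{s}", "%Y/%m/%d-%H:%M:%S.%f")

def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip anything that is not a fast-format alert line
        ts, sid, msg, proto, src, sport, dst, dport = m.groups()
        alerts.append({"time": parse_ts(ts), "sid": sid, "msg": msg,
                       "key": (proto.lower(), src, int(sport), dst, int(dport))})
    return alerts

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue  # assumed 8-column ra output; ignore malformed lines
        stime, proto, saddr, sport, daddr, dport, pkts, nbytes = f
        flows.append({"time": parse_ts(stime),
                      "key": (proto.lower(), saddr, int(sport), daddr, int(dport)),
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows

def reverse(key):
    proto, s, sp, d, dp = key
    return (proto, d, dp, s, sp)

def correlate(alerts, flows, window=timedelta(seconds=60)):
    """Attach to each alert every flow with the same 5-tuple (either direction)
    that started within +/-window of the alert. Returns (enriched alerts, flows
    that matched no alert)."""
    matched = set()
    for a in alerts:
        a["flows"] = []
        for i, fl in enumerate(flows):
            if fl["key"] in (a["key"], reverse(a["key"])) and abs(fl["time"] - a["time"]) <= window:
                a["flows"].append(fl)
                matched.add(i)
        a["pkts"] = sum(fl["pkts"] for fl in a["flows"])
        a["bytes"] = sum(fl["bytes"] for fl in a["flows"])
    unalerted = [fl for i, fl in enumerate(flows) if i not in matched]
    return alerts, unalerted

def run():
    return correlate(parse_alerts(SNORT_ALERTS), parse_flows(ARGUS_FLOWS))

if __name__ == "__main__":
    enriched, unalerted = run()
    for a in enriched:
        print(f"{a['sid']} {a['msg']}: {len(a['flows'])} flow(s), {a['pkts']} pkts, {a['bytes']} bytes")
    for fl in unalerted:
        print("flow without alert:", fl["key"], fl["pkts"], "pkts")
```

On the sample data the SCAN alert picks up both directions of the SSH connection (12 packets, 1092 bytes), the WEB-MISC alert has no flow within the window (a gap worth checking against the argus sensor), and the UDP/1434 flow surfaces as traffic that no Snort rule fired on. The same structure extends to Bro connection logs by writing a second parser that yields the same flow dictionaries.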