In this episode of the Collective Defense Podcast we are jumping into honeypots, honeynets, and how emerging threats can be proactively detected with Peter Rydzynski. On the new front we analyzed a number of stories including the most recent Marriott breach, zoombombs and WarDialz, and of course more insecure Wordpress plugins.
Software Mentioned in this episode:
SELKS
https://www.stamus-networks.com/scirius-open-source (https://www.stamus-networks.com/scirius-open-source)
Both live and installable Network Security Management ISO based on Debian
Complete Suricata IDS/IPS ecosystem with its own graphic rule manager
From start to analysis of IDS/IPS and NSM events in 30 sec
Major components:
Suricata
Elasticsearch
Logstash
Kibana
Moloch
Scirius Community Edition
EveBox
Cowrie
https://github.com/cowrie/cowrie (https://github.com/cowrie/cowrie)
Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.
Cowrie is maintained by Michel Oosterhof.
Dionaea
https://github.com/DinoTools/dionaea (https://github.com/DinoTools/dionaea)
This low-interaction honeypot written in C and Python uses the Libemu library to emulate the execution of Intel x86 instructions and detect shellcodes.
In addition, we can say it’s a multi-protocol honeypot that offers support for protocols such as FTP, HTTP, Memcache, MSSQL, MySQL, SMB, TFTP, etc.
Protocols
blackhole
epmap
ftp
http
memcache
mirror
mqtt
mssql
mysql
pptp
sip
smb
tftp
upnp
Logging
fail2ban
hpfeeds
log_json
log_sqlit
Netcat
http://netcat.sourceforge.net/ (http://netcat.sourceforge.net/)
Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.
It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
It provides access to the following main features:
Outbound and inbound connections, TCP or UDP, to or from any ports.
Featured tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel.
Built-in port-scanning capabilities, with randomizer.
Advanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of trasmitted and received data.
Optional RFC854 telnet codes parser and responder.
Modern Honey Network
https://github.com/pwnlandia/mhn (https://github.com/pwnlandia/mhn)
MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface. Honeypot deploy scripts include several common honeypot technologies, including Snort, Cowrie, Dionaea, and glastopf, among others.
Features
MHN is a Flask application that exposes an HTTP API that honeypots can use to:
Download a deploy script
Connect and register
Download snort rules
Send intrusion detection logs
It also allows system administrators to:
View a list of new attacks
Manage snort rules: enable, disable, download
