Virtual Honeypots Book Review
Virtual Honeypots
Author: Niels Provos, Thorsten Holz
Publisher: Addison-Wesley
Published: 2007
Pages: 440

Virtual Honeypots Chapters
  1. Honeypot and Networking Background
    • Brief TCP/IP Introduction
    • Honeypot Background
      • High Interaction Honeypots
      • Low-Interaction Honeypots
      • Physical Honeypots
      • Virtual Honeypots
      • Legal Aspects
    • Tools of the Trade
      • Tcpdump
      • Wireshark
      • Nmap
  2. High Interaction Honeypots
    • Advantages and Disadvantages
    • VMware
      • Different VMware Versions
      • Virtual Network with VMware
      • Setting Up a Virtual High Interaction Honeypot
      • Creating a Virtual Honeypot
      • Adding Additional Monitoring Software
      • Connecting the Virtual Honeypot to the Internet
      • Building a Virtual High-Interaction Honeynet
    • User-Mode Linux
      • Overview
      • Installation and Setup
      • Runtime Flags and Configuration
      • Monitoring UML-Based Honeypots
      • Connecting the Virtual Honeypot to the Internet
      • Building a Virtual High-Interaction Honeynet
    • Argos
      • Overview
      • Installation and Setup for Argos Honeypots
    • Safeguarding Your Honeypots
      • Honeywall
    • Summary
  3. Low Interaction Honeypots
    • Advantages and Disadvantages
    • Deception Toolkit
    • LaBrea
      • Installation and Setup
      • Observations
    • Tiny Honeypot
      • Installation
      • Capture Logs
      • Session Logs
      • Netfilter Logs
      • Observations
    • GHH - Google Hack Honeypot
      • General Installation
      • Installing the Transparent Link
      • Access Logging
    • PHP.HoP - A Web-Based Deception Framework
      • Installation
      • HipHop
      • PhpMyAdmin
    • Securing Your Low-Interaction Honeypots
      • Chroot Jail
      • Systrace
    • Summary
  4. Honeyd - The Basics
    • Overview
      • Features
      • Installation and Setup
    • Design Overview
      • Interaction Only via the Network
      • Multiple IP Addresses
      • Deceiving Fingerprinting Tools
    • Receiving Network Data
    • Runtime Flags
    • Configuration
      • create
      • set
      • add
      • bind
      • delete
      • include
    • Experimenting with Honeyd
      • Experimenting with Honeyd Locally
      • Integrating Virtual Honeypots into Production Networks
    • Services
    • Logging
      • Packet-Level Logging
      • Service-Level Logging
    • Summary
  5. Honeyd - Advanced Topics
    • Advanced Configuration
      • set
      • tarpit
      • annotate
    • Emulating Services
      • Scripting Languages
      • SMTP
    • Subsystems
      • Optimizing Subsystems
    • Internal Python Services
    • Dynamic Templates
    • Routing Topology
    • Honeydstats
    • Honeydctl
    • Honeycomb
    • Performance
    • Summary
  6. Collecting Malware with Honeypots
    • A Primer on Malicious Software
    • Nepenthes - A Honeypot Solution to Collect Malware
      • Architecture of Nepenthes
      • Limitations
      • Installation and Setup
      • Configuration
      • Command Line Flags
      • Assigning Multiple IP Addresses
      • Flexible Deployment
      • Capturing New Exploits
      • Implementing Vulnerability Modules
      • Results
      • Lessons Learned
    • Honeytrap
      • Overview
      • Installation and Configuration
      • Running Honeytrap
    • Other Honeypot Solutions for Learning About Malware
      • Multipot
      • HoneyBOT
      • Billy Goat
      • Learning About Malicious Network Traffic
    • Summary
  7. Hybrid Systems
    • Collapsar
    • Potemkin
    • RolePlayer
    • Research Summary
    • Building Your Own Hybrid Honeypot System
      • NAT and High-Interaction Honeypots
      • Honeyd and High-Interaction Honeypots
    • Summary
  8. Client Honeypots
    • Learning More About Client Side Threats
      • A Closer Look at MS04-040
      • Other Types of Client-Side Attacks
      • Toward Client Honeypots
    • Low Interaction Client Honeypots
      • Learning About Malicious Websites
      • HoneyC
    • High Interaction Client Honeypots
      • Design of High Interaction Client Honeypots
      • HoneyClient
      • Capture-HPC
      • HoneyMonkey
    • Other Approaches
      • Studying Spyware on the Internet
      • SpyBye
      • SiteAdvisor
      • Further Research
    • Summary
  9. Detecting Honeypots
    • Detecting Low-Interaction Honeypots
    • Detecting High-Interaction Honeypots
      • Detecting and Disabling Sebek
      • Detecting the Honeywall
      • Circumventing Honeynet Logging
      • VMware and Other Virtual Machines
      • QEMU
      • User-Mode Linux
    • Detecting Rootkits
    • Summary
  10. Case Studies
    • Blast-o-Mat : Using Nepenthes to Detect Infected Clients
      • Motivation
      • Nepenthes as Part of an Intrusion Detection System
      • Mitigation of Infected Systems
      • A Modern Trojan: Haxdoor
      • Lessons Learned with Blast-o-Mat
      • Lightweight IDS Based on Nepenthes
      • SURFnet IDS
    • Search Worms
    • Red Hat 8.0 Compromise
      • Attack Summary
      • Attack Timeline
      • Tools Involved
      • Attack Evaluation
    • Windows 2000 Compromise
      • Attack Summary
      • Attack Timeline
      • Tools Involved
      • Attack Evaluation
    • SUSE 9.1 Compromise
      • Attack Summary
      • Attack Timeline
      • Tools Involved
      • Attack Evaluation
    • Summary
  11. Tracking Botnets
    • Bot and Botnet
      • Examples of Bots
      • Spyware in the Form of Bots
      • Botnet Control Structure
      • DDoS Attacks Caused by Botnets
    • Tracking Botnets
      • Observing Botnets
    • Case Studies
      • Mocbot and MS06-040
      • Other Observations
    • Defending Against Bots
    • Summary
  12. Analyzing Malware with CWSandbox
    • CWSandbox Overview
    • Behavior-Based Malware Analysis
      • Code Analysis
      • Behavior Analysis
      • API Hooking
      • Code Injection
    • CWSandbox - System Description
      • Architecture
    • Results
      • Example Analysis Report
      • Large-Scale Analysis
    • Summary
Virtual Honeypots Appendices
  1. Bibliography
  2. Index
