Honeywall roo 2

Sebek On Windows (XP SP3): Install and Configure
Load the WinXP guest OS
Turn off the Windows firewall (on the XP guest)
Sebek Testing 1: using BackTrack
Sebek Testing 2: using BackTrack

Trainees: observe the records that Walleye generates.
Offline PCAP Analysis Using Sebek Tools and Honeysnap

Sebek Tools
•  Two sets of sample incident data (and your own data from your class honeynets):
   – 1 from a Mexican honeypot (192.168.100.28): example.pcap.gz
   – 1 from a UK honeypot (82.68.40.145): 20040319/*.gz
•  gunzip honeynet/20040319.gz
•  ls -l honeynet/20040319
•  more honeynet/20040319/snort_fast

•  sbk_extract -f honeynet/20040319/snort.log.1079654706 | sbk_ks_log.pl | more
   (sbk_extract pulls the Sebek records out of the pcap; sbk_ks_log.pl prints them as a keystroke log)

•  sbk_extract -f honeynet/20040319/snort.log.1079654706 | sbk_ks_log.pl | grep bash | more
   (the same, filtered to the lines mentioning bash)
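The two pipelines above do three things: pull Sebek UDP records out of a pcap, decode the record header, and stitch the read() data back into per-session keystroke lines. The Python below is an added example that does the same job end to end on a constructed pcap; it is not Sebek's own code and not from these slides. It carries its own minimal pcap/Ethernet/IPv4/UDP reader, a Sebek v2/v3 record parser, grouping by (uid, pid, fd) the way sbk_ks_log.pl groups sessions, and a check of the per-host Sebek counter so that records lost between honeypot and Honeywall show up as a number instead of silently missing commands. Assumptions, not taken from the slides: the v2/v3 header layouts (network byte order, read type 0) are from memory of the Sebek record format; the magic value 0xD0D0D0D0, UDP port 1101, the honeypot address 10.0.0.5 and every keystroke in the sample are made up.

```python
"""Sebek keystroke reconstruction from a pcap: an added example, not Sebek's own code.
Assumed rather than taken from the slides: the v2/v3 header layouts (network byte
order, read type 0), the magic value, the UDP port, and every address/keystroke below."""
import struct
from collections import defaultdict

SBK_V3_FMT = "!IHH" + "I" * 8 + "12sI"  # magic,ver,type,counter,sec,usec,ppid,pid,uid,fd,inode,com,len
SBK_V2_FMT = "!IHH" + "I" * 6 + "12sI"  # magic,ver,type,counter,sec,usec,pid,uid,fd,com,len
SBK_READ = 0                             # record type carrying read() data, i.e. keystrokes
SEBEK_MAGIC = 0xD0D0D0D0                 # chosen per deployment at install time; constructed here
SEBEK_PORT = 1101                        # likewise configured at install time; constructed here

def parse_sebek(payload):
    """Decode one Sebek record from a UDP payload; None if it is not a complete record."""
    if len(payload) < 8:
        return None
    magic, ver, rtype = struct.unpack("!IHH", payload[:8])
    fmt = {2: SBK_V2_FMT, 3: SBK_V3_FMT}.get(ver)
    if magic != SEBEK_MAGIC or fmt is None or len(payload) < struct.calcsize(fmt):
        return None
    hlen = struct.calcsize(fmt)
    f = struct.unpack(fmt, payload[:hlen])
    counter, pid, uid, fd, com, length = (f[3], f[7], f[8], f[9], f[11], f[12]) if ver == 3 \
        else (f[3], f[6], f[7], f[8], f[9], f[10])
    data = payload[hlen:hlen + length]
    if len(data) != length:                  # truncated by snaplen or a bad length field
        return None
    return {"ver": ver, "type": rtype, "counter": counter, "pid": pid, "uid": uid,
            "fd": fd, "com": com.split(b"\0", 1)[0].decode("latin-1"), "data": data}

def udp_payloads(pcap_bytes):
    """Minimal pcap reader: yield (src_ip, dst_port, payload) per Ethernet/IPv4/UDP frame."""
    endian = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                  # skip the 24-byte pcap global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                          # not IPv4 over Ethernet, or not UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 8:
            continue
        dport, ulen = struct.unpack("!HH", udp[2:6])
        yield ".".join(str(b) for b in frame[26:30]), dport, udp[8:ulen]

def keystroke_sessions(pcap_bytes, honeypot_ip):
    """sbk_extract | sbk_ks_log.pl in one function: keep read() records sent by honeypot_ip,
    group by (uid, pid, fd), order by counter, join into lines; also return the number of
    records the per-host Sebek counter says were sent but never captured."""
    recs, counters = defaultdict(list), []
    for src, dport, payload in udp_payloads(pcap_bytes):
        if src != honeypot_ip or dport != SEBEK_PORT:
            continue
        r = parse_sebek(payload)
        if r is None:
            continue
        counters.append(r["counter"])
        if r["type"] == SBK_READ:
            recs[(r["uid"], r["pid"], r["fd"])].append(r)
    counters.sort()
    lost = sum(b - a - 1 for a, b in zip(counters, counters[1:]))
    sessions = {}
    for key, rs in recs.items():
        rs.sort(key=lambda r: r["counter"])
        text = b"".join(r["data"] for r in rs).decode("latin-1")
        lines = [ln for ln in text.replace("\r\n", "\n").replace("\r", "\n").split("\n") if ln]
        sessions[key] = {"com": rs[0]["com"], "lines": lines}
    return sessions, lost

# --- constructed sample pcap (every value below is made up for the example) ---
def _sebek(ver, counter, pid, com, data, fd=0, uid=0, sec=1079654706):
    com = com.ljust(12, b"\0")
    if ver == 3:
        hdr = struct.pack(SBK_V3_FMT, SEBEK_MAGIC, 3, SBK_READ, counter, sec, 0, 1, pid, uid, fd, 0, com, len(data))
    else:
        hdr = struct.pack(SBK_V2_FMT, SEBEK_MAGIC, 2, SBK_READ, counter, sec, 0, pid, uid, fd, com, len(data))
    return hdr + data

def _frame(src, dst, dport, payload):
    ip = lambda a: bytes(int(o) for o in a.split("."))
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip(src), ip(dst)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ipv4      # zero MACs, EtherType 0x0800

def build_sample_pcap():
    """Honeypot 10.0.0.5 sends v3 records 1, 2, 5 and a v2 record 3, so record 4 was lost."""
    records = [("10.0.0.5", 3, 1, 4242, b"bash", b"id\n"),
               ("10.0.0.5", 3, 2, 4242, b"bash", b"wget http://files.example/t.tgz\n"),
               ("10.0.0.5", 2, 3, 4243, b"sh", b"ls -la\n"),
               ("10.0.0.5", 3, 5, 4242, b"bash", b"tar xzf t.tgz\n"),
               ("10.0.0.9", 3, 1, 7, b"bash", b"not the honeypot\n")]
    frames = [_frame(src, "10.0.0.1", SEBEK_PORT, _sebek(*rest)) for src, *rest in records]
    frames.append(_frame("10.0.0.5", "10.0.0.1", 53, b"\x00" * 20))      # unrelated UDP noise
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)       # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        pcap += struct.pack("<IIII", 1079654706 + i, 0, len(f), len(f)) + f
    return pcap
```

`keystroke_sessions(build_sample_pcap(), "10.0.0.5")` returns the two bash/sh sessions of the honeypot and `lost == 1` for the missing record 4; the record from 10.0.0.9 is dropped exactly as `-H` on honeysnap or the honeypot filter on sbk_extract would drop it. To use it on the class data, read the pcap bytes from `snort.log.1079654706`, set `SEBEK_MAGIC` and `SEBEK_PORT` to the values chosen in the Sebek configuration wizard, and pass the honeypot's address.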
Honeysnap
•  Command-line tool for parsing single or multiple pcap data files
•  Outputs a 'first-cut' analysis report to identify potentially significant events
•  Typically run off-line in batch mode, perhaps as a nightly email report
•  Just need to provide it with the IP address of the honeypot / node of interest
Honeysnap (Cont.)
•  Packet and connection overview
•  Simple flow extraction (ASCII based)
•  Common protocol decoding
•  Binary file transfer extraction
•  Flow summary of in/outbound connections
•  Keystroke extraction of Sebek v2/v3 data
•  Identification and analysis of IRC traffic, including keyword matching
Using Honeysnap
•  honeysnap -h
•  honeysnap -H 192.168.100.28 honeynet/example.pcap
•  honeysnap -H 192.168.100.28 --option1 --option2 honeynet/example.pcap
The connection contents of several protocols can be observed (ftp, http, irc and DNS).

Honeysnap Install in Honeywall
•  https://projects.honeynet.org/honeysnap/wiki/WikiStart
•  Install pypcap: rpm -ivh pcap-1.1-1.i386.rpm
•  Install honeysnap:
   – $ tar xvzf honeysnap-1.0.6
   – $ cd honeysnap-1.0.6
   – $ sudo python setup.py install
Honeysnap Instructions:
•  Parse Honeywall pcap data with a config file:
   – honeysnap -c honeynet.cfg example.pcap
•  Basic information:
   – honeysnap -H 192.168.100.28 example.pcap
•  Parse a specific protocol and write the data to a file:
   – honeysnap -H 192.168.100.28 --do-http -f /home/roo/analysis/results.txt example.pcap
•  Full analysis, producing a report:
   – honeysnap -H 192.168.100.28 --do-outgoing --do-irc --do-ftp --do-sebek --do-http -o /home/roo/analysis -f /home/roo/analysis/results.txt example.pcap

Q & A
