Downloaded 12 times
Uploaded byJulia Yu-Chin Cheng
Honeywall roo 2
This document provides instructions for installing and using the Sebek and Honeysnap tools to analyze Windows XP guest operating systems and offline PCAP files from honeypots. It explains how to extract keysroke logs and network traffic using Sebek tools, and generate first-cut analysis reports of events using Honeysnap by parsing PCAP files offline. Specific commands are provided to view different protocol activity captured in PCAP files with these tools.
Honeywall roo 2
- 1. Sebek On Windows (XP SP3) Install and Configure 1
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18. Turn off Windows firewall 18
- 19.
- 20. Sebek Tes?ng 1 using backtrack 20
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41. Sebek Tes?ng 2 using backtrack 41
- 42.
- 43.
- 44. Offline PCAP Analysis Using Sebek Tools and Honeysnap 44
- 45. Sebek Tools • Two sets of sample incident data (and your own data from your class honeynets): – 1 from Mexican honeypot (192.168.100.28) example.pcap.gz – 1 from UK honeypot (82.68.40.145) 20040319/*.gz 45
- 46. • gunzip honeynet/20040319.gz ; • ls -‐l honeynet/20040319 • more honeynet/20040319/snort_fast 46
- 47. • sbk_extract –f honeynet/20040319/snort.log. 1079654706 | • sbk_ks_log.pl | more 47
- 48. • sbk_extract -‐f honeynet/20040319/snort.log. 1079654706 | • sbk_ks_log.pl | grep bash | more 48
- 49. Honeysnap • Command-‐line tool for parsing single or mul?ple pcap data files • Outputs a 'first-‐cut' analysis report to iden?fy poten?ally significant events • Typically run off-‐line in batch mode, perhaps as a nightly email report • Just need to provide it with the IP address of the honeypot / node of interest 49
- 50. Honeysnap (Cont.) • Packet and connec?on overview • Simple flow extrac?on (ASCII based) • Common protocol decoding • Binary file transfer extrac?on • Flow summary of in/outbound connec?ons • Keystroke extrac?on of Sebek v2/v3 data • Iden?fica?on and analysis of IRC traffic, • including keyword matching 50
- 51. Using Honeysnap • honeysnap -‐h 51
- 52. • honeysnap -‐H 192.168.100.28 honeynet/example.pcap 52
- 53. • honeysnap -‐H 192.168.100.28 –-‐op?on1 –-‐ op?on 2 honeynet/example.pcap 53
- 54.
- 55.
- 56.
- 57.
- 58. Honeysnap Install in Honeywall • hips://projects.honeynet.org/honeysnap/wiki/WikiStart • Install pypcap: rpm –ivh pcap-‐1.1-‐1.i386.rpm • Install honeysnap : – $ tar xvzf honeysnap-‐1.0.6 – $ cd honeysnap-‐1.0.6 – $ sudo python setup.py install 58
- 59. Honeysnap Instruc?ons: • 解析Honeywall Pcap封包: – honeysnap -‐c honeynet.cfg example.pcap • basic informa?on: – honeysnap -‐H192.168.100.28 example.pcap • 解析特定Protocol並將資料寫到檔案 – honeysnap –H192.168.100.28 -‐-‐do-‐hip -‐f /home/roo/analysis/results.txt example.pcap • 完整解析產生報告 – honeysnap -‐H192.168.100.28 -‐-‐do-‐outgoing -‐-‐do-‐irc -‐-‐do-‐ lp -‐-‐do-‐sebek -‐-‐do-‐hip -‐-‐do-‐outgoing -‐o /home/roo/analysis -‐f /home/roo/analysis/results.txt example.pcap 59
- 60.
- 61.