SlideShare a Scribd company logo

Icmis

Sandeep Saxena, profile picture
Sandeep Saxena

1) The document proposes enhancing IDS systems with honeypot placement to detect zero-day attacks. A new network architecture is designed where honeypots attract attackers and log their activities to generate IDS signatures. 2) Experimental setup involves deploying a honeypot server using Honeyd and Arpd to monitor unused IP space and direct attacks. Tcpdump is used to analyze traffic and payloads directed at the honeypot. 3) Analysis of honeypot logs is used to write custom IDS rules matching observed payloads. This allows detection of new attacks before they can harm the internal network.

1 of 4
Download to read offline
1
2
3
4
Enhancing the efficiency of IDS system with Honey pot placement in Network Architecture Vijay K. Chaurasiya1, Ashish Srivastava2 Shuchi Chandra3Shashank Srivastava4, Sandeep Saxena5, Manish Rai6, IIIT-Allahabad, India The Intrusion Detection System specially involves two types of techniques: Anomaly Detection involving the Abstract -- Increasing technology space has pressurized the detection based on behavior/heuristic rules and Misuse orgainsational enviroment to safegraurd its network from Detection involving the detection based on patterns and outside as well as inside attack. Any malicious intrusion can signatures. Anomaly detection lags behind as it requires dragdown a highly reputed organisation to the floors of too much time to detect the behavior and Misuse defamation and even insolvency. Henceforth network Detection lags behind for detection of new attack security is one of the biggest challenge for organisation. Although traditional concepts of firewall and intrusion signature. So Honeypot is used as a tool to support the detction system is prevailing yet there is a need to secure the technique of Misuse Detection so that new attacks can be enviroment from the so called zero day attacks. Attackers detected before they can harm internal network and the every now and then generate exploits to penetrate the secure signature can be framed in the IDS to defend the network network enviroment and the existing known signatures are from internal and external threat of such attack in future. not able to detect such an attack. This paper brings forth the concept of deployment of honeypot so as to make the IDS Honeypots are Bait Servers which are not the part of any system more effective and efficient for the zero day attack production server in the organization and are just placed leading to least penetration to the network enviroment. This isolated so as to attract the attackers to plug and play with paper lays down a new network architecture so that the IDS it and at its end it logs all the actions of the attacker so system can be updated with the latest attack scenarios. The that it can be analyzed further to generate signatures for aforesaid objective is achived with the help of establishment of honeypot. Later tcpdump is used for he further analysis of IDS. Attackers before making an attack performs a ping payload so as to generate alert signautre in IDS(Snort v2.0). sweep and if the honeypot is pinged. As the request reaches the honeypot server it records all the activities, even the keystrokes typed by the attackers so every command entered by the attacker becomes a part of log to I. INTRODUCTION the honeypot server. It also stores all tools used by the intruders in records as a forensic machine. The high use of internet in today’s IT world has purged in The given paper describes how the data returned from the the concept of security deployment in the organization so honeypot server is used to write custom IDS rules. Thus as to make it almost immune to various upcoming attack new network architecture is designed to collect the scenarios. One of the critical areas is the protection of response to write custom IDS rules by seeing the data internal network from new attacks. Although the most payload and writing the rules matching the payload. desirable is the deployment of intrusion and prevention system in the network architecture but this system is still II. RELATED WORK vulnerable to zero day attacks. The IDS generally includes signatures for known attacks and generates the alerts for the same but if any new attack penetrates the One of the drawback stumble upon with network intrusion system then it lacks behind. To deal with this problem the detection systems is that the logging of failed connection concept of honeypot can be used along with any packet attempts just occurs when services are not listening on a analyzing tool so as to generate signatures for zero-day scanned port. When a RST signal terminates a TCP attacks in IDS. connection attempt, the system never logs the data packet that the remote machine was trying to send into the network. A honeypot as a one of the greatest security tool
suggests a mechanism by completing the connection attempt and providing an attacker a false illusion of accessing the critical servers and then recording the interactions between the honeypot and the remote machine. Honeypot placement is one of the greatest issues to be taken care of to optimize the efficiency of the implemented Intrusion Detection System. Various network architectures are presented till now to achieve the aforesaid motive but the basic idea behind this as we suppose is detection of hackers scripts and actions to penetrate into the system and henceforth the proposed architecture is presented which will help the organizational security to build up patches for the existing loophole and make their system robust and stringent to attack scenarios. III. PROPOSED DESIGN AND IMPLEMENTATION Fig 1.1 Deployment of IDS & honeypot in the LAN Architecture In this configuration, main network is a “TCP/IP based In this section we outline the requirements of the network” which contains clients and servers. Snort 2.0 is proposed infrastructure which is considered as a solution used as IDS and is capable to be configured with server. to decrease the malicious inflow of packets in the Honeyd is a honeypot system that is configured as a organizational environment and enhance the efficiency of separate server and is connected to the main server. We IDS system deployed. assume a”switched network” in our approach, with a configurable switch which is connected to the main server The real honeypot server is used to safeguard the main and the respective clients. As the LAN architecture is server from if the hacker is able to compromise the developed in within a primary network henceforth the honeypot server. Although it is hard to implement the real server is supported with two Ethernet cards eth0 and eth1. honeypot but it is desirable for large organizations as such Eth0 directs the internet connection to the main sever and servers do not hamper the production process in the eth1 manages the intranet traffic within the private LAN organization and only IT staff is able to access the 192.168.0.1. required logs. Neither the attacker nor the organizational The attacker first performs a ping sweep attack to detect staff knows where honeypot is placed. the available servers in the network and the honeypot server entices him to perform attacks to penetrate the The given network architecture is used to develop an network. Once the requests are directed to the honeypot understanding as to why and how honeypots are used to server the incoming connection is established with the enhance the work of IDS system. attacking system. As the attacker gets a feel of entering into the server it performs all his efforts to penetrate into different servers. Honeypot gives him the illusion of different servers and constantly interacts with him to record his activities and send the specific response to the syslog server for future analysis and investigation.
IV. EXPERIMENTAL SETUP %01/..%01/..%01/..%01/..%01/..%01/..%0 1/..%01/..%01/..%01/. To implement honeypot an additional tool Arpd is .%01/..%01/..%01/..%01/..%01/..%01/..% embedded in it. Honeypot cannot do everything alone and 01/..%01/..%01/..%01/ ..%01/..%01/..%01/..%01/..%01/..%01/.. requires the help of Arpd. Arpd is used for ARP spoofing; %01/..%01/..%01/..%01 this is what actually monitors the unused IP space and /..%01/..%01/..%01/..%01/..%01/..%01/. directs the attacks to the honeypot. Honeyd is only able to .%01/..%01/..%01/..%0 interact with attackers. For example if the aim is to 1/..%01/..%01/..%01/..%01/..%01//etc/s monitor all the unused IPs in the 192.168.1.0/24 network, hadow HTTP/1.1 the required commands to start both Arpd and Honeyd are Host: 202.174.22.145:10000 as follows: It is visible that the attacking port is 10000 thus port 10000 is of interest. The various ip addresses from where arpd 192.168.0.1/24 such request came can be filtered using tcpdump analysis. honeyd -p nmap.prints -f honeyd.conf 192.168.0.1/24 Based on the commands, the Arpd process monitors the B. Results and Discussion unused IPs, directs all corresponding attacks to the honeyd and spoofs the victim’s IP address with the MAC Once the analysis is done now it is the time to write the address of the honeypot. For the honeyd command –p snort rule. By the analysis of the payload it is visible that nmap.prints refers to the nmap fingerprint database and -f the string started with “GET/unauthenticated/” honeyd.conf is the honeyd configuration file. thus following snort rule can be set: Once the installation is honeypot server is completed the alert tcp $EXTERNAL_NET any -> traffic directed to honeypot server is dumped o other $192.168.0.1 10000 (content:"GET /unauthenticated/"; system using packet analyzing tool tcpdump with the help msg:"Get unauthenticated";) of following command: tcpdump -nn -x -s 1500 host 192.168.0.145 -w store.cap Now any attack coming from the specified port will The tcpdump command will dump all the malicious generate the alert to the administrator of penetration for packets directed to the honeypot and hence will help in unauthorized access in the network environment by the writing the snort rule set by analyzing the payload. attacker. If the set rule has to be further customized then the A. Writing of Snort Rules: following payload can be added: alert tcp any any -> any 10000 Penetrating in the network to gain access by getting the (content:"GET /unauthenticated/..%01/..%01/"; msg:"Get etc/passwd file in the Linux environment or the password unauthenticated";) shadow file i.e. etc/shadow which contains the username The point of concern here is that adding too much of and password of all users. No such rule is defined in the payload may result in false negatives which will overall latest snort rule set. Suppose you get the following log lower down the implementation of snort in organizational generated in honeypot: network. # cat 44F75D6380122.shell :::::::::::::: V. CONCLUSION GET/unauthenticated/..%01/..%01/..%01/ ..%01/..%01/..%01/..% The Intrusion detection system can only give the optimum 01/..%01/..%01/..%01/..%01/..%01/..%01 /..%01/..%01/..%01/.. benefit if it is also able to detect those attacks for which
signatures are not defined in its database. The area of work will be to give attention to this Snort limitation and thus increasing the scalability and responsiveness of the system towards the various types of attacks so as to achieve the motto of building a smart agile and secure system to face the new challenges of technological arena. Though honeypot deployment is a cost-effective solution for the security of large organization but in future refinement is required to elimination false alarm generations. REFERENCES 1. Vidar Ajaxon Grønland: Building IDS signatures by means of a honeypot Norwegian Information system Laboratory. 2. Chi-Hung Chi , Ming Li Dongxi Liu : A method to obtain Signatures From Honeypots Data, School of Computing National University of Singapore 3. Babak Khosravifar, Jamal Bentahar: An Experience Improving Intrusion Detection Systems False Alarm Ratio by Using Honeypot. Department of Electrical and Computer Engineering, Concordia University 4. Greg M. Bednarski and Jake Branson: Understanding Network Threats through Honeypot Deployment, Carnegie Mellon University March 2004. 5. Richard Hammer : Enhancing IDS using, Tiny Honeypot SANS Institute InfoSec Reading Room 6. Solution Base: What you need to know about honeypots http://articles.techrepublic.com.com/5100- 22_11-5758218.html

More Related Content

PPT
Intrusion detection system ppt
Sheetal Verma
 
PDF
An Approach to for Improving the Efficiency of IDS System Using Honeypot
Editor Jacotech
 
DOCX
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Disha Bedi
 
PPT
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Wei-Yu Chen
 
PDF
Paper sharing_Edge based intrusion detection for IOT devices
YOU SHENG CHEN
 
PPTX
Future Prediction: Network Intrusion Detection System in the cloud
Sedthakit Prasanphanich
 
PPTX
Double guard
Divya Gowda
 
PDF
International Journal of Computer Science and Security Volume (1) Issue (3)
CSCJournals
 
Intrusion detection system ppt
Sheetal Verma
 
An Approach to for Improving the Efficiency of IDS System Using Honeypot
Editor Jacotech
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Disha Bedi
 
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Wei-Yu Chen
 
Paper sharing_Edge based intrusion detection for IOT devices
YOU SHENG CHEN
 
Future Prediction: Network Intrusion Detection System in the cloud
Sedthakit Prasanphanich
 
Double guard
Divya Gowda
 
International Journal of Computer Science and Security Volume (1) Issue (3)
CSCJournals
 

What's hot (18)

PDF
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
ijp2p
 
PPTX
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Disha Bedi
 
PDF
Defense mechanism for d do s attack through machine learning
eSAT Publishing House
 
PDF
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Priyanka Aash
 
PDF
Review on Honeypot Security
IRJET Journal
 
DOCX
Intrusion Detection System
Devil's Cafe
 
PPT
Intrusion Detection And Prevention
Nicholas Davis
 
PPT
Day4
Jai4uk
 
PDF
35 38
Ijarcsee Journal
 
PPT
Using Genetic algorithm for Network Intrusion Detection
Sagar Uday Kumar
 
PPT
Day3
Jai4uk
 
PPTX
Network security
Sidiq Dwi Laksana
 
PPT
Day3 Backup
Jai4uk
 
PPTX
Intrusion Prevention System
Vishwanath Badiger
 
PPTX
Intrusion detection
Umesh Dhital
 
DOCX
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Disha Bedi
 
PPTX
Network intrusion detection system and analysis
Bikrant Gautam
 
PDF
Intrusion_Detection_By_loay_elbasyouni
Loay Elbasyouni
 
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
ijp2p
 
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...
Disha Bedi
 
Defense mechanism for d do s attack through machine learning
eSAT Publishing House
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Priyanka Aash
 
Review on Honeypot Security
IRJET Journal
 
Intrusion Detection System
Devil's Cafe
 
Intrusion Detection And Prevention
Nicholas Davis
 
Day4
Jai4uk
 
35 38
Ijarcsee Journal
 
Using Genetic algorithm for Network Intrusion Detection
Sagar Uday Kumar
 
Day3
Jai4uk
 
Network security
Sidiq Dwi Laksana
 
Day3 Backup
Jai4uk
 
Intrusion Prevention System
Vishwanath Badiger
 
Intrusion detection
Umesh Dhital
 
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...
Disha Bedi
 
Network intrusion detection system and analysis
Bikrant Gautam
 
Intrusion_Detection_By_loay_elbasyouni
Loay Elbasyouni
 
Ad

Viewers also liked (14)

PDF
Cube2012 Submission 359
Sandeep Saxena
 
PDF
Rp059 Icect2012 E694
Sandeep Saxena
 
PDF
MEDIA ICMI 09
ICMI Pusat
 
PPT
Cloud Monitoring And Forensic Using Security Metrics
Sandeep Saxena
 
PDF
MEDIA ICMI EDISI 11
ICMI Pusat
 
DOCX
Synopsis on wireless power transfer
Mohammad Atif
 
PDF
Wireless Power Transfer Project
sagnikchoudhury
 
PPTX
Ppt seminar
Lovina Jaisingh
 
PDF
Wireless power / Wireless Electricity
Muhammad Umair Iqbal
 
PPTX
Wireless power transmission ppt
Aishwary Verma
 
PPTX
Wireless power transmission
rakeshkk
 
PDF
What's Next in Growth? 2016
Andrew Chen
 
PDF
The Outcome Economy
Helge Tennø
 
PDF
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
Barry Feldman
 
Cube2012 Submission 359
Sandeep Saxena
 
Rp059 Icect2012 E694
Sandeep Saxena
 
MEDIA ICMI 09
ICMI Pusat
 
Cloud Monitoring And Forensic Using Security Metrics
Sandeep Saxena
 
MEDIA ICMI EDISI 11
ICMI Pusat
 
Synopsis on wireless power transfer
Mohammad Atif
 
Wireless Power Transfer Project
sagnikchoudhury
 
Ppt seminar
Lovina Jaisingh
 
Wireless power / Wireless Electricity
Muhammad Umair Iqbal
 
Wireless power transmission ppt
Aishwary Verma
 
Wireless power transmission
rakeshkk
 
What's Next in Growth? 2016
Andrew Chen
 
The Outcome Economy
Helge Tennø
 
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
Barry Feldman
 
Ad

Similar to Icmis (20)

PDF
1376841709 17879811
Editor Jacotech
 
PDF
1376841709 17879811
Editor Jacotech
 
PDF
Ananth1
Shiva Krishna Chandra Shekar
 
PDF
Network Security Using IDS, IPS & Honeypot
paperpublications3
 
PDF
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
IJERA Editor
 
PDF
Paper id 312201513
IJRAT
 
PDF
Analysis of Honeypot Networks and Intrusion Prevention System IPS on Wireless...
ijtsrd
 
PDF
M0704071074
IJERD Editor
 
PDF
Honeypotdeploy Ieee2005
seguridadutpl
 
PDF
A honeynet framework to promote enterprise network security
IAEME Publication
 
PDF
Olll
nannukaur
 
PDF
Gg2511351142
IJERA Editor
 
PDF
Gg2511351142
IJERA Editor
 
PDF
Modern Attack Detection using Intelligent Honeypot
IRJET Journal
 
PDF
N44096972
IJERA Editor
 
PDF
Em36849854
IJERA Editor
 
PDF
Ananth3
Shiva Krishna Chandra Shekar
 
PPTX
HONEYPOTS: Definition, working, advantages, disadvantages
amit kumar
 
DOC
Honeypots
Shiva Krishna Chandra Shekar
 
PDF
Seminar Report on Honeypot
Amit Poonia
 
1376841709 17879811
Editor Jacotech
 
1376841709 17879811
Editor Jacotech
 
Ananth1
Shiva Krishna Chandra Shekar
 
Network Security Using IDS, IPS & Honeypot
paperpublications3
 
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
IJERA Editor
 
Paper id 312201513
IJRAT
 
Analysis of Honeypot Networks and Intrusion Prevention System IPS on Wireless...
ijtsrd
 
M0704071074
IJERD Editor
 
Honeypotdeploy Ieee2005
seguridadutpl
 
A honeynet framework to promote enterprise network security
IAEME Publication
 
Olll
nannukaur
 
Gg2511351142
IJERA Editor
 
Gg2511351142
IJERA Editor
 
Modern Attack Detection using Intelligent Honeypot
IRJET Journal
 
N44096972
IJERA Editor
 
Em36849854
IJERA Editor
 
Ananth3
Shiva Krishna Chandra Shekar
 
HONEYPOTS: Definition, working, advantages, disadvantages
amit kumar
 
Honeypots
Shiva Krishna Chandra Shekar
 
Seminar Report on Honeypot
Amit Poonia
 

Icmis

  • 1. Enhancing the efficiency of IDS system with Honey pot placement in Network Architecture Vijay K. Chaurasiya1, Ashish Srivastava2 Shuchi Chandra3Shashank Srivastava4, Sandeep Saxena5, Manish Rai6, IIIT-Allahabad, India The Intrusion Detection System specially involves two types of techniques: Anomaly Detection involving the Abstract -- Increasing technology space has pressurized the detection based on behavior/heuristic rules and Misuse orgainsational enviroment to safegraurd its network from Detection involving the detection based on patterns and outside as well as inside attack. Any malicious intrusion can signatures. Anomaly detection lags behind as it requires dragdown a highly reputed organisation to the floors of too much time to detect the behavior and Misuse defamation and even insolvency. Henceforth network Detection lags behind for detection of new attack security is one of the biggest challenge for organisation. Although traditional concepts of firewall and intrusion signature. So Honeypot is used as a tool to support the detction system is prevailing yet there is a need to secure the technique of Misuse Detection so that new attacks can be enviroment from the so called zero day attacks. Attackers detected before they can harm internal network and the every now and then generate exploits to penetrate the secure signature can be framed in the IDS to defend the network network enviroment and the existing known signatures are from internal and external threat of such attack in future. not able to detect such an attack. This paper brings forth the concept of deployment of honeypot so as to make the IDS Honeypots are Bait Servers which are not the part of any system more effective and efficient for the zero day attack production server in the organization and are just placed leading to least penetration to the network enviroment. This isolated so as to attract the attackers to plug and play with paper lays down a new network architecture so that the IDS it and at its end it logs all the actions of the attacker so system can be updated with the latest attack scenarios. The that it can be analyzed further to generate signatures for aforesaid objective is achived with the help of establishment of honeypot. Later tcpdump is used for he further analysis of IDS. Attackers before making an attack performs a ping payload so as to generate alert signautre in IDS(Snort v2.0). sweep and if the honeypot is pinged. As the request reaches the honeypot server it records all the activities, even the keystrokes typed by the attackers so every command entered by the attacker becomes a part of log to I. INTRODUCTION the honeypot server. It also stores all tools used by the intruders in records as a forensic machine. The high use of internet in today’s IT world has purged in The given paper describes how the data returned from the the concept of security deployment in the organization so honeypot server is used to write custom IDS rules. Thus as to make it almost immune to various upcoming attack new network architecture is designed to collect the scenarios. One of the critical areas is the protection of response to write custom IDS rules by seeing the data internal network from new attacks. Although the most payload and writing the rules matching the payload. desirable is the deployment of intrusion and prevention system in the network architecture but this system is still II. RELATED WORK vulnerable to zero day attacks. The IDS generally includes signatures for known attacks and generates the alerts for the same but if any new attack penetrates the One of the drawback stumble upon with network intrusion system then it lacks behind. To deal with this problem the detection systems is that the logging of failed connection concept of honeypot can be used along with any packet attempts just occurs when services are not listening on a analyzing tool so as to generate signatures for zero-day scanned port. When a RST signal terminates a TCP attacks in IDS. connection attempt, the system never logs the data packet that the remote machine was trying to send into the network. A honeypot as a one of the greatest security tool
  • 2. suggests a mechanism by completing the connection attempt and providing an attacker a false illusion of accessing the critical servers and then recording the interactions between the honeypot and the remote machine. Honeypot placement is one of the greatest issues to be taken care of to optimize the efficiency of the implemented Intrusion Detection System. Various network architectures are presented till now to achieve the aforesaid motive but the basic idea behind this as we suppose is detection of hackers scripts and actions to penetrate into the system and henceforth the proposed architecture is presented which will help the organizational security to build up patches for the existing loophole and make their system robust and stringent to attack scenarios. III. PROPOSED DESIGN AND IMPLEMENTATION Fig 1.1 Deployment of IDS & honeypot in the LAN Architecture In this configuration, main network is a “TCP/IP based In this section we outline the requirements of the network” which contains clients and servers. Snort 2.0 is proposed infrastructure which is considered as a solution used as IDS and is capable to be configured with server. to decrease the malicious inflow of packets in the Honeyd is a honeypot system that is configured as a organizational environment and enhance the efficiency of separate server and is connected to the main server. We IDS system deployed. assume a”switched network” in our approach, with a configurable switch which is connected to the main server The real honeypot server is used to safeguard the main and the respective clients. As the LAN architecture is server from if the hacker is able to compromise the developed in within a primary network henceforth the honeypot server. Although it is hard to implement the real server is supported with two Ethernet cards eth0 and eth1. honeypot but it is desirable for large organizations as such Eth0 directs the internet connection to the main sever and servers do not hamper the production process in the eth1 manages the intranet traffic within the private LAN organization and only IT staff is able to access the 192.168.0.1. required logs. Neither the attacker nor the organizational The attacker first performs a ping sweep attack to detect staff knows where honeypot is placed. the available servers in the network and the honeypot server entices him to perform attacks to penetrate the The given network architecture is used to develop an network. Once the requests are directed to the honeypot understanding as to why and how honeypots are used to server the incoming connection is established with the enhance the work of IDS system. attacking system. As the attacker gets a feel of entering into the server it performs all his efforts to penetrate into different servers. Honeypot gives him the illusion of different servers and constantly interacts with him to record his activities and send the specific response to the syslog server for future analysis and investigation.
  • 3. IV. EXPERIMENTAL SETUP %01/..%01/..%01/..%01/..%01/..%01/..%0 1/..%01/..%01/..%01/. To implement honeypot an additional tool Arpd is .%01/..%01/..%01/..%01/..%01/..%01/..% embedded in it. Honeypot cannot do everything alone and 01/..%01/..%01/..%01/ ..%01/..%01/..%01/..%01/..%01/..%01/.. requires the help of Arpd. Arpd is used for ARP spoofing; %01/..%01/..%01/..%01 this is what actually monitors the unused IP space and /..%01/..%01/..%01/..%01/..%01/..%01/. directs the attacks to the honeypot. Honeyd is only able to .%01/..%01/..%01/..%0 interact with attackers. For example if the aim is to 1/..%01/..%01/..%01/..%01/..%01//etc/s monitor all the unused IPs in the 192.168.1.0/24 network, hadow HTTP/1.1 the required commands to start both Arpd and Honeyd are Host: 202.174.22.145:10000 as follows: It is visible that the attacking port is 10000 thus port 10000 is of interest. The various ip addresses from where arpd 192.168.0.1/24 such request came can be filtered using tcpdump analysis. honeyd -p nmap.prints -f honeyd.conf 192.168.0.1/24 Based on the commands, the Arpd process monitors the B. Results and Discussion unused IPs, directs all corresponding attacks to the honeyd and spoofs the victim’s IP address with the MAC Once the analysis is done now it is the time to write the address of the honeypot. For the honeyd command –p snort rule. By the analysis of the payload it is visible that nmap.prints refers to the nmap fingerprint database and -f the string started with “GET/unauthenticated/” honeyd.conf is the honeyd configuration file. thus following snort rule can be set: Once the installation is honeypot server is completed the alert tcp $EXTERNAL_NET any -> traffic directed to honeypot server is dumped o other $192.168.0.1 10000 (content:"GET /unauthenticated/"; system using packet analyzing tool tcpdump with the help msg:"Get unauthenticated";) of following command: tcpdump -nn -x -s 1500 host 192.168.0.145 -w store.cap Now any attack coming from the specified port will The tcpdump command will dump all the malicious generate the alert to the administrator of penetration for packets directed to the honeypot and hence will help in unauthorized access in the network environment by the writing the snort rule set by analyzing the payload. attacker. If the set rule has to be further customized then the A. Writing of Snort Rules: following payload can be added: alert tcp any any -> any 10000 Penetrating in the network to gain access by getting the (content:"GET /unauthenticated/..%01/..%01/"; msg:"Get etc/passwd file in the Linux environment or the password unauthenticated";) shadow file i.e. etc/shadow which contains the username The point of concern here is that adding too much of and password of all users. No such rule is defined in the payload may result in false negatives which will overall latest snort rule set. Suppose you get the following log lower down the implementation of snort in organizational generated in honeypot: network. # cat 44F75D6380122.shell :::::::::::::: V. CONCLUSION GET/unauthenticated/..%01/..%01/..%01/ ..%01/..%01/..%01/..% The Intrusion detection system can only give the optimum 01/..%01/..%01/..%01/..%01/..%01/..%01 /..%01/..%01/..%01/.. benefit if it is also able to detect those attacks for which
  • 4. signatures are not defined in its database. The area of work will be to give attention to this Snort limitation and thus increasing the scalability and responsiveness of the system towards the various types of attacks so as to achieve the motto of building a smart agile and secure system to face the new challenges of technological arena. Though honeypot deployment is a cost-effective solution for the security of large organization but in future refinement is required to elimination false alarm generations. REFERENCES 1. Vidar Ajaxon Grønland: Building IDS signatures by means of a honeypot Norwegian Information system Laboratory. 2. Chi-Hung Chi , Ming Li Dongxi Liu : A method to obtain Signatures From Honeypots Data, School of Computing National University of Singapore 3. Babak Khosravifar, Jamal Bentahar: An Experience Improving Intrusion Detection Systems False Alarm Ratio by Using Honeypot. Department of Electrical and Computer Engineering, Concordia University 4. Greg M. Bednarski and Jake Branson: Understanding Network Threats through Honeypot Deployment, Carnegie Mellon University March 2004. 5. Richard Hammer : Enhancing IDS using, Tiny Honeypot SANS Institute InfoSec Reading Room 6. Solution Base: What you need to know about honeypots http://articles.techrepublic.com.com/5100- 22_11-5758218.html