If any of the users discovers false positives, after these changes please notify the developers immediately. You can get argos from the VU gforge site.

The application is available from the Honey@home website. Continue reading for more details on the new features.

List of improvements

The new version offers numerous improvements over the previous releases:

1. Installation: The Honey@home installer now uses the Microsoft Windows Installer engine. This enables the installer to update existing Honey@home installations, without the user having to uninstall and then reinstall the software.

2. Integrated update mechanism: The software is now capable of identifying when a new version comes out on the Honey@home website. The new version is downloaded as an MSI archive and the software is automatically updated.

3. Registration wizard: The user no longer has to launch a browser to register his Honey@home client. If after the installation it is identified that the software hasn’t been registered, a registration wizard is started and the user is able to register his client without switching to a different application.

4. Settings Manager: No longer has the user to manually edit the configuration files of the software. Now all required changes to the configuration are made through the Honey@home settings manager GUI.

5. Anonymous Routing: The software now includes the components required to route the traffic it captures over TOR. This enhances the overall security of the NoAH infrastructure, as well as the privacy of the user.

6. Improved Visualization: Honey@home now offers three different charts and graphs. The first one is a pie-chart breakdown of the packets received per protocol (TCP, UDP, ICMP, Other). The second is a speed graph which shows the rate at which traffic is captured and injected. The last one shows the TCP and UDP ports that received the most traffic.

7. Misc. Improvements: The new version has a reduced memory footprint. Also it provides novice users with a recommendation for which of the existing network interfaces is suitable for the software.

Screenshots

Network interface recommendation at startup

Honey@home settings manager

Breakdown chart of received traffic per protocol

Traffic rate graph

Top ports graph

The innovative concept of NoAH Router allows to detect suspicious flows that are currently not seen by the existing Honeypots. Being installed on a router installed at the heart of the Internet, it can identify and redirect flows coming from scanning bots even if the targeted machines are not under monitoring.

During the next phase, the capacity of the NoAH Router for preventing zero-day attacks will be evaluated in a live environment. Keep an eye on the blog for further updates on the NoAH router.

For more information on NoAHDB tool please visit NoAHDB homepage.

For more information on NOAHIF please visit NOAHIF homepage.

Some useful changes follow:

version 0.9.1:

• TFTP booting from host directory (Anthony Liguori, Erwan Velu)
• Tap device emulation for Solaris (Sittichai Palanisong)
• Monitor multiplexing to several I/O channels (Jason Wessel)
• CPU model selection support (J. Mayer, Paul Brook, Herve Poussineau)
• Read-only support for Parallels disk images (Alex Beregszaszi)
• SVM (x86 virtualization) support (Alexander Graf)
• Intel mainstone II board emulation (Armin Kuster)
• VMware SVGA II graphics card support (Andrzej Zaborowski)

version 0.9.0:

• Support for relative paths in backing files for disk images
• Async file I/O API
• New qcow2 disk image format
• Support of multiple VM snapshots
• Linux: specific host CDROM and floppy support
• SMM support
• Moved PCI init, MP table init and ACPI table init to Bochs BIOS
• several x86 and x86_64 emulation fixes
• Mouse relative offset VNC extension (Anthony Liguori)
• PXE boot support (Anthony Liguori)
• ‘-daemonize’ option (Anthony Liguori)

Additional changes, besides the port, include a double taintness check before executing a part of code to ensure attackers’ injected code is always detected at the moment it is first executed. The check is performed whenever a TB is scheduled to be executed, as well as within the translated code whenever EIP is modified. This is to cover TB chaining performed by QEMU to speed up emulation. In the future we might consider disabling chaining, if a single check offers a significant performance gain.

For more information on Argos visit: http://www.few.vu.nl/argos