Archive for the ‘noah’ Category

NoAH: a versatile tool for every ISP’s toolbox

Wednesday, July 9th, 2008

The primary purpose of NoAH system is detection of unauthorized activity on organizational data networks. It does this by monitoring the activity on all the unused IPs in your network. Any attempted connection to an unused IP address is assumed to be unauthorized or malicious activity. In the case where the system IP is in use the system (honey@home) can monitor unused service ports of the system and report activity.

Even though the aim of the project is to help NRENs and ISPs companies, feedback from them is crucial, since the main attacks committed through their networks. Using NoAH system can help detect, monitor and report suspect activities in real-time.

NoAH system main features:

  • Provide source of data for security analysis.
  • Produce attacks signatures for further use (integration with IDS, firewalls and other network protection tools).
  • It has few false positives, low cost and low risk.
  • It does not capture legitimate users traffic (No sensitive data).
  • Help the security teams understand the threats they face and how to defend against them.
  • Raw data available for the administrators.
  • Easy to adapt new honeypots on the company‚Äôs network.
  • Open-source software.
  • Contribute to a large network of Honeypots.

NoAH floats its ideas at TNC 2008

Monday, July 7th, 2008

The 2nd NoAH workshop was held on 20 May 2008 in Bruges, Belgium. This was organised as two parallel sessions within the wider TERENA Networking Conference (TNC 2008), and attracted more than 60 participants. The objective was to present the current activities of the European Commission-funded NoAH project, as well as other relevant work related to honeypots.

Click to continue reading “NoAH floats its ideas at TNC 2008″

Story of an Attack

Monday, June 16th, 2008

Our windows 2000 server honeypot in the NoAH testbed was attacked on 2nd June 2008. This is the story of this attack. The rough picture is:

  • The attacker connected from to our win2k server honeypot.
  • Aim was to exploit a vulnerability in the WINS service at port 42.
  • Date was 2nd June 2008 18:45 GMT +0200.
  • The attack was not detected by the snort IDS.
  • Argos raised an alert of type “RET”.
  • The EBP contained the value 0×90909090 which results obviously from a stack buffer overflow. Thus, a false positive can be excluded.

Click to continue reading “Story of an Attack”

Update for windows Honey@home software

Friday, May 16th, 2008

Honey@home logoAn updated version of windows Honey@home has been released. The new version has been developed using the Microsoft .NET 2.0 framework. New features in this version include an installation wizard, a registration wizard, settings manager and automatic updating.

The application is available from the Honey@home website. Continue reading for more details on the new features.

Click to continue reading “Update for windows Honey@home software”

Eudaemon: Argos-like protection on the desktop

Tuesday, May 6th, 2008

“Essentially, Eudaemon is a ‘good spirit’ that possesses processes in order to protect them form evil.”

Despite all of the attractive properties of Argos and the various signature generators, we are still missing some attacks: those on the client-side. Honeypots have as a disadvantage that they mostly act like servers and wait for attackers to contact them. However, client-side attacks are on the rise. In such attacks, the client visits a malicious website and is infected by the content. Honeypots never see such attacks.

Moreover, the Argos honeypot only protects the exact configuration that it is actually running on top of its emulator. If the production machines have a slightly different configuration (e.g., a different version of the OS, applications, or plugins), Argos may miss attacks. So, ideally we would like to protect the `real’ machines.

In the Eudaemon project, some of the groundwork is done for implementing techniques to bring Argos-like honeypot technology to the desktop of normal users. In other words: client-side protection. This is a major challenge as the emulator that implements all the required instrumentation to detect attacks incurs a slowdown of a factor 15-20. As a result, running a desktop PC in instrumented mode constantly is probably not acceptable.

Instead, the idea is to take over running processes and force them to continue running in honeypot mode when needed or when possible. For instance, in the former case one may run a browser in honeypot mode when we click on an unknown URL in an email message. The browser is then protected against browser attacks by malicious server content. In the latter case, one may switch all of the user’s networking applications to honeypot mode when the machine is idle. For instance, we may switch to honeypot mode as a screensaver.

The mechanism for doing this is described in the Eudaemon paper presented at EUROSYS 2008 in Glasgow. [bibtex]

NoAH Router ready to catch attacks

Monday, March 31st, 2008

The NoAH Router developed in the context of NoAH has successfully passed the last tests and is now ready to catch attacks on the Internet.

The innovative concept of NoAH Router allows to detect suspicious flows that are currently not seen by the existing Honeypots. Being installed on a router installed at the heart of the Internet, it can identify and redirect flows coming from scanning bots even if the targeted machines are not under monitoring.

During the next phase, the capacity of the NoAH Router for preventing zero-day attacks will be evaluated in a live environment. Keep an eye on the blog for further updates on the NoAH router.

NoAHDB tool version 0.2 is out!

Thursday, March 27th, 2008

NoAHDB is a command line tool that parses the log files that are emitted by the Argos honeypot and populates the tables of a MySQL database. The goal of NoAHDB is to assist the network administrator to collect and analyse all that precious information emmited by the Argos honeypot.

For more information on NoAHDB tool please visit NoAHDB homepage.

NoAH Database Management Interface version 0.0.2 is out!

Tuesday, March 18th, 2008

NoAH Database Management Interface (NOAHIF) is a web application (based on Ruby on Rails web framework) that eases the management of a network of honeypots. Information concerning the location of the sensors/honeypots, the hardware and software configuration of the sensors/honeypots and the services running are easily managed.

For more information on NOAHIF please visit NOAHIF homepage.

Argos version 0.4.0 released

Friday, March 14th, 2008

Finally, the long awaited port to QEMU 0.9.* series is here. Argos v0.4.0 is based upon QEMU v0.9.1.

Some useful changes follow:

version 0.9.1:

  • TFTP booting from host directory (Anthony Liguori, Erwan Velu)
  • Tap device emulation for Solaris (Sittichai Palanisong)
  • Monitor multiplexing to several I/O channels (Jason Wessel)
  • CPU model selection support (J. Mayer, Paul Brook, Herve Poussineau)
  • Read-only support for Parallels disk images (Alex Beregszaszi)
  • SVM (x86 virtualization) support (Alexander Graf)
  • Intel mainstone II board emulation (Armin Kuster)
  • VMware SVGA II graphics card support (Andrzej Zaborowski)

version 0.9.0:

  • Support for relative paths in backing files for disk images
  • Async file I/O API
  • New qcow2 disk image format
  • Support of multiple VM snapshots
  • Linux: specific host CDROM and floppy support
  • SMM support
  • Moved PCI init, MP table init and ACPI table init to Bochs BIOS
  • several x86 and x86_64 emulation fixes
  • Mouse relative offset VNC extension (Anthony Liguori)
  • PXE boot support (Anthony Liguori)
  • ‘-daemonize’ option (Anthony Liguori)

Additional changes, besides the port, include a double taintness check before executing a part of code to ensure attackers’ injected code is always detected at the moment it is first executed. The check is performed whenever a TB is scheduled to be executed, as well as within the translated code whenever EIP is modified. This is to cover TB chaining performed by QEMU to speed up emulation. In the future we might consider disabling chaining, if a single check offers a significant performance gain.

For more information on Argos visit: