Posts Tagged ‘noah’

NoAH: a versatile tool for every ISP’s toolbox

Wednesday, July 9th, 2008

The primary purpose of the NoAH system is the detection of unauthorized activity on organizational data networks. It does this by monitoring the activity on all the unused IPs in your network. Any attempted connection to an unused IP address is assumed to be unauthorized or malicious activity. Where a system's IP address is in use, the system (honey@home) can instead monitor its unused service ports and report activity on them.

Although the aim of the project is to help NRENs and ISP companies, feedback from them is crucial, since the main attacks are committed through their networks. Using the NoAH system can help detect, monitor and report suspect activities in real time.

Main features of the NoAH system:

  • Provide source of data for security analysis.
  • Produce attack signatures for further use (integration with IDS, firewalls and other network protection tools).
  • It has few false positives, low cost and low risk.
  • It does not capture legitimate users' traffic (no sensitive data).
  • Help the security teams understand the threats they face and how to defend against them.
  • Raw data available for the administrators.
  • Easy to adapt new honeypots on the company’s network.
  • Open-source software.
  • Contribute to a large network of Honeypots.

NoAH floats its ideas at TNC 2008

Monday, July 7th, 2008

The 2nd NoAH workshop was held on 20 May 2008 in Bruges, Belgium. This was organised as two parallel sessions within the wider TERENA Networking Conference (TNC 2008), and attracted more than 60 participants. The objective was to present the current activities of the European Commission-funded NoAH project, as well as other relevant work related to honeypots.


Story of an Attack

Monday, June 16th, 2008

Our Windows 2000 Server honeypot in the NoAH testbed was attacked on 2nd June 2008. This is the story of this attack. The rough picture is:

  • The attacker connected from to our win2k server honeypot.
  • The aim was to exploit a vulnerability in the WINS service at port 42.
  • Date was 2nd June 2008 18:45 GMT +0200.
  • The attack was not detected by the Snort IDS.
  • Argos raised an alert of type “RET”.
  • The EBP contained the value 0x90909090, which obviously results from a stack buffer overflow. Thus, a false positive can be excluded.

Update for Windows Honey@home software

Friday, May 16th, 2008

An updated version of Windows Honey@home has been released. The new version has been developed using the Microsoft .NET 2.0 framework. New features in this version include an installation wizard, a registration wizard, a settings manager and automatic updating.

The application is available from the Honey@home website. Continue reading for more details on the new features.


NoAH Router ready to catch attacks

Monday, March 31st, 2008

The NoAH Router developed in the context of NoAH has successfully passed the last tests and is now ready to catch attacks on the Internet.

The innovative concept of the NoAH Router makes it possible to detect suspicious flows that are currently not seen by the existing honeypots. Installed on a router at the heart of the Internet, it can identify and redirect flows coming from scanning bots even if the targeted machines are not under monitoring.

During the next phase, the capacity of the NoAH Router for preventing zero-day attacks will be evaluated in a live environment. Keep an eye on the blog for further updates on the NoAH router.

Got Honey?

Tuesday, February 5th, 2008

Welcome! This is the blog of the NoAH project. NoAH is an EU-funded project that aims to develop a pilot infrastructure for automatically gathering and analyzing information about Internet cyber-attacks and their nature.

This blog is authored by members of the NoAH consortium. Its main purpose is to discuss the latest news (good or bad) on honeypots, worms, malware and IT security and defense in general. Of course, there will also be posts regarding the news of the NoAH project (workshops, published papers, articles, etc.).

Currently the consortium is preparing the organization of the 2nd NoAH workshop. It will be held between 19 and 22 May 2008 as one of the 2008 TERENA Networking Conference sessions in Bruges, Belgium. Stay tuned for updates!