
5.9. Honeycomb

As you might have already noticed, Honeyd is a complex system, and in addition to built-in features, it also provides a plug-in[3] system for other developers to extend its functionality. A Honeyd plug-in can intercept and modify both inbound and outgoing traffic. The best-known Honeyd plug-in is Honeycomb, developed by Christian Kreibich at the University of Cambridge [51].

[3] In fact, Christian developed Honeyd's plug-in architecture so he could use it for Honeycomb.

Living inside Honeyd, Honeycomb applies protocol analysis and pattern-detection techniques to all honeypot traffic and automatically generates signatures for network intrusion detection systems such as Snort or Bro. By concentrating on honeypot traffic, Honeycomb takes advantage of the fact that traffic to honeypots has a much higher likelihood of being malicious.

One of Honeycomb's main strengths is spotting worms. See Figure 5.11 for an example of a very detailed Slammer signature generated on a typical end-user DSL connection. Besides generating worm signatures, Honeycomb has many other potential uses. Its algorithms can be applied to any kind of traffic to search for signatures when none are currently available. For example, Honeycomb makes it easy to answer a question like "Does anyone have a signature for application XYZ?" You just need to run the appropriate traffic through Honeycomb and see what signatures it generates.

Figure 5.11. A Snort signature for the Slammer worm automatically generated by Honeycomb.

alert udp any any -> 192.168.169.2/32 1434 (msg: "Honeycomb Fri Jul 18 \
 11h46m33 2003 ";
content: "|04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
 DC C9 B0|B|EB 0E 01 01 01 01 01 01 01|p|AE|B |01|p|AE|B|90 90 90 90 90 90
 90 90|h |DC C9 B0|B|B8 01 01 01 01|1|C9 B1 18|P|E2 FD|5 |01 01 01 05|P|89
 E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2_f
 |B9|etQhsockf|B9|toQhsend|BE 18 10 AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|
F0|P|FF 16|P|BE 10 10 AE|B|8B 1E 8B 03|=U |8B EC|Qt|05 BE 1C 10 AE|B|FF 16
 FF D0|1|C9|QQP|81 F1 03 01 04 9B 81 F1 01 01 01 01|Q|8D|E|CC|P|8B|E|C0|P|FF
 16|j|11| j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF 16 89 C6 09 DB 81
 F3|<a|D9 FF 8B|E|B4 8D 0C|@|8D 14 88 C1 E2 04 01 C2 C1 E2 08| )|C2 8D 04 90
 01 D8 89|E|B4|j|10 8D|E|B0|P1|C9|Qf|81 F1|x|01|Q|8D|E|03|P|8B|E|AC|P|FF D6
 EB|"; )
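The signature generation described above, reduced to its core as an added example (not Honeycomb's own code): payloads the honeypot received are grouped by destination port, each group is narrowed to its longest common substring (the pattern-detection technique the Honeycomb paper describes), and the result is emitted as a Snort rule in the same form as Figure 5.11. The honeypot address, rule message, and sample packets are constructed for the example.

```python
from collections import defaultdict

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Dynamic-programming LCS over raw bytes, O(len(a) * len(b))."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def snort_content(pattern: bytes) -> str:
    """Snort content: syntax: printable ASCII literal, everything else |hex|."""
    out, hex_run = [], []
    for byte in pattern:
        if 0x20 <= byte < 0x7F and chr(byte) not in '|";\\':  # Snort specials
            if hex_run:
                out.append("|" + " ".join(hex_run) + "|")
                hex_run = []
            out.append(chr(byte))
        else:
            hex_run.append(f"{byte:02X}")
    if hex_run:
        out.append("|" + " ".join(hex_run) + "|")
    return "".join(out)

def generate_rules(packets, honeypot_ip, msg, min_len=8):
    """packets: (dst_port, payload) pairs. One rule per port whose payloads share
    at least min_len bytes; shorter patterns would match too much benign traffic."""
    by_port = defaultdict(list)
    for port, payload in packets:
        by_port[port].append(payload)
    rules = []
    for port, payloads in sorted(by_port.items()):
        pattern = payloads[0]
        for p in payloads[1:]:  # narrow to the substring shared by every sample
            pattern = longest_common_substring(pattern, p)
        if len(payloads) >= 2 and len(pattern) >= min_len:
            rules.append(f'alert udp any any -> {honeypot_ip}/32 {port} '
                         f'(msg: "{msg}"; content: "{snort_content(pattern)}"; )')
    return rules

# Constructed sample traffic: three 1434/udp probes sharing a Slammer-like prefix.
PACKETS = [(1434, b"\x04" + b"\x01" * 12 + b"hel32hkernQhounthickChGetTf" + t)
           for t in (b"\xaa\xbb", b"\xcc", b"")] + [(80, b"GET / HTTP/1.0\r\n\r\n")]
```

Calling `generate_rules(PACKETS, "192.168.169.2", "Honeycomb example")` yields a single rule for port 1434; the lone HTTP request has nothing to be compared against and produces none.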


Using Honeyd's plug-in interface, Honeycomb examines all protocol headers and payload data. Deploying Honeycomb within Honeyd has the following advantages over just sniffing traffic directly:

To write your own plug-in, you need to study the Honeyd source code in detail and figure out which hooks are provided. Although a detailed description of this interface is outside the scope of this book, we hope the Honeycomb example gives you a better idea of how to extend Honeyd's capabilities even further.
