A fairly decent honeypot
Honeypots are useful for identifying malicious traffic on a production network or for conducting research on malicious network traffic. There are various types of honeypots, ranging from very complex to relatively simple systems. This article describes the setup and configuration of a low interaction honeypot that can be used in a production environment or for basic research.
Requirements
This honeypot is Windows based, so Windows 2000 (and above) or Windows XP (and above) is required. Either a dedicated computer or a virtual machine (VM) can be used. The computer or VM should be dedicated to running the honeypot only; do not use an existing server or workstation that serves another purpose. For virtual machines, two very good and free options are VMware Server or VirtualBox. Fortunately, the honeypot does not require many system resources; reasonable minimum requirements are 10 gigabytes of hard disk space and 512 megabytes of RAM.
The following software will be used:
- MySQL Community Server – A database server, used for storing Snort alerts
- Snort – An Intrusion Detection System (IDS), used to identify malicious traffic based on signatures
- WinPcap – A packet capturing engine used by Snort
- HoneyBOT – A low interaction honeypot, used to open listening ports, emulate services, and log interaction
Note: If desired, a simpler honeypot can be implemented by installing and configuring only HoneyBOT. In that scenario MySQL and Snort are not required.
Network Architecture
The network architecture for this honeypot can be basic. The honeypot must reside behind a firewall, which may be a physical device on the network or a software firewall configured on the honeypot system itself. Whichever is used, the firewall should permit inbound traffic only to the ports the honeypot emulates and should restrict outbound connections from the honeypot, so that a compromise of the honeypot cannot be used as a staging point against other systems. It is assumed that the reader has basic networking knowledge and is capable of determining an appropriate network configuration.
Installation
Once the Windows operating system is up and running, any pending Windows patches should be applied.
MySQL
Run the MySQL installer; after the installation completes, the setup wizard will launch. The following selections are recommended for a basic setup:
Set concurrent connections to 5; this should be more than sufficient.
Set the port number to 63306. This is a non-standard port for MySQL; the port is changed so that malicious traffic aimed at the default MySQL port (3306) is handled by the honeypot software rather than by the real database server.
Uncheck "modify security settings" to leave the MySQL root user password blank. This is only tolerable because MySQL will be bound to the loopback interface in the configuration section below; if desired, a password can be set after configuration is complete. See the MySQL documentation on managing the root user account.
Click execute to complete the setup wizard.
Snort
Run the Snort installer and be sure to choose the option below. The default options on the remaining screens are sufficient.
WinPcap
Run the installer; all default options are sufficient. Be sure to leave the option "Automatically start the WinPcap driver at boot time" checked.
HoneyBOT
Run the installer; all default options are sufficient.
Configuration
MySQL
A modification needs to be made to the my.ini file to bind MySQL to the local host only. This prevents any external connections to the database; only processes on the honeypot itself (Snort, in this setup) can reach it. In the my.ini file, add the following line in the SERVER SECTION after the line [mysqld]:
bind-address=localhost
Example:
[mysqld]
bind-address=localhost
port=63306
Save the changes and restart the MySQL service. Next, open a command prompt and create the snort database by running the following command:
mysql -u root -e "create database snort"
Note: If a password has been set for the root user, add -p to the command and MySQL will prompt for the password. See the MySQL documentation for guidance.
Next, the schema for the Snort database needs to be created. The SQL file that creates the schema is provided by the Snort installation and is located under C:\Snort\schemas. Run the following command:
mysql -u root snort < C:\Snort\schemas\create_mysql
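After the service restart it is worth confirming that the bind-address and port changes actually took effect, since a my.ini line placed in the wrong section is silently ignored. The following script is an added example and not part of the original article or of any of the tools it describes: it parses the output of Windows' netstat -an and reports if the relocated MySQL port (63306) is reachable on anything other than the loopback address. The sample netstat output is constructed, the honeypot address 192.168.1.50 is an assumption, and the script assumes HoneyBOT has been configured to listen on the default MySQL port 3306 so that probes land on the honeypot rather than on the database.

```python
"""Verify that MySQL on the honeypot listens only on the loopback interface."""
import re
import subprocess
from typing import List, Tuple

# Constructed sample of "netstat -an" output in the format Windows prints it
# (not captured from a real honeypot). This is the desired state: MySQL on
# 127.0.0.1:63306 only, and the default MySQL port 3306 open on all
# interfaces for HoneyBOT to answer (assumed HoneyBOT configuration).
NETSTAT_GOOD = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:63306        0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.50:3306      203.0.113.5:41022      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# The same host with the bind-address line missing from my.ini: the real
# database is reachable from the network on the non-standard port.
NETSTAT_BAD = NETSTAT_GOOD.replace("127.0.0.1:63306", "0.0.0.0:63306")

# Proto, local addr:port, foreign addr:port, optional state (UDP has none).
LISTENER_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(netstat_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local address, local port) for every listening TCP
    socket and every bound UDP socket in Windows netstat -an output."""
    listeners = []
    for line in netstat_output.splitlines():
        match = LISTENER_RE.match(line)
        if not match:
            continue                      # banner, column header or blank line
        proto, addr, port, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established / time-wait connections
        listeners.append((proto, addr, int(port)))
    return listeners


def check_mysql_binding(listeners, mysql_port: int = 63306) -> List[str]:
    """Findings for the relocated MySQL port. An empty list means the
    configuration matches the article: bound to loopback and nothing else,
    with the default port left free for the honeypot."""
    findings = []
    mysql_addrs = [addr for proto, addr, port in listeners
                   if proto == "TCP" and port == mysql_port]
    if not mysql_addrs:
        findings.append(f"nothing is listening on TCP {mysql_port}; is the "
                        "MySQL service running and port= set under [mysqld]?")
    for addr in mysql_addrs:
        if addr not in LOOPBACK:
            findings.append(f"MySQL port {mysql_port} is bound to {addr}; add "
                            "bind-address=localhost under [mysqld] and restart")
    # Assumption: HoneyBOT is expected to own the default MySQL port.
    if not any(proto == "TCP" and port == 3306 for proto, _, port in listeners):
        findings.append("nothing is listening on TCP 3306, so the honeypot is "
                        "not emulating MySQL on the default port")
    return findings


if __name__ == "__main__":
    live = subprocess.run(["netstat", "-an"], capture_output=True,
                          text=True, check=True).stdout
    for finding in check_mysql_binding(parse_listeners(live)) or ["MySQL binding OK"]:
        print(finding)
```

Run it on the honeypot after every restart of the MySQL service; the only acceptable result is "MySQL binding OK". Note that the check cannot tell which process owns port 3306 (netstat -ano would add the PID), so it reports only that something is listening there.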
Snort
Before configuring Snort, the latest Snort rules need to be downloaded from the Snort web site. A free registration is required to download the "registered-user release" rule set; this rule set receives new signatures 30 days after their initial release. Follow the instructions on the Snort web site on creating an account and downloading the rules. Once the rules are downloaded, extract the archive and copy all of its contents to the directory where Snort is installed (i.e. C:\Snort).
To configure Snort, the snort.conf file needs to be modified. First, configure Snort to log output to the MySQL database. Locate the "Configure output plugins" section and, under the "database" section, add the following line:
output database: log, mysql, user=root dbname=snort host=localhost port=63306
Note: if the MySQL root user has a password, append the "password=<the password>" option to that line. Since this puts the database password in a plain text file, restrict access to snort.conf to the account that runs Snort.
Next, several tweaks are needed to get Snort to run properly on Windows. Depending on the Snort release, the needed tweaks may vary. A good guide for installing Snort on Windows can be found here. Below are instructions for tweaking the snort.conf file as of the 2.8.6 Snort release.
The process for repairing the snort.conf file is as follows:
1. Start Snort via the command line. (Adding the -T switch makes Snort parse the configuration, report any errors, and exit without entering packet capture mode, which is convenient for this loop.)
cd C:\Snort\bin
snort -v -l C:\Snort\log -c C:\Snort\etc\snort.conf
2. Review the error message and repair the offending line in snort.conf.
Repeat the steps above until all errors are resolved and Snort starts successfully. When configuring Snort 2.8.6, use this guide to repair errors that may be encountered.
Note: these instructions provide a very basic Snort configuration. To implement more advanced configurations and to troubleshoot errors not covered in this document, consult the Snort documentation and support forums.
HoneyBOT
When starting HoneyBOT it will automatically start…. From the top menu bar select View -> Options; below are the recommended settings for each tab.
Choose a unique server name. Because this is a honeypot, the server name should suggest a legitimate function, e.g. webserver01.
Windows Login
One of HoneyBOT's shortcomings is that it cannot be run as a system service. At this point in the configuration, if a system reboot is required, HoneyBOT will not start automatically. The workaround is to add a shortcut to the Windows Startup program group and to configure Windows to log in automatically, so that a reboot does not require logging in and starting HoneyBOT by hand. Be aware that Windows auto-login stores the account password in clear text in the registry and that anyone who reaches the console lands in a logged-in session; use an account dedicated to the honeypot and never reuse a password from any other system.
To enable auto login for Windows 2000, follow the instructions in the links below.
autologin_reg_hack (original source)
In addition, Snort needs to be started at system boot or Windows login. See the Snort documentation on how to configure Snort as a Windows service. An alternative is to create a batch file and add a shortcut to it in the Windows Startup program group. The batch file should contain the following (the number after -i is the capture interface index; run snort -W to list the available interfaces and substitute the correct index):
@echo off
C:\Snort\bin\snort.exe -d -i 1 -l C:\Snort\log -c C:\Snort\etc\snort.conf
Conclusion
Once all of the above is configured, reboot the system. Upon reboot, Snort and HoneyBOT will run and begin waiting for malicious traffic. Although malicious events will be collected, the ability to analyze them is limited: SQL scripts may be written to report on Snort alerts from the MySQL database, and HoneyBOT provides some functionality for reviewing the current day's events. A future article will discuss a means for exporting the data and conducting analysis.
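As a starting point for the reporting mentioned above, the following script is an added example (not code from the original article or from the Snort project) that runs two reports over the tables Snort's create_mysql schema creates: the busiest signatures, and the busiest source addresses together with how many different rules and destination ports each one triggered. To run offline it builds a subset of that schema (same table and column names) in an in-memory SQLite database and loads constructed alerts; the signature names, addresses, timestamps and the honeypot address 192.168.1.50 are all made up. Against the honeypot, open the MySQL snort database with any DB-API driver and the two queries run unchanged.

```python
"""Report on Snort alerts using the tables Snort's create_mysql schema defines."""
import ipaddress
import sqlite3

# Subset of Snort's create_mysql schema: the same table and column names as
# the real schema, with the columns the reports do not use left out. Loaded
# into SQLite so the example runs offline; the report queries below use only
# standard SQL and run unchanged against the MySQL "snort" database.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     last_cid INTEGER NOT NULL);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL,
                        sig_priority INTEGER, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                    ip_src INTEGER NOT NULL, ip_dst INTEGER NOT NULL,
                    ip_proto INTEGER NOT NULL, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                     tcp_sport INTEGER NOT NULL, tcp_dport INTEGER NOT NULL,
                     tcp_flags INTEGER NOT NULL, PRIMARY KEY (sid, cid));
"""

HONEYPOT_IP = "192.168.1.50"          # assumed address of the honeypot

# Constructed alerts, not real Snort output. Signature names are made up.
SAMPLE_SIGNATURES = [                 # (sig_id, sig_name, sig_priority, sig_sid)
    (1, "CONSTRUCTED telnet login attempt", 2, 1000001),
    (2, "CONSTRUCTED MySQL authentication probe", 2, 1000002),
    (3, "CONSTRUCTED SMB null session", 3, 1000003),
]
SAMPLE_EVENTS = [    # (cid, sig_id, timestamp, source address, sport, dport)
    (1, 1, "2010-07-01 01:02:03", "203.0.113.5", 51000, 23),
    (2, 1, "2010-07-01 01:02:09", "203.0.113.5", 51001, 23),
    (3, 2, "2010-07-01 01:05:40", "203.0.113.5", 51002, 3306),
    (4, 2, "2010-07-01 02:11:15", "198.51.100.7", 40022, 3306),
    (5, 3, "2010-07-01 02:11:52", "198.51.100.7", 40023, 445),
    (6, 1, "2010-07-01 03:30:00", "203.0.113.9", 60500, 23),
]


def ip_to_int(address: str) -> int:
    """Snort stores IPv4 addresses as unsigned 32-bit integers, the form
    MySQL's INET_ATON/INET_NTOA work on."""
    return int(ipaddress.IPv4Address(address))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def load_sample_db() -> sqlite3.Connection:
    """Create the schema and load the constructed alerts. sid 1 is the single
    sensor; cid is the per-sensor event counter that Snort increments."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'webserver01', 'interface 1', ?)",
                 (len(SAMPLE_EVENTS),))
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)", SAMPLE_SIGNATURES)
    for cid, sig_id, ts, src, sport, dport in SAMPLE_EVENTS:
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig_id, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?, 6)",      # 6 = TCP
                     (cid, ip_to_int(src), ip_to_int(HONEYPOT_IP)))
        conn.execute("INSERT INTO tcphdr VALUES (1, ?, ?, ?, 24)",    # PSH|ACK
                     (cid, sport, dport))
    conn.commit()
    return conn


# LIMIT is substituted as an int() so no user-controlled text reaches the SQL.
TOP_SIGNATURES_SQL = """
SELECT s.sig_name, s.sig_priority, COUNT(*) AS hits
FROM event e
JOIN signature s ON s.sig_id = e.signature
GROUP BY s.sig_id, s.sig_name, s.sig_priority
ORDER BY hits DESC, s.sig_priority ASC
LIMIT {limit}
"""

TOP_SOURCES_SQL = """
SELECT i.ip_src, COUNT(*) AS hits,
       COUNT(DISTINCT e.signature) AS distinct_sigs,
       COUNT(DISTINCT t.tcp_dport) AS distinct_ports
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
GROUP BY i.ip_src
ORDER BY hits DESC, distinct_sigs DESC
LIMIT {limit}
"""


def top_signatures(conn, limit: int = 10):
    """(signature name, priority, hit count), busiest first. Priority 1 is the
    most severe in Snort, so ties are broken towards the more severe rule."""
    cur = conn.cursor()
    cur.execute(TOP_SIGNATURES_SQL.format(limit=int(limit)))
    return [tuple(row) for row in cur.fetchall()]


def top_sources(conn, limit: int = 10):
    """(source address, hits, distinct signatures, distinct destination ports).
    Many ports and rules from one source suggests scanning; many hits on one
    port with one rule suggests brute forcing or exploitation of a service."""
    cur = conn.cursor()
    cur.execute(TOP_SOURCES_SQL.format(limit=int(limit)))
    return [(int_to_ip(src), hits, sigs, ports)
            for src, hits, sigs, ports in cur.fetchall()]


if __name__ == "__main__":
    db = load_sample_db()
    print("Top signatures:")
    for name, priority, hits in top_signatures(db):
        print(f"  {hits:4d}  prio {priority}  {name}")
    print("Top sources:")
    for src, hits, sigs, ports in top_sources(db):
        print(f"  {hits:4d}  {src:15}  {sigs} signatures, {ports} ports")
```

To restrict either report to a window of time, add a WHERE clause on event.timestamp before the GROUP BY; in MySQL the address conversion can also be pushed into the query with INET_NTOA(i.ip_src) instead of being done in Python.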