This Challenge led by netForensics Honeynet team lead Anton
Chuvakin is related to analyzing various log files from a honeynet in
order to determine whether it was compromised, if so how, as well as to
identify various trends in the honeynet activity. All entries are due
Monday May 9. Results will be released Monday May 23. Find the rules
and suggestions for submissions at the SotM
NOTE: On 12 April, two minor corrections were made. First is we updated
the docs to reflect the sanitization address is 11.11.*.*. Second,
we appended a statement to question #3.
Skill Level: Intermediate
We provided some questions below to focus your analysis process. It is
expected that the best entries will go above and beyond the questions
and provide more insight on what really was going on. As usual, a
good compelling argument backed by creative research methodology may
count just as highly as a true answer. You can also earn a prize for your analysis! The top entry
will receive a signed copy of the book Security Warrior by Anton Chuvakin.
As a reference we provide the following key to data:
a. Honeynet IPs sanitized to: 11.11.*.*
b. Our DNS server IPs sanitized to: 22.22.22.* and 23.23.23.*
c. Some other sensitive IPs are sanitized to: 10.22.*.*
Download the Images
b23755326714e39cac91ca881f1ca668 SotM34-anton.tar.gz [MD5]
5e006e9503801dde2d57e44281d784c516601c35 SotM34-anton.tar.gz [SHA1]
The evidence includes:
- Apache logs
- Linux syslogs
- Snort NIDS logs
- iptables firewall logs
- What are the significant events that happened on the honeypot in the time period covered by the logs? Show how you analyzed the data to paint the picture of those events.
- Was the system compromised? How do you know? If yes, how many times and by how many attackers? What would you consider the most compelling evidence of the compromise available if you find that the system was indeed compromised?
- If this were the evidence from a production system, how would you learn that the machine was compromised, given the data available? For this question, assume you do not have the honeynet-specific data streams, such as sebek2 or bash logger, just like in this challenge.
- What else was going on at the system at the same time? What times of "Internet noise" can you categorize, given the data? Is there anything out of the ordinary with the noise levels? What attack and probe types observed actually had a chance of affecting the target?
- Do you think that the time was synchronized between the various monitoring systems (where Snort and iptables logs were collected) and a victim system(where syslog and Apache logs were collected)?
- Describe the procedures and tools of that you used to analyzed all the distinct log sources together.
Anton Chuvakin has provided an official writeup here.
Writeup from the Security Community