robin.berthier's blog

Honeybrid testing

Second milestone reached! Honeybrid has now all its functionalities working and it's time for testing. In order to check that everything works efficiently, I deployed a Windows honeypot to receive traffic from five /24 unused subnets during half an hour. Here are the details of this experiment.

Configuration

Here is a overall diagram of the testing architecture:

(Internet) <=====> [NATing Gateway with Honeybrid] <-------> [Windows Honeypot]

The NATing gateway was configured with the following iptables rules:

Bison/Flex parser

This week I completed an important step which is to integrate a parser in Honeybrid. There are now two new files in the source code:

How to transparently redirect a TCP connection

TCP was built to allow 2 hosts to exchange a stream of packets reliably. Honeybrid must add a third host to this operation when it decides to investigate further a connection. The keys for this process to work are: 1) a replay process that gets the high interaction honeypot to the same state than the low interaction honeypot; and 2) a forwarding process that translates not only IP addresses but also TCP sequence and acknowledgement numbers. Here is how things work in detail:

Honeybrid: combining low and high interaction honeypots

The goal of this post is to introduce myself and my project: my name is Robin Berthier and I just got my PhD from the University of Maryland. I'll be working this summer on improving Honeybrid, a hybrid honeypot architecture. I've been working with honeypot technologies for the past 4 years, and Honeybrid represents a central part of my dissertation. 

Syndicate content