Introduction
Honeycomb is a system for automated generation of signatures for network
intrusion detection systems (NIDSs).
The system applies protocol analysis and pattern-detection techniques to traffic
captured on honeypots. Using traffic on honeypots has the major advantage
of concentrating on traffic that can be considered malicious by definition.
Honeycomb is good at spotting worms. For example, Honeycomb creates detailed
signatures for Slammer and Code Red (far more detailed than the typical web
server request line) on a typical end-user DSL connection. But the system
has lots of other potential uses -- it can be applied to any kind of traffic
to actively search for signatures when those are currently not available.
Examples are all those "Does anyone have a signature for program X" questions
on IDS mailing lists -- just run this traffic through Honeycomb
and see what you get. Spam detection is another potential application that
comes to mind.
The system is an extension of the open-source honeypot
honeyd and inspects traffic
inside the honeypot; currently it examines protocol headers as well as payload
data. Integrating Honeycomb with honeyd has several advantages over a
bump-in-the-wire approach:
- It avoids duplication of effort, as honeyd already uses libpcap to capture
the relevant packets.
- It avoids the cold-start issues common to devices like packet normalisers
or NIDSs: honeyd does not just passively listen to traffic but emulates hosts
answering incoming requests, so it knows exactly when a new connection is
started or terminated.
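To make the signature-generation idea concrete, here is an added toy version of the step that turns several honeypot flows into one rule. It is my example, not Honeycomb's code: it assumes longest-common-substring matching as the pattern-detection technique (this page does not name the algorithm), a minimum overlap length before a rule is emitted, and a constructed Flow type with constructed sample flows; the output uses the mixed text/|hex| Snort content notation seen in the Results section below.

```python
from dataclasses import dataclass
from itertools import groupby

@dataclass
class Flow:
    dst: str        # address of the emulated honeypot host that answered
    dport: int      # port of the emulated service
    proto: str      # "tcp" or "udp"
    payload: bytes  # reassembled application payload of the flow

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Dynamic-programming LCS over raw bytes, O(len(a) * len(b))."""
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def snort_content(data: bytes) -> str:
    """Snort mixed notation: printable ASCII literally, other bytes (and | " ; \\) as |XX XX| hex runs."""
    def printable(b):
        return 0x20 <= b < 0x7F and chr(b) not in '|";\\'
    parts = []
    for is_text, run in groupby(data, printable):
        run = list(run)
        parts.append(bytes(run).decode() if is_text else "|" + " ".join(f"{b:02X}" for b in run) + "|")
    return "".join(parts)

def generate_signature(flows, min_len=8):
    """Narrow the pattern to what every flow (all to one service) shares; no rule if the overlap is too short."""
    common = flows[0].payload
    for f in flows[1:]:
        common = longest_common_substring(common, f.payload)
    if len(common) < min_len:
        return None
    f = flows[0]
    tcp_opts = "flags: PA; flow: established; " if f.proto == "tcp" else ""
    return (f'alert {f.proto} any any -> {f.dst}/32 {f.dport} (msg: "Honeycomb {f.proto}/{f.dport} '
            f'common payload"; {tcp_opts}content: "{snort_content(common)}"; )')

# Constructed sample flows (not captured traffic): three probes of one UDP service share a core pattern.
CORE = b"\x01\x01DEMO-PAYLOAD|1|\x00\x7f\x80\xff"
SAMPLE_FLOWS = [Flow("192.168.169.2", 1434, "udp", b"\x04\x01" + CORE + b"1st"),
                Flow("192.168.169.2", 1434, "udp", b"\x04\x02" + CORE + b"2nd"),
                Flow("192.168.169.2", 1434, "udp", b"zz" + CORE + b"3rd")]
```

The min_len threshold is what keeps a one-byte coincidence between unrelated flows from becoming a rule that alerts on everything.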
Availability
Honeycomb should build on at least Linux, FreeBSD and OpenBSD.
Release 0.7 should build with honeyd 1.5 and libevent 1.1.
Refer to the README in the tarball for installation instructions.
Results
I'm gathering Honeycomb-generated signatures here to illustrate how detailed
some of the signatures generated are. Note that all of these signatures were
created automatically, and from repeated intrusions — it is interesting
to see just how much overlap there existed among those flows.
- Here is a signature for the THCIISSLAME.c SSL PCT exploit, submitted by
Jose Faial <jcfaial AT terra.com.br> — thanks!
alert tcp 192.168.1.1/32 any -> 192.168.1.125/32 443 (msg: "Honeycomb SunMay 2 21h51m48 2004 "; flags: PA; flow:
established; content: "|80|b|01 02BD 00 01 00 01 00 16 8F 82 01 00 00 00 EB 0F|THCOWNZIIS!2^|BE 98 EB|#zi|0205|lY|F8 1D
9C DE 8C D1|Lp|D4 03 F0|' 0|08|WS2_32.DLL|01 EB 05 E8 F9 FF FFFF|]|83 ED|*j0Yd|8B 01 8B|@|0C 8B|p|1C AD 8B|x|08
8D|_<|8B 1B 01 FB 8B|[x|01FB 8B|K|1C 01 F9 8B|S$|01 FA|SQR|8B|[ |01 FB|1|C9|A1|C0 99 8B|4|8B 01 FEAC|1|C2 D1 E2 84
C0|u|F7 0F B6|E|058D|DE|04|f9|10|u|E1|f1|10|ZX^VPR+N|10|A|0F B7 0C|J|8B 04 88 01 F8 0F B6|M|0589|D|8D D8 FE|M|05|u|BE
FE|M|04|t!|FE|M"|8D|]|18|S|FF D0 89C7|j|04|X|88|E|05 80|Ew|0A 8D|]t|80|k&|14 E9|x|FF FF FF 89CE|1|DB|SSSSVFV|FF D0
97|UXf|89|0j|10|UW|FF|U|D4|NVW|FF|U|CC|SUW|FF|U|D0 978D|E|88|P|FF|U|E4|UU|FF|U|E8 8D|D|05 0C 94|Sh.exeh\cmd|94|1|D2
8D|E|CC94|WWWSS|FE C6 01 F2|R|94 8D|ExP|8D|E|88|P|B1 08|SSj|10 FECE|RSSSU|FF|U|EC|j|FF FF|U"; )
- Here's CodeRed:
alert tcp 80.0.0.0/8 any -> 192.168.169.2/32 80 (msg: "Honeycomb Mon May 5 16h59m09 2003 "; flags: A; flow: established;
content: "u|08 81|~0|9A 02 00 00 0F 84 C4 00 00 00 C7|F0|9A 02 00 00 E8 0A 00 00 00|CodeRedII|00 8B 1C|$|FF|U|D8|f|0B C0
0F 95 85|8|FE FF FF C7 85|P|FE FF FF 01 00 00 00|j|00 8D 85|P|FE FF FF|P|8D 85|8|FE FF FF|P|8B|E|08 FF|p|08 FF 90 84 00
00 00 80 BD|8|FE FF FF 01|thS|FF|U|D4 FF|U|EC 01|E|84|i|BD|T|FE FF FF|,|01 00 00 81 C7|,|01 00 00 E8 D2 04 00 00 F7 D0
0F AF C7 89|F4|8D|E|88|Pj|00 FF|u|08 E8 05 00 00 00 E9 01 FF FF FF|j|00|j|00 FF|U|F0|P|FF|U|D0|Ou|D2 E8|;|05 00 00|i|BD|
T|FE FF FF 00|\&|05 81 C7 00|\&|05|W|FF|U|E8|j|00|j|16 FF|U|8C|j|FF FF|U|E8 EB F9 8B|F4)E|84|jd|FF|U|E8 8D 85|<|FE FF FF|
P|FF|U|C0 0F B7 85|<|FE FF FF|=|88 88 00 00|s|CF 0F B7 85|>|FE FF FF 83 F8 0A|s|C3|f|C7 85|p|FF FF FF 02 00|f|C7 85|r
|FF FF FF 00|P|E8|d|04 00 00 89 9D|t|FF FF FF|j|00|j|01|j|02 FF|U|B8 83 F8 FF|t|F2 89|E|80|j|01|Th~f|04 80 FF|u|80 FF|U
|A4|Yj|10 8D 85|p|FF FF FF|P|FF|u|80 FF|U|B0 BB 01 00 00 00 0B C0|tK3|DB FF|U|94|=3'|00 00|u?|C7 85|h|FF FF FF 0A 00 00
00 C7 85|l|FF FF FF 00 00 00 00 C7 85|`|FF FF FF 01 00 00 00 8B|E|80 89 85|d|FF FF FF 8D 85|h|FF FF FF|Pj|00 8D 85|`|FF
FF FF|Pj|00|j|01 FF|U|A0 93|j|00|Th~f|04 80 FF|u|80 FF|U|A4|Y|83 FB 01|u1|E8 00 00 00 00|X-|D3 03 00 00|j|00|h|EA 0E 00
00|P|FF|u|80 FF|U|AC|=|EA 0E 00 00|u|11|j|00|j|01 8D 85|\|FE FF FF|P|FF|u|80 FF|U|A8 FF|u|80 FF|U|B4 E9 E7 FE FF FF BB
00 00 DF|w|81 C3 00 00 01 00 81 FB 00 00 00|xu|05 BB 00 00 F0 BF|`|E8 0E 00 00 00 8B|d$|08|dg|8F|"; )
- And here's one for Slammer:
alert udp any any -> 192.168.169.2/32 1434 (msg: "Honeycomb Fri Jul 18 11h46m33 2003 "; content: "|04 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0|B|EB 0E 01 01 01 01 01 01 01|p|AE|B |01|p|AE|B|90 90 90 90 90 90 90 90|h
|DC C9 B0|B|B8 01 01 01 01|1|C9 B1 18|P|E2 FD|5 |01 01 01 05|P|89 E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2_f
|B9|etQhsockf|B9|toQhsend|BE 18 10 AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE 10 10 AE|B|8B 1E 8B 03|=U
|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F1 03 01 04 9B 81 F1 01 01 01 01|Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|
j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF 16 89 C6 09 DB 81 F3|<a|D9 FF 8B|E|B4 8D 0C|@|8D 14 88 C1 E2 04 01 C2 C1 E2 08|
)|C2 8D 04 90 01 D8 89|E|B4|j|10 8D|E|B0|P1|C9|Qf|81 F1|x|01|Q|8D|E|03|P|8B|E|AC|P|FF D6 EB|"; )
Related Publications
Links
- HotNets Talk
- Talk on Honeycomb and Honeypot Technology
- SIGCOMM Poster
- The Honeyd Virtual Honeypot