[unisog] Worm Detection Tools
Darden, Patrick S.
darden at armc.org
Mon Sep 24 12:22:10 GMT 2007
Hi Dave,
I think what you are looking for is HoneyD. HoneyD is an Open Source project that allows one PC/server to emulate over 65,000 virtual PCs/servers. You can have each one emulating a different OS, offering different services. E.g.:
1 PC with 1,000 IP addresses
ip1 win nt 4.0, ftp, cifs, iis
ip2 red hat 9, smtp, pop, imap
ip3 solaris 9, xwindows, nfs, ftp
...
You can find information about it here: http://www.honeyd.org/
Basically, it works on Unix/Linux/Windows. It uses pre-made templates to help automate honeypot creation. It responds to Nmap fingerprinting etc. appropriately, so nmap thinks ip1 above is a win nt 4.0 machine. The services are served by scripts, so pop, telnet, smtp, http, etc. respond appropriately (correct responses are emulated).
It also includes "backdoor" honeypot scripts. So if you want to emulate a machine that has been compromised by the Kuang2 virus, you can.
--Patrick Darden
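The post describes honeyd serving each emulated port with a script that produces protocol-correct responses. The following is an added illustration of that idea, not code from the thread or from the honeyd project: a small SMTP emulation script written the way a honeyd service script works, speaking the protocol on stdin/stdout and recording what the remote side sends. The hostname, banner and reply texts are constructed to look like the "red hat 9, smtp" template in the post; nothing is ever delivered. Binding it into a template would be a line such as `add linux tcp port 25 "python3 smtp-emul.py"` (assumed honeyd config syntax, shown only for orientation).

```python
#!/usr/bin/env python3
"""Minimal SMTP service emulation in the style of a honeyd service script.

honeyd hands a service script the connection on stdin/stdout, so the
script only has to speak the protocol there. This hypothetical script
answers a plausible subset of SMTP, accepts mail into a counter instead
of delivering it, and writes a record of each client line to stderr so
the operator can keep a log of what hit the honeypot.
"""
import sys
from datetime import datetime, timezone

# Constructed values for the fake Red Hat 9 mail host; not a real system.
HOSTNAME = "mail.example.test"
BANNER = f"220 {HOSTNAME} ESMTP Sendmail 8.12.8/8.12.8; ready"


def new_state():
    """Per-connection state: are we inside DATA, what was recorded so far."""
    return {"in_data": False, "messages": 0, "rcpts": [], "helo": ""}


def log(event):
    """Record one observation on stderr (operator can redirect to a file)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(f"{ts} smtp-emul {event}", file=sys.stderr)


def respond(line, state):
    """Return (reply, closed) for one client line; reply is None when the
    line is swallowed silently (message body inside DATA)."""
    text = line.rstrip("\r\n")
    if state["in_data"]:
        if text == ".":
            state["in_data"] = False
            state["messages"] += 1
            return "250 2.0.0 Message accepted for delivery", False
        return None, False
    parts = text.split(" ", 1)
    verb = parts[0].upper()
    arg = parts[1].strip() if len(parts) > 1 else ""
    if verb in ("HELO", "EHLO"):
        state["helo"] = arg
        return f"250 {HOSTNAME} Hello {arg or 'unknown'}", False
    if verb == "MAIL":
        return "250 2.1.0 Sender ok", False
    if verb == "RCPT":
        state["rcpts"].append(arg.partition(":")[2].strip())
        return "250 2.1.5 Recipient ok", False
    if verb == "DATA":
        state["in_data"] = True
        return '354 Enter mail, end with "." on a line by itself', False
    if verb in ("RSET", "NOOP"):
        return "250 2.0.0 OK", False
    if verb == "VRFY":
        return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery", False
    if verb == "QUIT":
        return f"221 2.0.0 {HOSTNAME} closing connection", True
    return f'500 5.5.1 Command unrecognized: "{text}"', False


def run_session(lines):
    """Drive one connection over a list of client lines; returns the list
    of server replies (banner first) and the final state."""
    state = new_state()
    replies = [BANNER]
    for line in lines:
        log(f"client: {line.rstrip()}")
        reply, closed = respond(line, state)
        if reply is not None:
            replies.append(reply)
        if closed:
            break
    return replies, state


if __name__ == "__main__":
    # honeyd convention: the socket is stdin/stdout, so just stream.
    sys.stdout.write(BANNER + "\r\n")
    sys.stdout.flush()
    st = new_state()
    for raw in sys.stdin:
        log(f"client: {raw.rstrip()}")
        rep, done = respond(raw, st)
        if rep is not None:
            sys.stdout.write(rep + "\r\n")
            sys.stdout.flush()
        if done:
            break
    log(f"session end helo={st['helo']!r} rcpts={st['rcpts']} msgs={st['messages']}")
```

The point of the design is that every path returns an RFC-shaped reply code, so a worm probing port 25 sees a mail server and keeps talking, while the honeypot learns the sender's HELO name, recipients and message count without ever relaying anything.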
-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org]On Behalf Of David Lundy
Sent: Friday, September 21, 2007 5:22 PM
To: UNIversity Security Operations Group
Subject: [unisog] Worm Detection Tools
Shortly after the worm onslaught of Fall 2003, we beta tested WormScout.
This product sets up internal honeypot addresses and does TCP resets to
IP addresses showing worm activity. We have been very happy with this
product. It has since morphed into CounterAct which includes additional
capabilities and is a product of ForeScout. Unfortunately this morph
has involved an increased price that puts it out of range for us.
I am interested in what others are using in this IPS space, whether
commercial or open source.
Thanks.
Dave
------------------------------------------------
David Lundy
Assistant IT Security Officer
University of the Pacific
Stockton, CA 95211
Email: dlundy at pacific.edu
_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog