Data Collection
The honeywall has several methods to collect data from the honeypots. The following
information sources are forged together into a common format called hflow:
• Argus flow monitor
• Snort IDS
• p0f passive OS detection
• Sebek defensive rootkit data from honeypots
• Pcap traffic capture
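As an added illustration (not code from the honeywall, and not the real hflow schema), the following shows how records from these sources can be correlated on a flow key into one record per connection; every record format and value below is a constructed stand-in.

```python
"""Correlate honeywall data sources by flow key into one hflow-like record."""

# Constructed sample records (not real honeywall output); the tuple layouts
# are simplified stand-ins for Argus, Snort, p0f and Sebek data.
ARGUS_FLOWS = [  # (proto, src, sport, dst, dport, bytes)
    ("tcp", "10.0.0.5", 40311, "192.0.2.10", 22, 8410),
    ("tcp", "10.0.0.5", 40312, "192.0.2.10", 80, 1203),
]
SNORT_ALERTS = [  # (proto, src, sport, dst, dport, msg)
    ("tcp", "10.0.0.5", 40311, "192.0.2.10", 22, "SSH brute-force attempt"),
]
P0F_GUESSES = {"10.0.0.5": "Linux 2.6"}  # source IP -> passive OS guess
SEBEK_KEYSTROKES = [  # (honeypot, src, sport, line typed on the honeypot)
    ("192.0.2.10", "10.0.0.5", 40311, "uname -a"),
]


def flow_key(proto, src, sport, dst, dport):
    """The 5-tuple every network-level source can be joined on."""
    return (proto, src, sport, dst, dport)


def build_hflow(flows, alerts, os_guesses, keystrokes):
    """Return a dict keyed by flow 5-tuple that merges all four sources."""
    hflow = {}
    for proto, src, sport, dst, dport, nbytes in flows:
        hflow[flow_key(proto, src, sport, dst, dport)] = {
            "bytes": nbytes,
            "src_os": os_guesses.get(src, "unknown"),
            "alerts": [],
            "keystrokes": [],
        }
    for proto, src, sport, dst, dport, msg in alerts:
        rec = hflow.get(flow_key(proto, src, sport, dst, dport))
        if rec is not None:  # an alert with no matching flow is dropped
            rec["alerts"].append(msg)
    for honeypot, src, sport, line in keystrokes:
        # Sebek reports the honeypot and the attacker's endpoint but not the
        # protocol, so match on those three fields only.
        for (_, fsrc, fsport, fdst, _), rec in hflow.items():
            if fsrc == src and fsport == sport and fdst == honeypot:
                rec["keystrokes"].append(line)
    return hflow


def suspicious_flows(hflow):
    """Flows an analyst should look at first: any alert or any keystrokes."""
    return sorted(k for k, r in hflow.items() if r["alerts"] or r["keystrokes"])
```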
Data Analysis
The Walleye web interface offers an unprecedented level of querying of attack and forensic
data. From the initial attack, to capturing keystrokes, to capturing zero-day exploits
of unknown vulnerabilities, the Walleye interface places all of this information at your
fingertips.
As can be seen in Figure 20-1, the interface is an analyst's dream. Although the author
of this chapter served as the lead developer for roo, I think you will agree that this is "not
your father's honeynet" and really deserves another look if you are familiar with Gen II
technology.
There are many other new features of the roo Gen III Honeynet (too many to list
here) and you are highly encouraged to visit the honeynet.org website for more details
and white papers.
Chapter 20: Collecting Malware and Initial Analysis
Thwarting VMware Detection Technologies
As for the attackers, they are constantly looking for ways to detect VMware and other
virtualization technologies.