NACS - March 2012
THP: Tunisian Honeynet Project « Saher-Honeynet »
Speaker: Hafidh EL FALEH
Perimeter of the project
The NACS is a member of:
A CSIRT is a team that responds to computer security incidents by providing all the services needed to solve the problem(s), or to support their resolution.
CERT/CSIRT Services
ISAC: Information Sharing and Analysis Center
CEWS Architecture
ISAC: Information Sharing and Analysis Center
THP: Project Histogram (timeline figure, 2005 to 2011; Honeywall)
Tools used in the current configuration (2500 public IP addresses)
Annual evolution of attacks, 2009-2010
Annual evolution of attacks, 2010-2011
Saher-Honeynet Website: Online statistics, www.honeynet.tn
Saher-Honeynet Website: « Dashboard », www.honeynet.tn/dashboard
Ideas for GSoC 2012
IP Reputation Database: design and specify a tool that interfaces with many honeypot tools (dionaea, glastopf, kippo, ...) and maintains an up-to-date database for checking the reputation of any IP address against its historical logs.
Provide web access (web services) to this tool: automatically obtain the source IP, return information on its reputation history, and send the necessary instructions for the cleaning process.
Ideas for GSoC 2012
Black-List Generator: create an up-to-date list of malicious domains and hosts from the malware collected. Select equipment profiles to generate ACLs (firewall, IDS/IPS, proxy, ...). Design and specify the techniques for the black-list tool. Share the black-list online.
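The two GSoC ideas above (an IP reputation database fed by honeypot sensors, and a black-list generator producing ACLs per equipment profile) fit together in one small tool. The following is an added example, not code from the Saher-Honeynet project; the `sensor|timestamp|src_ip|detail` event format, the sensor weights and the score threshold are assumptions made for the example, not the real dionaea/glastopf/kippo log formats.

```python
# Added example: reputation store fed by honeypot events + ACL generator.
# Event format "sensor|timestamp|src_ip|detail" is an assumption for this
# example; the sample events below are constructed, not real sensor logs.
from collections import defaultdict
from datetime import datetime

SAMPLE_EVENTS = """\
dionaea|2012-03-01T10:02:11|203.0.113.7|smb session, malware sample downloaded
kippo|2012-03-01T10:05:40|203.0.113.7|ssh login attempt root
glastopf|2012-03-02T08:15:03|198.51.100.23|remote file inclusion attempt on /index.php
kippo|2012-03-02T09:00:00|203.0.113.7|ssh login attempt admin
kippo|2012-03-03T11:30:12|192.0.2.44|ssh login attempt root
"""

# Assumed weights: a malware drop seen by dionaea counts more than one
# failed SSH login seen by kippo.
SENSOR_WEIGHT = {"dionaea": 5, "glastopf": 3, "kippo": 1}

def build_reputation(text):
    """Parse events into {ip: {"score": int, "history": [(ts, sensor, detail)]}}."""
    db = defaultdict(lambda: {"score": 0, "history": []})
    for line in text.splitlines():
        sensor, ts, ip, detail = line.split("|", 3)
        db[ip]["score"] += SENSOR_WEIGHT.get(sensor, 1)
        db[ip]["history"].append((datetime.fromisoformat(ts), sensor, detail))
    return dict(db)

def lookup(db, ip):
    """Reputation check for one IP (what the web service would return)."""
    entry = db.get(ip)
    if entry is None:
        return {"ip": ip, "score": 0, "verdict": "unknown", "history": []}
    verdict = "malicious" if entry["score"] >= 5 else "suspicious"
    return {"ip": ip, "score": entry["score"], "verdict": verdict,
            "history": sorted(entry["history"])}

# ACL templates per equipment profile (iptables, Snort and Squid syntax).
PROFILES = {
    "firewall": "iptables -A INPUT -s {ip} -j DROP",
    "ids": 'alert ip {ip} any -> $HOME_NET any (msg:"Saher blacklist hit"; sid:{sid};)',
    "proxy": "acl saher_blacklist src {ip}",
}

def generate_acl(db, profile, threshold=5, base_sid=9000001):
    """One rule per IP whose score reaches the threshold, for the chosen profile."""
    template = PROFILES[profile]
    ips = sorted(ip for ip, e in db.items() if e["score"] >= threshold)
    return [template.format(ip=ip, sid=base_sid + i) for i, ip in enumerate(ips)]
```

Lowering `threshold` widens the black-list; the per-profile templates are where a real deployment would add its own equipment syntax.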
Distributed IDS diagram: ISP 1, ISP 2 and ISP 3 each run an IDS. Steps: (1) extract the list of malicious domains, (2) update the D-IDS rules, (3) watch for logs and save passive DNS detection.
THANKS
http://www.honeynet.tn
hafidh.faleh@gmail.com
http://twitter.com/SaherHoneyNet
http://www.linkedin.com/groups/The-Honeynet-Project-Tunisia-chapter