Christian Kreibich
ICIR ICSI
Honeycomb
Automated signature creation using honeypots

Introduction

Honeycomb is a system for automated generation of signatures for network intrusion detection systems (NIDSs). It applies protocol analysis and pattern-detection techniques to traffic captured on honeypots. Working from honeypot traffic has the major advantage of concentrating on traffic that can be considered malicious by definition: a honeypot offers no legitimate service, so nobody has a good reason to talk to it, and the pattern detection starts from a corpus that contains no production traffic to begin with.

Honeycomb is good at spotting worms. For example, Honeycomb creates detailed signatures for Slammer and Code Red (far more detailed than the typical web server request line) on a typical end-user DSL connection. But the system has lots of other potential uses: it can be applied to any kind of traffic to actively search for signatures where none is available yet. Examples are all those "Does anyone have a signature for program X"-type questions on IDS mailing lists; just run this traffic through Honeycomb and see what you get. Spam detection is another potential application that comes to mind.

The system is an extension of the open-source honeypot honeyd and inspects traffic inside the honeypot; currently it examines protocol headers as well as payload data. Integrating Honeycomb with honeyd has several advantages over a bump-in-the-wire approach:

  • It avoids duplication of effort, as honeyd already uses libpcap to capture the relevant packets,
  • It avoids cold-start issues common to devices like packet normalisers or NIDSs, as honeyd does not just passively listen to traffic but rather emulates hosts answering incoming requests. It hence knows exactly when a new connection is started or terminated.

Availability

Honeycomb should build on at least Linux, FreeBSD and OpenBSD.

Release 0.7 should build with honeyd 1.5 and libevent 1.1. Refer to the README in the tarball for installation instructions.

Results

I'm gathering Honeycomb-generated signatures here to illustrate how detailed some of them are. Note that all of these signatures were created automatically, and from repeated intrusions; it is interesting to see just how much overlap there was among those flows. Note also that the rule headers carry the honeypot's address and, where every matching flow came from the same place, the attacker's address or network as seen at the time (192.168.1.1/32, 80.0.0.0/8), and that the msg field is just the generation timestamp; before deploying such a rule on another network you would generalise the addresses (e.g. to $EXTERNAL_NET and $HOME_NET) and give it a meaningful name.

  • Here is a signature for the THCIISSLAME.c SSL PCT exploit, submitted by Jose Faial <jcfaial AT terra.com.br> — thanks!

    alert tcp 192.168.1.1/32 any -> 192.168.1.125/32 443 (msg: "Honeycomb SunMay 2 21h51m48 2004 "; flags: PA; flow: established; content: "|80|b|01 02BD 00 01 00 01 00 16 8F 82 01 00 00 00 EB 0F|THCOWNZIIS!2^|BE 98 EB|#zi|0205|lY|F8 1D 9C DE 8C D1|Lp|D4 03 F0|' 0|08|WS2_32.DLL|01 EB 05 E8 F9 FF FFFF|]|83 ED|*j0Yd|8B 01 8B|@|0C 8B|p|1C AD 8B|x|08 8D|_<|8B 1B 01 FB 8B|[x|01FB 8B|K|1C 01 F9 8B|S$|01 FA|SQR|8B|[ |01 FB|1|C9|A1|C0 99 8B|4|8B 01 FEAC|1|C2 D1 E2 84 C0|u|F7 0F B6|E|058D|DE|04|f9|10|u|E1|f1|10|ZX^VPR+N|10|A|0F B7 0C|J|8B 04 88 01 F8 0F B6|M|0589|D|8D D8 FE|M|05|u|BE FE|M|04|t!|FE|M"|8D|]|18|S|FF D0 89C7|j|04|X|88|E|05 80|Ew|0A 8D|]t|80|k&|14 E9|x|FF FF FF 89CE|1|DB|SSSSVFV|FF D0 97|UXf|89|0j|10|UW|FF|U|D4|NVW|FF|U|CC|SUW|FF|U|D0 978D|E|88|P|FF|U|E4|UU|FF|U|E8 8D|D|05 0C 94|Sh.exeh\cmd|94|1|D2 8D|E|CC94|WWWSS|FE C6 01 F2|R|94 8D|ExP|8D|E|88|P|B1 08|SSj|10 FECE|RSSSU|FF|U|EC|j|FF FF|U"; )

  • Here's CodeRed:

    alert tcp 80.0.0.0/8 any -> 192.168.169.2/32 80 (msg: "Honeycomb Mon May 5 16h59m09 2003 "; flags: A; flow: established; content: "u|08 81|~0|9A 02 00 00 0F 84 C4 00 00 00 C7|F0|9A 02 00 00 E8 0A 00 00 00|CodeRedII|00 8B 1C|$|FF|U|D8|f|0B C0 0F 95 85|8|FE FF FF C7 85|P|FE FF FF 01 00 00 00|j|00 8D 85|P|FE FF FF|P|8D 85|8|FE FF FF|P|8B|E|08 FF|p|08 FF 90 84 00 00 00 80 BD|8|FE FF FF 01|thS|FF|U|D4 FF|U|EC 01|E|84|i|BD|T|FE FF FF|,|01 00 00 81 C7|,|01 00 00 E8 D2 04 00 00 F7 D0 0F AF C7 89|F4|8D|E|88|Pj|00 FF|u|08 E8 05 00 00 00 E9 01 FF FF FF|j|00|j|00 FF|U|F0|P|FF|U|D0|Ou|D2 E8|;|05 00 00|i|BD| T|FE FF FF 00|\&|05 81 C7 00|\&|05|W|FF|U|E8|j|00|j|16 FF|U|8C|j|FF FF|U|E8 EB F9 8B|F4)E|84|jd|FF|U|E8 8D 85|<|FE FF FF| P|FF|U|C0 0F B7 85|<|FE FF FF|=|88 88 00 00|s|CF 0F B7 85|>|FE FF FF 83 F8 0A|s|C3|f|C7 85|p|FF FF FF 02 00|f|C7 85|r |FF FF FF 00|P|E8|d|04 00 00 89 9D|t|FF FF FF|j|00|j|01|j|02 FF|U|B8 83 F8 FF|t|F2 89|E|80|j|01|Th~f|04 80 FF|u|80 FF|U |A4|Yj|10 8D 85|p|FF FF FF|P|FF|u|80 FF|U|B0 BB 01 00 00 00 0B C0|tK3|DB FF|U|94|=3'|00 00|u?|C7 85|h|FF FF FF 0A 00 00 00 C7 85|l|FF FF FF 00 00 00 00 C7 85|`|FF FF FF 01 00 00 00 8B|E|80 89 85|d|FF FF FF 8D 85|h|FF FF FF|Pj|00 8D 85|`|FF FF FF|Pj|00|j|01 FF|U|A0 93|j|00|Th~f|04 80 FF|u|80 FF|U|A4|Y|83 FB 01|u1|E8 00 00 00 00|X-|D3 03 00 00|j|00|h|EA 0E 00 00|P|FF|u|80 FF|U|AC|=|EA 0E 00 00|u|11|j|00|j|01 8D 85|\|FE FF FF|P|FF|u|80 FF|U|A8 FF|u|80 FF|U|B4 E9 E7 FE FF FF BB 00 00 DF|w|81 C3 00 00 01 00 81 FB 00 00 00|xu|05 BB 00 00 F0 BF|`|E8 0E 00 00 00 8B|d$|08|dg|8F|"; )

  • And here's one for Slammer:

    alert udp any any -> 192.168.169.2/32 1434 (msg: "Honeycomb Fri Jul 18 11h46m33 2003 "; content: "|04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0|B|EB 0E 01 01 01 01 01 01 01|p|AE|B|01|p|AE|B|90 90 90 90 90 90 90 90|h|DC C9 B0|B|B8 01 01 01 01|1|C9 B1 18|P|E2 FD|5|01 01 01 05|P|89 E5|Qh.dllhel32hkernQhounthickChGetTf|B9|llQh32.dhws2_f|B9|etQhsockf|B9|toQhsend|BE 18 10 AE|B|8D|E|D4|P|FF 16|P|8D|E|E0|P|8D|E|F0|P|FF 16|P|BE 10 10 AE|B|8B 1E 8B 03|=U|8B EC|Qt|05 BE 1C 10 AE|B|FF 16 FF D0|1|C9|QQP|81 F1 03 01 04 9B 81 F1 01 01 01 01|Q|8D|E|CC|P|8B|E|C0|P|FF 16|j|11|j|02|j|02 FF D0|P|8D|E|C4|P|8B|E|C0|P|FF 16 89 C6 09 DB 81 F3|<a|D9 FF 8B|E|B4 8D 0C|@|8D 14 88 C1 E2 04 01 C2 C1 E2 08|)|C2 8D 04 90 01 D8 89|E|B4|j|10 8D|E|B0|P1|C9|Qf|81 F1|x|01|Q|8D|E|03|P|8B|E|AC|P|FF D6 EB|"; )

Related Publications

  • Honeycomb — Creating Intrusion Detection Signatures Using Honeypots (PDF)
    C. Kreibich and J. Crowcroft. 2nd Workshop on Hot Topics in Networks (HotNets-II), 2003, Boston, USA.
  • Automated NIDS Signature Generation using Honeypots (PDF)
    C. Kreibich and J. Crowcroft. Poster paper, SIGCOMM 2003, Karlsruhe, Germany.

Links

  • HotNets Talk (PPT)
  • Talk on Honeycomb and Honeypot Technology (PDF)
  • SIGCOMM Poster (PDF)
  • The Honeyd Virtual Honeypot
updated on 27 November 09 | (cc) Christian Kreibich