Virtual Honeypots: From Botnet Tracking to Intrusion Detection (Paperback)
Table of Contents
Preface xiii
Acknowledgments xxi
About the Authors xxiiiChapter 1 Honeypot and Networking Background 1
1.1 Brief TCP/IP Introduction 1
1.2 Honeypot Background 7
1.3 Tools of the Trade 13Chapter 2 High-Interaction Honeypots 19
2.1 Advantages and Disadvantages 20
2.2 VMware 22
2.3 User-Mode Linux 41
2.4 Argos 52
2.5 Safeguarding Your Honeypots 62
2.6 Summary 69Chapter 3 Low-Interaction Honeypots 71
3.1 Advantages and Disadvantages 72
3.2 Deception Toolkit 73
3.3 LaBrea 74
3.4 Tiny Honeypot 81
3.5 GHH-Google Hack Honeypot 87
3.6 PHP.HoP-A Web-Based Deception Framework 94
3.7 Securing Your Low-Interaction Honeypots 98
3.8 Summary 103Chapter 4 Honeyd-The Basics 105
4.1 Overview 106
4.2 Design Overview 109
4.3 Receiving Network Data 112
4.4 Runtime Flags 114
4.5 Configuration 115
4.6 Experiments with Honeyd 125
4.7 Services 129
4.8 Logging 131
4.9 Summary 134Chapter 5 Honeyd-Advanced Topics 135
5.1 Advanced Configuration 136
5.2 Emulating Services 139
5.3 Subsystems 142
5.4 Internal Python Services 146
5.5 Dynamic Templates 148
5.6 Routing Topology 150
5.7 Honeydstats 154
5.8 Honeydctl 156
5.9 Honeycomb 158
5.10 Performance 160
5.11 Summary 161Chapter 6 Collecting Malware with Honeypots 163
6.1 A Primer on Malicious Software 164
6.2 Nepenthes-A Honeypot Solution to Collect Malware 165
6.3 Honeytrap 197
6.4 Other Honeypot Solutions for Learning About Malware 204
6.5 Summary 207Chapter 7 Hybrid Systems 209
7.1 Collapsar 211
7.2 Potemkin 214
7.3 RolePlayer 220
7.4 Research Summary 224
7.5 Building Your Own Hybrid Honeypot System 224
7.6 Summary 230Chapter 8 Client Honeypots 231
8.1 Learning More About Client-Side Threats 232
8.2 Low-Interaction Client Honeypots 241
8.3 High-Interaction Client Honeypots 253
8.4 Other Approaches 263
8.5 Summary 272Chapter 9 Detecting Honeypots 273
9.1 Detecting Low-Interaction Honeypots 274
9.2 Detecting High-Interaction Honeypots 280
9.3 Detecting Rootkits 302
9.4 Summary 305Chapter 10 Case Studies 307
10.1 Blast-o-Mat: Using Nepenthes to Detect Infected Clients 308
10.2 Search Worms 327
10.3 Red Hat 8.0 Compromise 332
10.4 Windows 2000 Compromise 343
10.5 SUSE 9.1 Compromise 351
10.6 Summary 357Chapter 11 Tracking Botnets 359
11.1 Bot and Botnet 101 360
11.2 Tracking Botnets 373
11.3 Case Studies 376
11.4 Defending Against Bots 387
11.5 Summary 390Chapter 12 Analyzing Malware with CWSandbox 391
12.1 CWSandbox Overview 392
12.2 Behavior-Based Malware Analysis 394
12.3 CWSandbox-System Description 401
12.4 Results 405
12.5 Summary 413Bibliography 415
Index 423
#新しい本