HoneyC / News: Recent posts

HoneyC has moved to the honeynet alliance infrastructure. You can access the new web site at http://www.nz-honeynet.org/honeyc.html.

HoneyC 1.2.0 comes with a snort rule permutator that allows to counter obfuscation attempts by the bad guys. It inputs existing snort rules, encodes each content value (using various schemes), and outputs a new Snort Rule with this encoded content value. If a malicious web page uses the same encoding scheme, you now have a rule that can match on it. Check it out the details (execute ‘ruby analysisEngine\SnortRulePermutator.rb –help’) and let me know what you think.

HoneyC 1.2.0 was released today. It contains some cool new features. First, I have extended the Snort rules to support an new tag that is designed to match on content with an http response header. This should allow to create more fine grain rules with an overall lower false positive rate. Second, I added a simple tool that allows to permutate rules. This is aimed at countering some simple obfuscation attempts by the bad guys. Also, the release contains many bug fixes. See release notes for details.

I have just released HoneyC version 1.1.6, which fixes the failing unit test. It also fixes a bug in the snort rule parser. See release notes for details.
Cheers -
Christian

Currently the unit tests on verion 1.1.5 fail. This will be fixed ASAP. However, I want to give you some background info on why that is.
The unit test that is failing is the YahooSearchAPI test. One test makes a query for "google" and expects that "www.google.com" is returned. However, Yahoo's search index must have changed, so it returns "calendar.google.com" instead of "www.google.com". This is why the test is failing.
It doesnt indicate that the functionality of HoneyC is broken. Rather it points to a badly designed test, which will be fixed here shortly.
Sorry about that.
- Christian

In order to generate urls for HoneyC to visit, one way is to specify search queries with the yahoo search api component. As you are interested in visiting more sites, it might become difficult to come up with unique search terms as the yahoo search api is restricted to return 1000 results per query. I came across a nice online tool by Google that makes the job easier. Simply enter one search term, and it will return dozens of related ones. It can be found here: https://adwords.google.com/select/KeywordToolExternal.

HoneyC 1.1.5 was released today. It mostly contains bug fixes and small feature requests (hence only an increase in the bug fix version). See release notes for the details.

HoneyC 1.1.4 was released today. It mostly contains bug fixes and one small feature request (hence only an increase in the bug fix version). See release notes for the details.

HoneyC 1.1.3 was released today. It mainly contains a refactor of the snort rules analysis engine which should make it more compatible to the actual snort rules format. It also contains some bug fixes and performance enhancements. Please refer to the release notes for details.

I added a help forum to the HoneyC sourceforge page. Please use it to discuss any issues around understanding, installation, or running of HoneyC you might have.
Thanks-
Christian

With HoneyC 1.1.2, we have added threading to the web browser, so web pages could be retrieved concurrently, which is expected to have great performance impacts. I have done some performance tests to find the optimum value for the number of threads. I retrieved 500 pages (using a short constant rule set) repeatedly varying the thread count. The results are:
1 thread - 2027 seconds
5 threads - 1316 seconds
10 threads - 1036 seconds
20 threads - 675 seconds
30 threads - 640 seconds
40 threads - 545 seconds
50 threads - 500 seconds
While this shows a continued downward trend, I suppose at a certain point in time the overhead of threading will reverse the trend. Also, the urls I used were all good urls. The performance footprint might change if there are more broken or timeout urls included in the set. As such, I recommend that you test several values for threads in order to find the optimum value for your environment (as connection speed, number of rules, processor power, and characteristics of url are likely to influence the optimum value). With the next version of HoneyC (this is already in the repository), the browser thread value will be configurable via the WebBrowser configuration file.
Cheers -
Christian

HoneyC 1.1.2 was released today. It contains a new queuer "ListQueuer" that allows to pass in lists of urls to visit (good if you would like to use HoneyC to mine SPAM emails). Also it contains bug fixes and performance enhancements. See release notes for details.

Use HoneyC to track down servers that host VML IE exploits (OSVDB ID 28946, CVE-2006-4868). This vulnerability allows to execute arbitrary code. Currently no patch exists.
The signature I am using to track this down is:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Arbitrary code execution attempt through MSIE VML Vulnerability"; flow:established,from_server; content:"v:rect"; nocase; content:"urn:schemas-microsoft-com:vml"; nocase; pcre:"/fill method="[^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>][^>]/i"; reference:url,www.osvdb.org/28946; classtype:trojan-activity; sid:3400002; rev:1; )

Since Yahoo Search API restricts a query to 100 results, you need to create a long list of keywords to cover a large quantity of sites. I came across a tool that assists in coming up with a list of related keywords once a keyword is provided. You can find it at http://inventory.overture.com/d/searchinventory/suggestion/.

HoneyC 1.1.1 was released today. It contains proxy support for the yahoo search queuer module. See release notes for details.

HoneyC 1.1.0 was released today. Major changes include proxy support and extended Snort Rules support, which should allow to utilize the majority of bleeding snort malware rules. See release notes for details.

Christian has written a short paper on HoneyC. It can be accessed from his research blog: http://www.mcs.vuw.ac.nz/~cseifert/blog/index.php. Comments would be greatly appreciated.

HoneyC 1.0.5 was released today. It contains bug fixes only. See release notes for details.

Also, we have added our requirements and functional test cases (including test execution results) to the svn repository.

This should be the last bug fix release for this feature version. Expect a feature release in the next couple of weeks that enhances the Snort rules parser for compatibility with bleeding snort rules. Also, we are planning to add some Snort rules that resulted from our analysis of client side exploits.

HoneyC 1.0.4 was released today. It contains bug fixes only. See release notes for details.

HoneyC 1.0.3 was released today. It contains bug fixes only. See release notes for details.

HoneyC 1.0.2 was released today. It contains bug fixes only. See release notes for details

HoneyC 1.0.1 was released today. It contains bug fixes only. See release notes for details.

HoneyC 1.0.0 was released today. This first version of the low interaction client honeypot framework includes component modules that allow searching for malicious web servers based on snort signatures. It can be downloaded from http://prdownloads.sourceforge.net/honeyc/HoneyC-1.0.0.zip?download.

If you would like to test HoneyC, we recommend running HoneyC against the Browser Fun demonstration exploits at http://browserfun.blogspot.com/.

The HoneyC home page is up and running. It will be the primary way of the project to interface with the community providing news, releases, and general documentation.
HoneyC is a low interaction client honeypot that allows to search and identify malicious servers on the web with a variety of emulated clients.