GT ECE 4112 - Honeypots and Network Monitoring and Forensics

This preview shows pages 1-2, 17-19 and 35-36 out of 36 pages.
Section headings and fragments from the later preview pages (17-19, 35-36):

Section 1: Install and run BackOfficerFriendly (a free honeypot) on your virtual WinXP machine
Section 2: The Homemade Honeypot using Netcat as a Port Sniffer
Part 3B:
Section 5: Scan of the Month Challenge
Q5.1: What is the attacker's IP address? (Hint: You will need to convert from hex to decimal)
Just running snort with rules, as done above, will log only the packets whose signatures match one of the rules; they will be logged in /var/log/snort. You can also output the alerts to the screen with
Configuring Snort:
Writing Snort Rules:
Section 7: Advanced uses of Ethereal
List details such as time of attack (start, end and duration), source IPs, target IPs, the hacker's activities and the service targeted
Install libmhash:
Install aide:
How long did it take you to complete this lab? Was it an appropriate length lab?

ECE 4112 Internetwork Security
Lab 7: Honeypots and Network Monitoring and Forensics

Group Number: _______________
Member Names: _________________________ _________________________
Date Assigned: March 1, 2005
Date Due: March 8, 2005
Last Edited: November 16, 2004

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.

Goal: To understand the concept of a honeypot and how it can prove useful to administrators and network professionals when correctly implemented inside their network topology. Also covered in the lab is the concept of forensics: examining the data you have collected in order to determine what exploit was run against your machine.

Summary: In this lab you will first set up a couple of different honeypots, one on Windows and then one on Linux, to monitor network traffic and look for anything suspicious. You will also use snort to log data and as an Intrusion Detection System. On the forensics side you will examine a few files of captured data from real attacks and see if you can find out what was going on. Finally you will look at a forensic tool and see some of its uses.

Background and Theory:

What is a honeypot? A honeypot is a system whose value lies in being probed, attacked, or otherwise taken advantage of by a blackhat. This idea may sound somewhat counterintuitive at first; why would we want to give one of our valuable systems over to the other side? [1]

The answer to this question depends on what we are trying to accomplish. Spitzner classifies honeypot solutions into two broad categories: production and research. For research purposes, we simply want to collect as much information on our attackers as possible. Production systems are generally used as an added layer of network security.

The value of any network security device can be quickly assessed when one considers the three keys to network security: prevention, detection, and response. Consider "The Burglar Alarm Analogy": deadbolting your front door is a way to prevent thieves from entering. A security alarm can detect that thieves got past the deadbolt, indicating that the preventative measures were not successful. With any luck, your system dials the police, who then respond by showing up at your house with guns blazing. [1]

A honeypot is the electronic equivalent of an unlocked door, so we can't expect it to add much to the protection layer. It is in the detection of unwanted intruders that a honeypot adds the most value. There is one important reason for this. A honeypot, by definition, should have no legitimate traffic. Consider how much information an IDS has to sift through, or how many packets are seen by your router or firewall in one day: entirely too much to sit and watch go by on the wire. If you're hacked, it can be very difficult to find the source of the attack with these more conventional network security devices. A honeypot, on the other hand, will collect very little information over the course of a day, but it's likely that all of that information has some sort of value to a network administrator. Later in the lab you will see how versatile a honeypot can be in collecting data, whether one is just looking for the source and destination ports of scans on the network or wants to capture the keystrokes and tools of an attacker for further analysis. [1]

The value added by a honeypot to the response layer of network security (which can be significant) is beyond the scope of this lab. There are numerous whitepapers available on the Internet for those who find themselves interested in the subject. [1] Appropriate websites are listed at the end of this lab.

It's fairly easy to see how a production honeypot might help a company that has been the victim of past attacks, and how a research honeypot might help the security community to analyze the tools and tactics of the blackhat community. What remains to be seen, however, is what sets the two categories apart in terms of the construction, functionality, and topology of the honeypot systems we'd like to deploy. [1]

Traditionally, production honeypots are thought of as simpler and more intuitive than research honeypots, and rightly so. Most network administrators care less about the tactics employed by a hacker and more about the immediate security concerns of their network. A primary goal of a production honeypot, then, is to provide an alert that something might be amiss [1]. This affords system administrators the freedom to select from several commercially available (and sometimes free) honeypot solutions. Examples of such solutions that are currently available include BackOfficerFriendly, Specter, and honeyd.

Spitzner classifies these three tools as "low-interaction" honeypots [1]. When we define a honeypot as low interaction, we are referring to how much operability we plan to leave on the victim box for an attacker to play with. Consider the
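As an added example (not the lab's own netcat procedure from Section 2, and not code from the handout), the following Python listener does in a testable form what a homemade low-interaction honeypot does: it accepts connections on a port that has no legitimate users, sends a fake service banner, records who connected and what they sent, and never interprets or executes the input. It also shows the "source and destination ports of scans" use mentioned above by summarising recorded connections per source address. The banner text, the port number, the 512-byte capture limit and the three-port scan threshold are illustrative assumptions, not values from the lab.

```python
import socket
import threading
import time
from collections import defaultdict

# Illustrative fake banner (an assumption, not from the lab): the honeypot
# pretends to be an SMTP server but never processes a single command.
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"


class Honeypot:
    """Low-interaction TCP honeypot: accept, greet, record, close.

    Nothing the peer sends is interpreted; the payload is kept as evidence.
    Because the listener has no legitimate users, every record is suspect.
    """

    def __init__(self, host="127.0.0.1", port=0, banner=FAKE_BANNER,
                 read_timeout=2.0, max_bytes=512):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]  # actual port; 0 picks a free one
        self.banner = banner
        self.read_timeout = read_timeout
        self.max_bytes = max_bytes
        self.records = []
        self._lock = threading.Lock()

    def serve_one(self):
        """Handle exactly one connection and return its record."""
        conn, (src_ip, src_port) = self.sock.accept()
        rec = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
               "src_ip": src_ip, "src_port": src_port,
               "dst_port": self.port, "data": b""}
        try:
            conn.settimeout(self.read_timeout)
            conn.sendall(self.banner)
            # Capture a bounded amount of whatever the peer sends, then stop.
            while len(rec["data"]) < self.max_bytes:
                chunk = conn.recv(self.max_bytes - len(rec["data"]))
                if not chunk:
                    break
                rec["data"] += chunk
        except OSError:
            pass  # a bare connect-and-close (port scan) or timeout is still logged
        finally:
            conn.close()
        with self._lock:
            self.records.append(rec)
        return rec

    def serve_in_background(self):
        """Run serve_one() in a thread so a caller can connect to the port."""
        t = threading.Thread(target=self.serve_one, daemon=True)
        t.start()
        return t

    def close(self):
        self.sock.close()


def probe(port, payload, host="127.0.0.1"):
    """Play the attacker: connect, read the banner, send payload, hang up.
    Returns the banner the honeypot sent."""
    with socket.create_connection((host, port), timeout=5) as c:
        banner = b""
        while not banner.endswith(b"\r\n"):
            part = c.recv(1024)
            if not part:
                break
            banner += part
        c.sendall(payload)
    return banner


def format_record(rec):
    """One log line per connection; repr() escapes control bytes so a hostile
    payload cannot corrupt the log file or the terminal displaying it."""
    return (f"{rec['time']} {rec['src_ip']}:{rec['src_port']} -> "
            f":{rec['dst_port']} {len(rec['data'])}B {rec['data']!r}")


def scan_summary(records, min_ports=3):
    """Flag sources that touched at least min_ports distinct destination ports
    (illustrative threshold). Returns {src_ip: sorted list of ports}."""
    ports = defaultdict(set)
    for rec in records:
        ports[rec["src_ip"]].add(rec["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    hp = Honeypot(port=2525)  # illustrative unprivileged port
    print(f"honeypot listening on {hp.port}; every line below is suspect")
    try:
        while True:
            print(format_record(hp.serve_one()))
    except KeyboardInterrupt:
        hp.close()
```

Run one instance per port you want to watch (several Honeypot objects on different ports feed one scan_summary), and keep the listener away from anything that parses or executes what it receives: the whole value of the low-interaction design is that the attacker gets a banner and nothing else.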