Current setup(s):
=================

http://www.lac.inpe.br/security/honeynet/

Our topology remains the same: a GenII with some modifications, and all control mechanisms based on OpenBSD (pf, sessionlimit and hogwash). Honeypots with Solaris, *BSD, Linux and Windows. Some of them with a modified shell, sending logs to a centralized syslog.

Findings/developments this quarter:
===================================

Developments:
-------------

- one year of collected data! This data will be processed, with some tools we're developing, to better understand the last year's activities and observed trends.
- new version of sessionlimit (0.3), adapted to run with OpenBSD 3.3-beta.
- SMS notification: some alert categories are now also sent to the members' cell phones as SMS messages.

Malicious Activities:
---------------------

- lots of OpenSSL compromises.
- lots of blackhat tools captured. Some new rootkits were used to upgrade the chkrootkit tool (http://www.chkrootkit.org/).
- popup SPAM remains very popular.
- Windows 2000 compromise
  - used as a DNS and Warez server.
  - operated with "Remote Desktop Control" tools.

Papers:
-------

- "Honeynets Applied to the CSIRT Scenario", to be presented at the 15th Annual Computer Security Incident Handling Conference (Ottawa, Canada), June 2003. http://www.first.org/conference/2003/

Plans for next quarter:
=======================

- Deploy an AIX honeypot.
- use Sebek2.
- continue the sessionlimit development.

### 2003-1.txt ends here.