Current setup(s):
=================

http://www.lac.inpe.br/security/honeynet/ or http://www.honeynet.org.br

Our topology remains the same: a GenII honeynet with some modifications, with all control mechanisms based on OpenBSD (pf, sessionlimit and hogwash). The honeypots run Solaris, *BSD, Linux and Windows; some of them carry a modified shell and sebek2 and send their logs to a centralized host. The IP addresses of the honeynet have been moved to a new range.

Findings/developments this quarter:
===================================

Developments:
-------------

- using new pf features:
  - tables
  - queues for bandwidth limitation
- new version of the bash patch for Linux and *BSD. The collected data is sent encrypted to the local network, where it is captured, decrypted and stored by the IDS.
- started work on a kernel-space session capture tool for Unix, with a multiplatform session replay module.
- started work on a network traffic redirect tool that redirects malicious traffic from production servers to honeypots.

Malicious Activities:
---------------------

- some blackhat tools captured. The new rootkits found were used to update the chkrootkit tool (http://www.chkrootkit.org/).
- popup SPAM remains very popular.
- kuang-related activity: 14 variants of malware were captured trying to upload themselves to kuang-infected machines.

Presentations:
--------------

- "Honeynets Applied to the CSIRT Scenario", presented at the 15th Annual Computer Security Incident Handling Conference (Ottawa, Canada), June 2003. http://www.first.org/conference/2003/

Plans for next quarter:
=======================

- continue the sessionlimit development.
- continue the session capture tool development.
- continue the traffic redirect tool development.
- start implementing the honeypot activity analysis environment.
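As an added illustration of the two pf features named under Developments (tables and queues for bandwidth limitation), and of the kind of redirection the traffic redirect work aims at, the pf.conf fragment below is an example written for this page; it is not the project's own configuration. Interface names, the addresses (taken from documentation ranges), the port and the bandwidth figures are assumptions. It uses the rdr and ALTQ syntax of pf as it existed in 2003 (OpenBSD 3.3); later releases replaced both the translation syntax (4.7) and the ALTQ queueing syntax (5.5).

```pf
# Added example: pf.conf fragment for a honeynet data-control gateway.
# Not the project's own configuration. Interface names, addresses and
# bandwidths are assumptions. Pre-4.7 rdr syntax, pre-5.5 ALTQ syntax.

ext_if   = "fxp0"          # assumed: interface facing the Internet
hp_if    = "fxp1"          # assumed: interface facing the honeypots
prod_srv = "192.0.2.10"    # assumed: production server address

# Tables. <honeypots> is fixed (const); <blocked> survives rule reloads
# (persist) and can be edited at run time with
#   pfctl -t blocked -T add 198.51.100.7
# without reloading the whole rule set.
table <honeypots> const { 203.0.113.20, 203.0.113.21, 203.0.113.22 }
table <blocked> persist

# Queues. Traffic originating from the honeypots gets a small fixed share
# of the uplink so that a compromised honeypot cannot be used to flood a
# third party; everything else stays in the default queue.
altq on $ext_if cbq bandwidth 10Mb queue { std, honey_out }
queue std       bandwidth 9Mb   cbq(default)
queue honey_out bandwidth 128Kb cbq

# Redirection. Connections to a port the production server does not serve
# (assumed here: TCP/23) are handed to a honeypot instead of being dropped.
# Translation rules must precede filter rules in this pf version.
rdr on $ext_if proto tcp from any to $prod_srv port 23 -> 203.0.113.20 port 23

# Filter rules. Known-bad sources are dropped and logged; anyone else may
# reach the honeypots, since that is the purpose of the honeynet.
block in log on $ext_if from <blocked> to any
pass  in     on $ext_if from any to <honeypots> keep state

# Outbound connections from the honeypots are permitted but logged and
# throttled by the honey_out queue.
pass out log on $ext_if from <honeypots> to any keep state queue honey_out
```

Load it with `pfctl -f /etc/pf.conf` and check the queue and table state with `pfctl -s queue` and `pfctl -t honeypots -T show`. Bandwidth queueing limits how fast a compromised honeypot can send, not how many connections it opens; connection counting is what the separate sessionlimit tool mentioned in the report is for, so the two mechanisms complement rather than replace each other.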