How to set up the NoAH infrastructure?
Within the NoAH architecture we can identify the NoAH core and the external components. The NoAH core is a distributed farm of honeypots. Inside it we have both low- and high-interaction honeypots. Low-interaction honeypots serve as a front-end to the high-interaction ones and try to offload them from uninteresting traffic, such as port-scanning activity. High-interaction honeypots are instrumented machines that run virtual machines as a containment environment. We use Argos as our main containment environment. The components outside the NoAH core are honey@home and funneling/tunneling. Both of them aim at enabling people to participate in NoAH. Honey@home is a lightweight tool that listens on an unused IP address and interacts with the NoAH core. All traffic directed to the honey@home client is forwarded to the NoAH core and processed by the core honeypots. When an attack is detected, the information gathered by Argos is passed to the signature generator.
In this document we discuss the installation process of all the components. Section 2 describes how an administrator sets up the Honey@home core. Sections 3 and 4 explain how to set up Argos so that it runs on the host and shares the host's network environment, i.e., uses the network's standard DHCP server, through a bridge interface. First we describe how to compile and install the emulator, and then how to set up networking. Finally, Section 5 describes the installation of the Connection Tracker Framework, a standalone application that tracks the state of various network protocols up to the application layer. In combination with the attack detection component Argos and the Interface extension, it outputs state and history information for any connection reported to carry attack traffic. The Interface uses this information to automatically generate network-based signatures.
The purpose of this Section is to describe, in easy steps, how an administrator sets up the Honey@home core. It is an effort to glue together the various components and provide a step-by-step guide for installing them in order to support Honey@home clients. The Honey@home core consists of four components: the SSL server, the modified honeyd, an unmodified MySQL database and the Argos honeypots. The architecture of the Honey@home core is shown in Figure 2.
MySQL database
The MySQL database needs no special configuration. An administrator who wants to set up a Honey@home core has two options. The first is to set up his own registration website and his own database to maintain the list of users; for this choice, the scripts that create the database schema are provided in the installation tarball. The second option, which is preferable, is to configure the SSL server to connect to the central Honey@home database. In that case he should contact the administrator of the central database to obtain access to it.
SSL server
The SSL server component is a daemon that handles the connections of Honey@home users. It first connects to the MySQL database to verify that the connecting users are registered; the database connection settings can be modified before the server is built and installed. Once a user is verified, all packets received from that user are forwarded to the modified honeyd. The SSL server can be configured to listen on any port. Since it accepts connections from users who communicate through the TOR anonymization network, it is advisable to have it listen on port 80, so as to avoid conflicts with the exit policies of TOR routers, many of which only relay traffic to a limited set of destination ports. The SSL server must run with root privileges because it injects raw packets on the interface shared with honeyd; as it is reachable from TOR, this root process should do as little as possible beyond verifying users and relaying packets. The instructions for building the SSL server are given in Appendix B.
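The following is an added illustration of the two pieces of logic the previous two subsections describe, the user lookup against the registration database and the per-user packet relay performed by the SSL server. It is example code written for this page, not the NoAH SSL server or its database scripts. Everything in it is assumed: the users table layout (the real schema is in the tarball), an in-memory SQLite database standing in for MySQL, a simple length-prefixed framing for the packets the client sends over TLS, and a first frame carrying "username\0token". It does not open the raw socket toward honeyd (which is what requires root); it only shows the registration check and the sanity check a relay should apply to a raw IPv4 packet before injecting it.

```python
import hashlib
import hmac
import socket
import sqlite3
import struct

# Hypothetical registration schema; the real one ships with the NoAH tarball.
SCHEMA = "CREATE TABLE users (username TEXT PRIMARY KEY, token_sha256 TEXT NOT NULL)"


def open_registry(rows):
    """Build an in-memory SQLite stand-in for the MySQL registration database
    from constructed (username, token) pairs. Tokens are stored hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(u, hashlib.sha256(t.encode()).hexdigest()) for u, t in rows],
    )
    return conn


def verify_user(registry, username, token):
    """Registration check: parameterised query (never string-formatted, the
    username comes straight from an anonymous TOR client) and a
    constant-time comparison of the token hash."""
    row = registry.execute(
        "SELECT token_sha256 FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hashlib.sha256(token.encode()).hexdigest())


def frame(payload):
    """Assumed wire format: 2-byte big-endian length followed by the payload."""
    return struct.pack("!H", len(payload)) + payload


def parse_frames(buf):
    """Split a byte stream into complete frames; returns (frames, leftover)."""
    frames = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break
        frames.append(bytes(buf[2:2 + n]))
        buf = buf[2 + n:]
    return frames, bytes(buf)


def build_ipv4(src, dst, payload, proto=17):
    """Constructed IPv4 packet (header checksum left at zero) used as sample input."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + payload


def validate_ipv4(pkt):
    """Minimal sanity check before injecting a client-supplied packet on the
    honeyd interface: version 4, plausible header length, total length field
    matching the bytes actually received."""
    if len(pkt) < 20:
        return False
    vihl = pkt[0]
    if vihl >> 4 != 4:
        return False
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return False
    (total,) = struct.unpack("!H", pkt[2:4])
    return total == len(pkt)


def handle_session(registry, stream):
    """Process one client's decrypted stream: first frame authenticates,
    every later frame is a raw packet to relay. Returns None if the user is
    not registered, else (accepted, rejected) packet lists."""
    frames, _ = parse_frames(stream)
    if not frames:
        return None
    username, sep, token = frames[0].partition(b"\x00")
    if not sep or not verify_user(
        registry, username.decode(errors="replace"), token.decode(errors="replace")
    ):
        return None
    packets = frames[1:]
    accepted = [p for p in packets if validate_ipv4(p)]
    rejected = [p for p in packets if not validate_ipv4(p)]
    return accepted, rejected


if __name__ == "__main__":
    registry = open_registry([("alice", "s3cret")])          # constructed user
    pkt = build_ipv4("10.0.0.5", "10.0.0.9", b"hi")          # constructed packet
    stream = frame(b"alice\x00s3cret") + frame(pkt) + frame(b"junk")
    print(handle_session(registry, stream))
```

In a real deployment the accepted packets would be written to a raw socket bound to the honeyd interface, which is the operation that forces the daemon to run as root; a practitioner would open that socket once at start-up and keep the rest of the relay logic, including the database lookup, as small as the example above.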