Honeypots
Storing ALL Data from honeywall CDROM Roo version Nov 12 2005 06:52PM
Jaime Sotelo (1jasotel gmail com) (1 replies)
RE: Storing ALL Data from honeywall CDROM Roo version Nov 14 2005 12:46AM
Jeff Dell (jdell activeworx com) (2 replies)


> Hello, I'm a student doing a study allowance at an antivirus company.
>
> I want to create a virtual environment to watch the behavior of different
> kinds of malware under Windows OS.
>
> I'm using VMware to deploy a honeynet with the honeywall CDROM
> roo-1.0.hw-189.iso
>
> There are 3 Windows systems and a fourth system which is the honeywall. I have
> an automated process in which I infect the Windows virtual machines and let
> the malware play around for 15 minutes. Next, the machines turn off
> without saving changes and start again with another set of malware progs...
> anyway, the point is that I want to:
>
> 1. Store all info that the honeywall can capture to a database in an external
> machine.

This is really not currently possible because only half of the information
is in the database. Look for enhancements in the future to resolve these
issues.

> 2. Further, I want to analyze this data with the Honeynet Security Console.

Currently HSC does not support the new schema format. Look for this in
future versions.

> Due to the nature of my company all the data I can extract could be of use.
>
> My question(s):
>
> If I'm understanding well, the honeywall has a database (hflow). The
> database which Walleye is going to use.
>
> Has this database all the information that I want or should I gather it from
> the different log files?

The information is in both the database and in log files. You really need
both.

> If the answer is yes, then all I have to do is copy the data in this
> database to another database in the external machine, which is going to have
> the Honeywall Security Console schema. So... How can I export the data to the
> database in the external machine (probably, the administration host)??

Once support for distributed honeynets is available within roo, you will see
more advanced distributed features within HSC.

> Another little question: ALL the information means the data from Snort
> (snort-inline), Sebek, iptables, p0f and argus. Am I right??
>
> <http://abejaruco82.stumbleupon.com/about/>
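Since the reply above says half of what the honeywall records lives only in log files, a collector on the external machine has to parse those files itself rather than copy the hflow database. The script below is an added example for this thread, not code from the Honeywall CDROM, Walleye or the Honeynet Security Console: it parses iptables LOG lines of the kind the honeywall's firewall writes to syslog, loads them into a SQLite table on the collector, and reports which outside hosts an infected honeypot contacted. The log prefixes ("INBOUND TCP:", "OUTBOUND CONN TCP:"), hostnames and addresses in the sample are constructed, and the table layout is my own rather than the hflow or HSC schema.

```python
"""Parse iptables LOG lines (as a honeywall's firewall writes them to syslog)
and load them into a SQLite table on a collector host.

Example code added to this thread; not part of the Honeywall CDROM or the
Honeynet Security Console. Log prefixes, hosts and addresses are constructed
sample data; the fw_log table is an assumed layout, not the hflow/HSC schema.
"""
import re
import sqlite3

# Header of a kernel LOG record: syslog timestamp, host, "kernel:", the
# free-text prefix set by iptables -j LOG --log-prefix, then the first IN= field.
_HDR = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?P<prefix>.*?)\s*IN="
)
# KEY=value tokens; flag-only tokens such as DF or SYN have no '=' and are skipped.
_KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample: three firewall records and one unrelated sshd line.
SAMPLE_LOG = """\
Nov 12 18:52:01 honeywall kernel: INBOUND TCP: IN=br0 OUT=br0 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=34567 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 18:52:03 honeywall kernel: OUTBOUND CONN TCP: IN=br0 OUT=br0 SRC=10.0.0.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9 DF PROTO=TCP SPT=1034 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 12 18:52:04 honeywall kernel: OUTBOUND CONN UDP: IN=br0 OUT=br0 SRC=10.0.0.5 DST=198.51.100.53 LEN=61 TOS=0x00 PREC=0x00 TTL=128 ID=10 PROTO=UDP SPT=1035 DPT=53 LEN=41
Nov 12 18:52:05 honeywall sshd[1234]: Accepted publickey for roo from 10.0.0.100
"""


def parse_iptables_line(line):
    """Return the fields a collector needs, or None if the line is not an
    iptables LOG record (syslog carries other daemons' messages too)."""
    m = _HDR.match(line)
    if not m:
        return None
    # Only the part after the prefix holds KEY=value pairs; ICMP records have
    # no SPT/DPT, so those are optional.
    fields = dict(_KV.findall(line[m.end("prefix"):]))
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": m.group("prefix"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def open_collector_db(path=":memory:"):
    """Open (or create) the collector database; pass a file path on the
    external machine to persist across honeypot reboots."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS fw_log (
               id INTEGER PRIMARY KEY, ts TEXT, host TEXT, prefix TEXT,
               src TEXT, dst TEXT, proto TEXT, spt INTEGER, dpt INTEGER)"""
    )
    return conn


def load_lines(conn, lines):
    """Insert every parseable line; return (loaded, skipped) counts so a
    large skip count flags a log format the parser does not understand."""
    loaded = skipped = 0
    for line in lines:
        rec = parse_iptables_line(line)
        if rec is None:
            skipped += 1
            continue
        conn.execute(
            "INSERT INTO fw_log (ts, host, prefix, src, dst, proto, spt, dpt) "
            "VALUES (:ts, :host, :prefix, :src, :dst, :proto, :spt, :dpt)",
            rec,
        )
        loaded += 1
    conn.commit()
    return loaded, skipped


def outbound_destinations(conn, honeypot_src):
    """(dst, proto, dpt) rows for traffic a honeypot initiated: for malware
    analysis the infected VM's own connections are the interesting ones."""
    return conn.execute(
        "SELECT dst, proto, dpt FROM fw_log WHERE src = ? ORDER BY id",
        (honeypot_src,),
    ).fetchall()


def run_sample():
    """Load the constructed sample and report what honeypot 10.0.0.5 contacted."""
    conn = open_collector_db()
    counts = load_lines(conn, SAMPLE_LOG.splitlines())
    return counts, outbound_destinations(conn, "10.0.0.5")


if __name__ == "__main__":
    print(run_sample())
```

On a real deployment the same loader would be pointed at the honeywall's syslog output (shipped off the box before the honeypots are reset), and the Sebek, argus and Snort data would each need their own parser, since they are not in this format.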

Copyright 2010, SecurityFocus