« SAHER » The National Platform for Tracking Cyber Attacks

By Hafidh EL Faleh
Hafidh.faleh@gmail.com
NACS - 2012
Perimeter of the project
The NACS is a member of:
SAHER Objectives
• Build a dashboard (alert level) of the National Cyberspace.
• Provide a platform supporting incident handling, investigation and legal forensics.
• Develop solutions for tracking cyber attacks with DIDS, honeypots and the deployment of many sensors.
• Monitor critical infrastructures and detect anomalies in their systems.
• Supervise web sites to detect defacement attacks.
• Maintain a system for malware detection (viruses, botnets, trojans), and use coordination to clean up the National Cyberspace.
• Build an information database of attack types, vulnerability leaks and blacklists.
SAHER is a three-layer platform
WORKFLOW layer
Analysis and correlation layer
Collection and detection layer
CEWS Architecture
Detection
• SAHER-WEB: routines whose purpose is to verify the integrity of web sites.
• SAHER-SRV: routines whose purpose is to verify the availability of Web, MAIL and DNS servers.
• The IDS: Snort sensors, generally installed in web hosting environments.
• The honeynets: several solutions of different types are available in the free software world.
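The SAHER-WEB routines above check site integrity. The following is an added example (not code from the SAHER project) of how such a check can separate a real defacement from routine edits: a SHA-256 fingerprint of the normalized page detects any change, and a text-similarity ratio decides whether the change is an alert. The page contents, the timestamp pattern stripped during normalization and the 0.7 alert threshold are all constructed assumptions for this example.

```python
import difflib
import hashlib
import re
from dataclasses import dataclass
from typing import Callable

# Constructed baseline snapshot of a monitored page (hypothetical content, not a real site).
BASELINE_HTML = """<html><head><title>Example Ministry</title></head>
<body><h1>Welcome</h1><p>Official portal.</p>
<p>News: the portal now offers online services for citizens.</p>
<span id="ts">Generated 2012-05-01 10:00:00</span></body></html>"""

# Constructed fetch results for the three cases the monitor must tell apart.
TIMESTAMP_ONLY_HTML = BASELINE_HTML.replace("10:00:00", "10:05:00")
MINOR_EDIT_HTML = BASELINE_HTML.replace("Official portal.", "Official portal of the ministry.")
DEFACED_HTML = ("<html><body><h1>HACKED BY xyz</h1>"
                "<marquee>we own this server</marquee></body></html>")


def normalize(html: str) -> str:
    """Remove content expected to differ between legitimate fetches
    (a generated-at timestamp and whitespace) so only real edits change the fingerprint."""
    html = re.sub(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", "<TS>", html)
    return re.sub(r"\s+", " ", html).strip()


def fingerprint(html: str) -> str:
    """SHA-256 of the normalized page; stored as the baseline when the site is enrolled."""
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


@dataclass
class IntegrityResult:
    verdict: str        # "unchanged", "minor_change" or "suspected_defacement"
    similarity: float   # 1.0 means identical after normalization


def check_integrity(baseline_html: str, current_html: str,
                    alert_threshold: float = 0.7) -> IntegrityResult:
    """Compare a fresh copy of the page with its baseline.

    A hash mismatch alone is not an alert, because routine edits also change the
    hash. The normalized texts are diffed and a low similarity ratio is what
    raises the defacement alert; the threshold is an assumption to be tuned per site."""
    if fingerprint(baseline_html) == fingerprint(current_html):
        return IntegrityResult("unchanged", 1.0)
    ratio = difflib.SequenceMatcher(None, normalize(baseline_html),
                                    normalize(current_html), autojunk=False).ratio()
    if ratio < alert_threshold:
        return IntegrityResult("suspected_defacement", ratio)
    return IntegrityResult("minor_change", ratio)


def monitor(url: str, baseline_html: str,
            fetch: Callable[[str], str]) -> IntegrityResult:
    """One monitoring round. `fetch` is injected so the routine can run against
    a real HTTP client in production and against canned pages offline."""
    return check_integrity(baseline_html, fetch(url))


if __name__ == "__main__":
    # Offline run: the "site" is a dictionary of constructed pages.
    pages = {"https://example.invalid/": DEFACED_HTML}
    result = monitor("https://example.invalid/", BASELINE_HTML, pages.__getitem__)
    print(result.verdict, round(result.similarity, 2))
```

In production the baseline should be re-enrolled after every approved content change, and a `minor_change` verdict is still worth a low-priority ticket so that slow, incremental tampering is not missed.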
Collection
We need to exchange security events and collaborate to handle incidents:
• Incidents:
  • Phishing
  • Web defacement
  • Scan
  • Intrusion
  • Spam / Scam
  • DoS / DDoS
• Malware:
  • Worm spread
  • Botnet / C&C
  • Honeynet detection
• Vulnerabilities:
  • Exploit
  • Zero days
  • Product vulnerability
ISAC: Information Sharing and Analysis Center
Internal workflow
A CSIRT is a team that responds to computer security incidents by providing all the services necessary to solve the problem(s) or to support their resolution.
Workflow: coordination platform
[Diagram of the coordination platform. Elements shown: users (TEL, mail), an SMTP server, sensors S1, S2, S3 and IDS (Snort) with their DB, a central DB, the tunCERT activities (incident, pentest, watch/veille), other CERTs (mail, TEL) and the ISPs (tel, mail).]
Saher-Web: Detection
Saher-IDS: Statistics
Saher-Honeynet: Architecture and tools
2500 public IPs
Saher-Honeynet
Annual evolution of attacks
Saher-Honeynet website: online statistics
www.honeynet.tn
Saher-Honeynet website: « Dashboard »
www.honeynet.tn/dashboard
Ideas for Projects
IP Reputation Database
• Design and specify a tool that interfaces with many honeypot tools (dionaea, glastopf, kippo ...) and maintains an updated database for checking the reputation of any IP address from its historical logs.
• Provide web access (web services) to this tool: automatically obtain the source IP, return the information about its reputation history and send the necessary instructions for the cleanup process.
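As an added example of the reputation database idea (not code from the SAHER project or from any of the honeypot tools named), the block below scores addresses from a unified event log and answers the lookup a web service would serve, including the cleanup instructions to send to the address owner. The log lines are constructed in a simplified format that a collector might produce after reading each honeypot's own log; it is not the native log format of dionaea, glastopf or kippo. The event weights, the sensor bonus and the level thresholds are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample events in a unified "timestamp sensor src_ip event details" format
# (NOT the native log format of any honeypot). Addresses are from RFC 5737 ranges.
SAMPLE_LOG = """\
2012-05-01T10:00:01 kippo 203.0.113.5 ssh_login_attempt user=root
2012-05-01T10:00:03 kippo 203.0.113.5 ssh_login_attempt user=admin
2012-05-01T10:02:10 dionaea 203.0.113.5 malware_download sha256=<PLACEHOLDER>
2012-05-01T10:05:00 glastopf 198.51.100.7 web_scan path=/phpmyadmin/
2012-05-01T11:00:00 dionaea 192.0.2.9 connection port=445
2012-05-02T09:30:00 glastopf 198.51.100.7 web_scan path=/admin/
"""

# Assumed weights: how much each event type adds to an address's score.
EVENT_WEIGHTS = {"connection": 1, "web_scan": 2, "ssh_login_attempt": 2,
                 "exploit_attempt": 4, "malware_download": 5}
SENSOR_BONUS = 3   # extra points for each additional distinct sensor that saw the IP


@dataclass
class Reputation:
    ip: str
    score: int = 0
    events: int = 0
    sensors: set = field(default_factory=set)
    first_seen: Optional[str] = None
    last_seen: Optional[str] = None

    @property
    def level(self) -> str:
        # Assumed thresholds; tune against real sensor volumes.
        if self.score >= 10:
            return "high"
        if self.score >= 4:
            return "medium"
        return "low"


def parse_line(line: str):
    """Split one unified log line; returns None for malformed lines."""
    parts = line.split(" ", 4)
    if len(parts) < 4:
        return None
    ts, sensor, ip, event = parts[:4]
    details = parts[4] if len(parts) == 5 else ""
    return ts, sensor, ip, event, details


def build_reputation_db(log_text: str) -> Dict[str, Reputation]:
    """Aggregate events per source address into a reputation record."""
    db: Dict[str, Reputation] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, sensor, ip, event, _ = rec
        rep = db.setdefault(ip, Reputation(ip))
        rep.events += 1
        rep.sensors.add(sensor)
        rep.score += EVENT_WEIGHTS.get(event, 1)
        # ISO-8601 timestamps sort correctly as strings.
        rep.first_seen = min(rep.first_seen or ts, ts)
        rep.last_seen = max(rep.last_seen or ts, ts)
    for rep in db.values():
        rep.score += SENSOR_BONUS * (len(rep.sensors) - 1)
    return db


def cleanup_instructions(rep: Reputation) -> List[str]:
    """Advice returned with the lookup so the address owner can remediate."""
    steps = []
    if rep.level in ("medium", "high"):
        steps.append("Isolate the host and run a full anti-malware scan.")
    if "dionaea" in rep.sensors:
        steps.append("Review services exposed on the ports recorded by the sensor.")
    if "kippo" in rep.sensors:
        steps.append("Rotate SSH credentials and disable password authentication.")
    if rep.level == "high":
        steps.append("Report back to the CERT once cleanup is confirmed.")
    return steps


def lookup(db: Dict[str, Reputation], ip: str) -> dict:
    """The answer a web-service endpoint would return for one address."""
    rep = db.get(ip)
    if rep is None:
        return {"ip": ip, "level": "unknown", "score": 0, "instructions": []}
    return {"ip": ip, "level": rep.level, "score": rep.score, "events": rep.events,
            "sensors": sorted(rep.sensors), "first_seen": rep.first_seen,
            "last_seen": rep.last_seen, "instructions": cleanup_instructions(rep)}


if __name__ == "__main__":
    db = build_reputation_db(SAMPLE_LOG)
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.9"):
        print(lookup(db, ip))
```

Seeing the same address on two independent sensor types is stronger evidence than many hits on one, which is why the score carries a per-sensor bonus rather than only an event count.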
Ideas for GSoC 2012
Black-List Generator
• Create an updated list of malicious domains and hosts from the malware samples received.
• Select the profile of equipment for which to generate the ACL (firewall, IDS/IPS, proxy ...).
• Design and specify the techniques for the black-list tool.
• Share the black-list online.
[Diagram: IDS sensors at ISP 1, ISP 2 and ISP 3; the tool watches their logs, saves passive DNS detections, extracts the list of malicious domains and updates the D-IDS rules.]
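The black-list generator idea above turns a list of malicious domains and hosts into an ACL for a chosen equipment profile. The block below is an added example (not the GSoC project's code) that does this for three profiles: Snort rules matching DNS queries for the listed domains (IDS), iptables drop rules for listed addresses (firewall) and Squid ACLs (proxy). The indicator feed is constructed from reserved names and an RFC 5737 address; the rule prefix "saher_blacklist", the message text and the local SID range starting at 1000001 are assumptions of this example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed indicator feed as a black-list tool might receive it from malware
# analysis: comments, duplicates, mixed case and trailing dots included.
# None of these are real indicators.
RAW_INDICATORS = """\
# extracted from sample <PLACEHOLDER-HASH>, 2012-05-01
cnc.example.test
CNC.example.test.
update-node.example.invalid
203.0.113.45
not a domain!
cnc.example.test
"""

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_indicators(text: str) -> Dict[str, List[str]]:
    """Normalize, validate and de-duplicate the feed into domains and IPs."""
    domains, ips = set(), set()
    for line in text.splitlines():
        item = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not item:
            continue
        try:
            ips.add(str(ipaddress.ip_address(item)))
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(item):
            domains.add(item)
        # Anything else is dropped; a production tool would log the rejected line.
    return {"domains": sorted(domains), "ips": sorted(ips)}


def dns_content(domain: str) -> str:
    """Encode a name as DNS wire-format labels for a Snort content match."""
    return "".join(f"|{len(label):02x}|{label}" for label in domain.split(".")) + "|00|"


def profile_ids(ind: Dict[str, List[str]], sid_base: int = 1000001) -> List[str]:
    """Snort rules alerting on DNS queries for black-listed domains."""
    return [f'alert udp any any -> any 53 (msg:"SAHER blacklist domain {d}"; '
            f'content:"{dns_content(d)}"; nocase; sid:{sid_base + i}; rev:1;)'
            for i, d in enumerate(ind["domains"])]


def profile_firewall(ind: Dict[str, List[str]]) -> List[str]:
    """iptables rules dropping traffic to listed addresses (domains are left to DNS/proxy layers)."""
    return [f"iptables -A FORWARD -d {ip} -j DROP" for ip in ind["ips"]]


def profile_proxy(ind: Dict[str, List[str]]) -> List[str]:
    """Squid ACLs denying listed domains (and their subdomains) and addresses."""
    lines: List[str] = []
    if ind["domains"]:
        lines += [f"acl saher_blacklist dstdomain .{d}" for d in ind["domains"]]
        lines.append("http_access deny saher_blacklist")
    if ind["ips"]:
        lines += [f"acl saher_blacklist_ip dst {ip}" for ip in ind["ips"]]
        lines.append("http_access deny saher_blacklist_ip")
    return lines


PROFILES = {"ids": profile_ids, "firewall": profile_firewall, "proxy": profile_proxy}


def generate_acl(text: str, profile: str) -> List[str]:
    """Entry point: indicator feed plus equipment profile -> list of config lines."""
    if profile not in PROFILES:
        raise ValueError(f"unknown equipment profile: {profile}")
    return PROFILES[profile](parse_indicators(text))


if __name__ == "__main__":
    for profile in PROFILES:
        print(f"# profile: {profile}")
        print("\n".join(generate_acl(RAW_INDICATORS, profile)))
```

Validation before generation matters as much as the output format: an unvalidated line such as `not a domain!` would otherwise end up inside a Snort rule or a Squid ACL and break the whole rule file on reload.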
THANKS
http://www.honeynet.tn
honeynet@ansi.tn
Hafidh.faleh@gmail.com
http://twitter.com/SaherHoneyNet
http://www.linkedin.com/groups/The-Honeynet-ProjectTunisia-chapter