THP: Tunisian Honeynet Project « Saher-Honeynet »
Speaker: Hafidh EL FALEH, hafidh.faleh@gmail.com
NACS - March 2012

Perimeter of the project

The NACS is a member of:
- CERT/CSIRT services. A CSIRT is a team that responds to computer security incidents by providing all the services needed to solve the problem(s), or to support their resolution.
- ISAC: Information Sharing and Analysis Center

CEWS Architecture
(architecture diagram; ISAC: Information Sharing and Analysis Center)

THP: Project History
(timeline: Honeywall, 2005, 2006, 2007, 2008, 2009, 2010, 2011)

Tools used in the current configuration
- 2500 public IP addresses

2009-2010: annual evolution of attacks (chart)

2010-2011: annual evolution of attacks (chart)

Saher-Honeynet Website: online statistics
www.honeynet.tn

Saher-Honeynet Website: « Dashboard »
www.honeynet.tn/dashboard

Ideas for GSoC 2012: IP Reputation Database
- Design and specify a tool that interfaces with many honeypot tools (dionaea, glastopf, kippo, ...) and maintains an up-to-date database for checking the reputation of any IP address against its historic logs.
- Provide web access (web services) to this tool: automatically obtain the source IP, return the information related to its reputation history, and send the instructions needed for the cleaning process.

Ideas for GSoC 2012: Black-List Generator
- Build an up-to-date list of malicious domains and hosts from the malware collected.
- Select equipment profiles to generate ACLs (firewall, IDS/IPS, proxy, ...).
- Design and specify the techniques for the black-list tool.
- Share the black-list online.

Distributed detection architecture (diagram)
- ISP 1, ISP 2, ISP 3, each with an IDS
- Watch for logs
- Save passive DNS
- Detection
- Extract the list of malicious domains
- Update D-IDS rules

THANKS
http://www.honeynet.tn
honeynet@ansi.tn
Hafidh.faleh@gmail.com
http://twitter.com/SaherHoneyNet
http://www.linkedin.com/groups/The-Honeynet-ProjectTunisia-chapter
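The two GSoC ideas above (an IP reputation database fed by honeypot logs, and a black-list generator that renders ACLs per equipment profile) share one pipeline, so the following Python sketches both in a single block. This is an added example written for this page, not code from the Saher-Honeynet project or the slides. It assumes that each honeypot (dionaea, glastopf, kippo, ...) has an adapter that emits normalized events as dicts with the fields ts, honeypot, src, kind and an optional domain; that format, the scoring weights, the verdict thresholds and the sample events are all assumptions made here.

```python
"""Added example: honeypot events -> IP reputation DB -> per-profile black-list ACLs.
Not the Saher-Honeynet project's code; the event format and weights are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events (RFC 5737 documentation addresses). The normalized
# shape, one dict per event produced by a per-honeypot adapter, is an assumption.
SAMPLE_EVENTS = [
    {"ts": "2012-03-01T10:00:00", "honeypot": "kippo", "src": "203.0.113.7", "kind": "ssh_bruteforce"},
    {"ts": "2012-03-01T10:05:00", "honeypot": "kippo", "src": "203.0.113.7", "kind": "ssh_bruteforce"},
    {"ts": "2012-03-02T01:00:00", "honeypot": "dionaea", "src": "203.0.113.7",
     "kind": "malware_download", "domain": "dl.bad.example"},
    {"ts": "2012-03-02T02:30:00", "honeypot": "glastopf", "src": "198.51.100.9", "kind": "web_attack"},
    {"ts": "2012-03-03T09:00:00", "honeypot": "dionaea", "src": "198.51.100.9",
     "kind": "malware_download", "domain": "CNC.worse.example."},
    {"ts": "2012-03-03T09:10:00", "honeypot": "glastopf", "src": "192.0.2.55", "kind": "web_scan"},
    {"ts": "bad", "honeypot": "kippo", "src": "not-an-ip", "kind": "ssh_bruteforce"},  # malformed, skipped
]

# Assumed weights: a malware drop counts far more than a scan.
WEIGHTS = {"malware_download": 50, "ssh_bruteforce": 10, "web_attack": 10, "web_scan": 2}


@dataclass
class Reputation:
    first_seen: datetime
    last_seen: datetime
    events: int = 0
    score: int = 0
    honeypots: set = field(default_factory=set)
    domains: set = field(default_factory=set)


def build_reputation(events):
    """Aggregate normalized honeypot events into a per-IP reputation record."""
    db = {}
    for ev in events:
        try:
            ip = str(ipaddress.ip_address(ev["src"]))
            ts = datetime.fromisoformat(ev["ts"])
        except (KeyError, ValueError):
            continue  # a malformed log line must not poison the database
        rep = db.setdefault(ip, Reputation(first_seen=ts, last_seen=ts))
        rep.first_seen = min(rep.first_seen, ts)
        rep.last_seen = max(rep.last_seen, ts)
        rep.events += 1
        rep.score += WEIGHTS.get(ev.get("kind"), 1)
        rep.honeypots.add(ev["honeypot"])
        if ev.get("domain"):
            rep.domains.add(ev["domain"].lower().rstrip("."))  # canonical form
    return db


def lookup(db, ip):
    """What the web service would return for one queried IP address."""
    try:
        ip = str(ipaddress.ip_address(ip))
    except ValueError:
        return {"ip": ip, "known": False, "error": "invalid address"}
    rep = db.get(ip)
    if rep is None:
        return {"ip": ip, "known": False}
    verdict = "malicious" if rep.score >= 50 else "suspicious" if rep.score >= 10 else "low"
    return {"ip": ip, "known": True, "verdict": verdict, "score": rep.score, "events": rep.events,
            "first_seen": rep.first_seen.isoformat(), "last_seen": rep.last_seen.isoformat(),
            "honeypots": sorted(rep.honeypots), "domains": sorted(rep.domains)}


def blacklist(db, min_score=50):
    """IPs and domains that crossed the (assumed) malicious threshold."""
    ips = sorted(ip for ip, r in db.items() if r.score >= min_score)
    domains = sorted({d for r in db.values() if r.score >= min_score for d in r.domains})
    return ips, domains


def render_acl(profile, ips, domains, sid_base=1000001):
    """Render the black-list for one equipment profile: firewall, IDS or proxy."""
    if profile == "iptables":
        return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]
    if profile == "snort":
        return [f'alert ip {ip} any -> $HOME_NET any (msg:"Saher blacklist IP {ip}"; '
                f'sid:{sid_base + i}; rev:1;)' for i, ip in enumerate(ips)]
    if profile == "squid":  # a squid acl name has one type, so domains and IPs are split
        return ([f"acl saher_blocked_dom dstdomain .{d}" for d in domains]
                + [f"acl saher_blocked_ip dst {ip}" for ip in ips]
                + ["http_access deny saher_blocked_dom", "http_access deny saher_blocked_ip"])
    raise ValueError(f"unknown profile: {profile}")


if __name__ == "__main__":
    db = build_reputation(SAMPLE_EVENTS)
    print(lookup(db, "203.0.113.7"))
    ips, domains = blacklist(db)
    for profile in ("iptables", "snort", "squid"):
        print("\n".join(render_acl(profile, ips, domains)))
```

Two design points matter for a production version: the malformed-event branch is deliberate, since a single unparseable log line from one honeypot should not crash the whole ingestion run, and the domain canonicalisation (lower-case, trailing dot stripped) prevents the same name from appearing twice in the shared list. The thresholds and weights are placeholders to be tuned against real honeypot data.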