HP Workshop 2012: Tunisian chapter Update

THP: Tunisian Honeynet Project
« Saher-Honeynet »
Speaker:
Hafidh EL FALEH
hafidh.faleh@gmail.com
NACS - March 2012
Perimeter of the project
The NACS is a member of:
CERT/CSIRT Services
A CSIRT is a team that responds to computer security incidents by providing all the services needed to solve the problem(s) or to support their resolution.
ISAC: Information Sharing and Analysis Center
CEWS Architecture
ISAC: Information Sharing and Analysis Center
THP: Project Histogram
(Timeline figure: Honeywall deployment, years 2005 to 2011)
Tools used in the current configuration
2500 Public IP
(Chart: annual evolution of attacks, 2009-2010)
(Chart: annual evolution of attacks, 2010-2011)
Saher-Honeynet Website: Online statistics
www.honeynet.tn
Saher-Honeynet Website: « Dashboard »
www.honeynet.tn/dashboard
Ideas For GSoc 2012
IP Reputation Database
- Design and specify a tool that interfaces with many honeypot tools (dionaea, glastopf, kippo, ...) and maintains an up-to-date database for checking the reputation of any IP address based on its historical logs.
- Provide web access (web services) to this tool: automatically receive the source IP, return the information related to its reputation history, and send the instructions needed for the cleaning process.
Ideas For GSoc 2012
Black-List Generator
- Create an updated list of malicious domains and hosts from the malware obtained.
- Select the equipment profile for which to generate an ACL (firewall, IDS/IPS, proxy, ...).
- Design and specify techniques for the black-list tool.
- Share the black-list online.
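As an added illustration of the Black-List Generator idea (example code written for this page, not the Saher-Honeynet project's own tool): indicators are validated and de-duplicated, then rendered as rules for a chosen equipment profile. The sample indicators, profile names and rule templates are constructed assumptions; the firewall profile deliberately skips domain entries, since a packet filter cannot block by name.

```python
import ipaddress
import re
# Constructed sample indicators (placeholders, not values from the slides).
SAMPLE_INDICATORS = [
    "198.51.100.23",    # attacker IP as a dionaea sensor would log it
    "malware.example",  # domain extracted from passive DNS detection
    "203.0.113.9",
    "198.51.100.23",    # duplicate: must be collapsed
    "not a host!",      # malformed: must be rejected, never emitted as a rule
]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def classify(entry):
    """Validate one indicator; return ('ip', v) / ('domain', v) or None."""
    entry = entry.strip().lower().rstrip(".")
    try:
        return ("ip", str(ipaddress.ip_address(entry)))
    except ValueError:
        return ("domain", entry) if DOMAIN_RE.match(entry) else None

def build_blacklist(entries):
    """Validated, de-duplicated, sorted list of (kind, value) tuples."""
    return sorted({item for item in map(classify, entries) if item})

def dns_content(domain):
    """Wire-format labels for a Snort content match: |07|malware|07|example|00|"""
    return "".join(f"|{len(l):02x}|{l}" for l in domain.split(".")) + "|00|"

# Equipment profiles (assumed): one rule template per indicator kind; None = unsupported.
PROFILES = {
    "firewall": {"ip": "iptables -A INPUT -s {v} -j DROP", "domain": None},
    "ids": {
        "ip": 'alert ip {v} any -> $HOME_NET any (msg:"blacklist ip {v}"; sid:{sid}; rev:1;)',
        "domain": 'alert udp $HOME_NET any -> any 53 (msg:"blacklist domain {v}"; '
                  'content:"{dns}"; nocase; sid:{sid}; rev:1;)',
    },
    "proxy": {"ip": "acl blacklist dst {v}", "domain": "acl blacklist dstdomain .{v}"},
}

def generate_acl(blacklist, profile, sid_base=1000000):
    """Render the black-list as rules for one equipment profile."""
    rules = []
    for i, (kind, value) in enumerate(blacklist):
        tpl = PROFILES[profile][kind]
        if tpl is None:
            continue  # e.g. a packet filter cannot block by domain name
        dns = dns_content(value) if kind == "domain" else ""
        rules.append(tpl.format(v=value, sid=sid_base + i, dns=dns))
    if profile == "proxy" and rules:
        rules.append("http_access deny blacklist")
    return rules
```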
(Architecture diagram: IDS sensors at ISP 1, ISP 2 and ISP 3; steps shown: watch for logs, save passive DNS detection, extract list of malicious domains, update D-IDS rules)
THANKS
http://www.honeynet.tn
honeynet@ansi.tn
Hafidh.faleh@gmail.com
http://twitter.com/SaherHoneyNet
http://www.linkedin.com/groups/The-Honeynet-ProjectTunisia-chapter