Update

This month I'm going to put a lot of effort into this project. I should have a simple EarlyBird beta by March. Stay tuned for rapid development.

-Chris

Project Members
Maetrics
Setuid
Team Violating

Warhol Honeypot Project

Honeypots are the latest security trend to climb the hype curve. Plenty of honeypot projects are already in use to lure and study script kiddies. Most of these honeypots distinguish themselves by their ability to emulate services and operating systems. The Warhol project is unique in that, instead of playing a cat-and-mouse game with script kiddies, it specifically targets and captures mobile code.

The ultimate goal of this project is to create a turn-key sensor that can detect, capture, and alert on the presence of fast-spreading mobile code within 15 minutes of initial infection on the Internet. To do this, the project will need to be able to detect an abnormal increase in traffic to a port, generate an emulator, and deploy it to capture data. It will also need to include the bells and whistles found in other honeypots, including the ability to borrow unused IP addresses, spoof operating systems, and automatically update its emulators.


Project Focus

eBird

EarlyBird, or eBird, is our generic collector. The EarlyBird gets the worm. eBird is designed to be summoned by inetd and logs all the information flowing to and from the emulator. When loaded, eBird forks the selected emulator and communicates with it over stdio. This method allows the emulator to be written in any language, and thus increases the number of potential developers.

Using a configuration file, eBird first looks for an emulator for the port eBird is listening on. If there are multiple emulators for that service, eBird selects one of them at random. If there are no emulators for the service, eBird reacts to what the client does: if the client does not send any data, eBird selects a random emulator that is "server initiated"; otherwise, if the client does send data, eBird selects a random "client initiated" emulator that understands the initial client data.

Once a compatible emulator is selected, eBird records and proxies communications between the emulator and the client. Once the communication is finished, eBird calculates a hash from only the client-side data. If this hash does not match a previous client hash, the session is tagged as a new event, and EarlyBird alerts the admin with a dump of both the client and emulator traffic.
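The following is an added example that models the eBird flow described above (emulator selection from a configuration, forking the emulator with stdio pipes, recording both sides, and hashing only the client-side data to tag new events). It is illustrative code written for this page, not the Warhol project's own collector: the `Emulator` record, the `accepts` prefix list used to decide whether a client-initiated emulator "understands" the initial client data, and the two tiny emulators launched via `sys.executable -c` are all assumptions, and the client bytes are constructed sample input. A real deployment would be spawned by inetd with the socket on stdin/stdout; here `run_session` takes the client's bytes directly so it runs offline.

```python
"""Model of the eBird collector flow (added example, not the project's code)."""
import hashlib
import random
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class Emulator:
    name: str
    ports: tuple          # ports this emulator is configured for; () = generic
    initiated_by: str     # "server" (sends a banner first) or "client"
    argv: list            # command forked with stdin/stdout piped to eBird
    accepts: tuple = ()   # client-data prefixes it understands (assumed field)

    def understands(self, data: bytes) -> bool:
        return any(data.startswith(p) for p in self.accepts)


def select_emulator(config, port, initial_client_data, rng=random):
    """Selection rules from the page: port match first, then client behaviour."""
    by_port = [e for e in config if port in e.ports]
    if by_port:
        return rng.choice(by_port)
    if not initial_client_data:
        pool = [e for e in config if e.initiated_by == "server"]
    else:
        pool = [e for e in config
                if e.initiated_by == "client" and e.understands(initial_client_data)]
    return rng.choice(pool) if pool else None


def run_session(emulator, client_chunks, timeout=5):
    """Fork the emulator, feed it the client data over stdio, record both sides."""
    proc = subprocess.Popen(emulator.argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    client_data = b"".join(client_chunks)
    try:
        emulator_data, _ = proc.communicate(client_data, timeout=timeout)
    except subprocess.TimeoutExpired:  # a hung emulator must not hang the collector
        proc.kill()
        emulator_data, _ = proc.communicate()
    return client_data, emulator_data


def client_hash(client_data: bytes) -> str:
    # Only client-side bytes are hashed, so emulator variations do not mask repeats.
    return hashlib.sha256(client_data).hexdigest()


class EventLog:
    """Tags a session as a new event when its client hash has not been seen."""

    def __init__(self):
        self.seen = set()
        self.alerts = []

    def record(self, emulator, client_data, emulator_data):
        h = client_hash(client_data)
        is_new = h not in self.seen
        if is_new:
            self.seen.add(h)
            self.alerts.append({"emulator": emulator.name, "client_sha256": h,
                                "client": client_data, "emulator_out": emulator_data})
        return is_new


# Two toy emulators (assumed); they stand in for real service emulators.
SMTP_BANNER = Emulator(
    "smtp-banner", (25,), "server",
    [sys.executable, "-c",
     "import sys;o=sys.stdout.buffer;o.write(b'220 mail ready\\r\\n');o.flush();"
     "sys.stdin.buffer.read();o.write(b'221 bye\\r\\n')"])
HTTP_OK = Emulator(
    "http-ok", (), "client",
    [sys.executable, "-c",
     "import sys;sys.stdin.buffer.read();"
     "sys.stdout.buffer.write(b'HTTP/1.0 200 OK\\r\\nContent-Length: 0\\r\\n\\r\\n')"],
    accepts=(b"GET ", b"POST ", b"HEAD "))
CONFIG = [SMTP_BANNER, HTTP_OK]

# Constructed sample client traffic (not captured data).
SAMPLE_REQUEST = [b"GET / HTTP/1.0\r\n", b"\r\n"]


def demo():
    """One full pass: select, fork, record, hash, classify. Returns (new1, new2)."""
    log = EventLog()
    emu = select_emulator(CONFIG, 8080, SAMPLE_REQUEST[0], random.Random(0))
    first = log.record(emu, *run_session(emu, SAMPLE_REQUEST))
    repeat = log.record(emu, *run_session(emu, SAMPLE_REQUEST))
    return first, repeat


if __name__ == "__main__":
    print(demo())
```

Note that the hash covers the complete client-side stream, so a worm whose payload is byte-for-byte identical on every connection produces one alert, while a variant that changes even one byte is tagged as a new event.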