Changes between Version 1 and Version 2 of 2007/02/19/22.07

Author: xkovah (IP: 67.171.74.94)
Timestamp: 02/20/07 13:12:44 (4 years ago)
Comment:

  • 2007/02/19/22.07

    Unchanged in both versions:

    [http://www.xnos.org/security/web-exploit-finder/introduction.html Xnos Labs' Web Exploit Finder] (WEF) is a relatively new client-side honeypot (begun in the summer of 2006). There are German and English whitepapers [http://www.xnos.org/security/web-exploit-finder/resources.html here] which restate and expand upon the information put on the first linked site. The architecture itself is similar to our own, though there are differences such as their use of EJB, JSF, and JBoss on the management side. Other differences come in implementation details such as our exclusive use of Perl vs. their use of C/C++/Java/J2EE.

    Removed in v2 (text as it stood in v1):

    Similar to the [http://capture-hpc.sourceforge.net/ Capture] client-side honeypot, they use system call hooking to notify them of events rather than the snapshot-based system that we currently use. While it is clear that such a system is ultimately beneficial for efficiency reasons, we have currently prioritized other aspects such as dealing with active content like Flash and implementing intelligent crawling with link prioritizing. It's hard to say whether WEF will take off though. The students currently say they can only work on it in their spare time. Therefore, even though it aims to be open source (though no code has actually been posted yet), it is at a disadvantage in that Capture is sponsored by the Honeynet project, and our own code has a number of full time developers supporting it. Ultimately it seems to me to mostly be students opening up a project which they know has merit but which they can no longer spend time on. However, since all of the major client-side honeypots (except for Microsoft's HoneyMonkeys) are open source, I'm sure we will all benefit from some degree of technology transfer in the long run.

    The only real bone I have to pick with this project is that, as someone coming from academia, I expect papers to contain references and cite sources. Heck, even if you're coming from the ad-hockery of the hacker scene, you know that even Phrack papers contain references. The lack of references in their posted whitepaper is therefore quite strange.

    Added in v2:

    Similar to the [http://capture-hpc.sourceforge.net/ Capture] client-side honeypot, they use system call hooking to notify them of events rather than the snapshot-based system that we currently use. While it is clear that such a system is ultimately beneficial for efficiency reasons, we have currently prioritized other aspects such as dealing with active content like Flash and implementing intelligent crawling with link prioritizing. It's hard to say whether WEF will take off though. The students currently say they can only work on it in their spare time. Therefore, even though it aims to be open source (though no code has actually been posted yet), it is at a disadvantage in that Capture is sponsored by the Honeynet project, and our own code has a number of full time developers supporting it. It will still be interesting to see what they can produce though. Also, since all of the major client-side honeypots (except for Microsoft's HoneyMonkeys) are open source, I'm sure we will all benefit from some degree of technology transfer in the long run.