
Chapter 4: Database System Design

4.2 Network Scanning - Operation

4.2.1 Objectives and Requirements

The purpose of the tables connected with the operation of the system is to provide the user a convenient place to store the desired traits and functionality and to monitor the various modules without additional input from the user. While gathering the user input could have been accomplished through a complex command line statement or a configuration file, database tables provide the user a view of the required information and the necessary format. The database also allows the user to change the functionality of the system on-the-fly by updating the operational tables.

4.2.2 Design and Implementation

There are three tables specifically dedicated to the operational duties of the system: config, threads and honeypot_updates.

config

The config table contains all the necessary information for the startup and operation of the system and its modules. Some of the database entries are for files which Honeyd uses to emulate different OSs, determine how to react to ICMP fingerprinting, and create dynamic templates. Though Honeyd is not currently deployed from this system, the database entries are in place so that a small section of code can be added to make it possible.

• eth_interface

- Ethernet interface that the active and passive scanning modules will utilize to gather information

• mac_addr

- MAC address of the Ethernet interface, which allows the scanning modules to filter out any communication with the system itself

• dhcp_server

- Allows honeypot_scanner to request, renew or release IP addresses for the low interaction honeypots

• p0f_os

- File location of pf.os for deploying Honeyd

• nmap_exe

- nmap application (executable) that active_scanner passes to nmap_mysql

• nmap_prints

- File location of nmap.prints for deploying Honeyd

• nmap_assoc

- File location of nmap.assoc for deploying Honeyd

• nmap_xml

- Output location for the nmap XML file

• xprobe2_conf

- File location of xprobe2.conf for deploying Honeyd

• xprobe2_xml

- Output location for the xprobe2 XML file

• honeypot_xml

- Output location for the honeypot XML configuration file

• honeyd_config

- Output location for the Honeyd configuration file

• honeyd_ip_binding

- Enables the user to choose which IP addresses are used in the Honeyd configuration file, discussed in section 3.4.2 Design and Implementation

• honeyd_ip_range

- IP range that the user chooses for the low interaction honeypots, used in conjunction with the iD and iR values of honeyd_ip_binding:

o iD: the low interaction honeypot retains the same last octet as the system scanned but uses the first three octets of the honeyd_ip_range IP address

o iR: the low interaction honeypots are configured starting with the first IP address in the range, and configuration terminates once the range has been filled

• scan_ip_range

- IP subnet from which the system gathers information to create the configuration files

• initial_deployment

- Number of identified devices required before the initial configuration files are generated

• percent_change

- Change in percent value that needs to occur before a subsequent generation of the configuration files

• noise

- Amount of noise that the user deems acceptable to introduce to the network with the passive and active scanning modules, discussed in section 3.2.2 Design and Implementation, active_scanner

• active_scan_seconds

- Number of seconds between active scanning sessions, which aids in regulating the noise introduced to the network

- Timeframe in which devices need to be identified or updated to be included in the configuration files, which keeps the honeypots relevant to the current network

• date_created

- Date that the table was created
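The two honeyd_ip_binding modes, iD and iR, worked through as an added example (this is not code from the thesis system). It assumes honeyd_ip_range is stored as a "first-last" string, which the text does not specify, and returns None for a device that cannot be given a honeypot address.

```python
import ipaddress
from typing import Dict, Iterable, Optional

def assign_honeypot_ips(scanned_ips: Iterable[str], honeyd_ip_binding: str,
                        honeyd_ip_range: str) -> Dict[str, Optional[str]]:
    """Map each scanned device IP to the IP its low interaction honeypot gets.

    honeyd_ip_binding: "iD" keeps the device's last octet and takes the first
                       three octets from the start of honeyd_ip_range;
                       "iR" hands out addresses sequentially from the start of
                       the range and stops once the range is filled.
    honeyd_ip_range:   "first-last" (e.g. "10.0.5.10-10.0.5.20"); this string
                       layout is an assumption, the thesis does not show it.
    A value of None means no honeypot address could be assigned.
    """
    first_s, last_s = honeyd_ip_range.split("-", 1)
    first = ipaddress.IPv4Address(first_s.strip())
    last = ipaddress.IPv4Address(last_s.strip())
    if last < first:
        raise ValueError("honeyd_ip_range ends before it starts")
    if honeyd_ip_binding not in ("iD", "iR"):
        raise ValueError(f"unknown honeyd_ip_binding {honeyd_ip_binding!r}")

    prefix = ".".join(str(first).split(".")[:3])   # first three octets for iD
    next_free = first                              # allocation cursor for iR
    taken = set()
    assigned: Dict[str, Optional[str]] = {}
    for ip in scanned_ips:
        device = ipaddress.IPv4Address(ip)         # validates the scanned address
        if honeyd_ip_binding == "iD":
            # Two devices from different subnets can share a last octet; the
            # second one would collide with an existing honeypot, so skip it.
            candidate = ipaddress.IPv4Address(f"{prefix}.{str(device).split('.')[-1]}")
            if candidate in taken:
                assigned[ip] = None
                continue
        else:  # iR
            if next_free > last:
                assigned[ip] = None                # range filled: stop assigning
                continue
            candidate = next_free
            next_free += 1
        taken.add(candidate)
        assigned[ip] = str(candidate)
    return assigned
```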

threads

The threads table aids in monitoring the passive scanning modules and the secondary active scanning management program. threads acts as a lookup table for the process identification (PID) of p0f_mysql, tcpdump_mysql and active_scanner. Each of the modules updates the threads table upon being deployed. honeypot_scanner can track the modules to ensure they are still running, and take the necessary actions if a program has terminated.

• thread_id

- Unique ID for this thread

• thr_name

- Name of the module (tcpdump_scan, p0f_scan, active_scan)

• thr_pid

- Process identification for the thread, which is polled by honeypot_scanner to ensure the module has not terminated

• last_tstamp

- Last timestamp of the thread's creation
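The threads registration and polling cycle just described, as an added example rather than code from the thesis system. It assumes a SQLite stand-in with the column names listed above (the system's actual MySQL definition is not shown) and a PID liveness check via signal 0; a module that calls register_thread without a pid registers itself.

```python
import os
import sqlite3
import time

# Assumed DDL for the threads table (SQLite stand-in for the thesis system's
# MySQL table, whose exact definition is not shown).
SCHEMA = """
CREATE TABLE IF NOT EXISTS threads (
    thread_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    thr_name    TEXT    NOT NULL UNIQUE,
    thr_pid     INTEGER NOT NULL,
    last_tstamp INTEGER NOT NULL);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def register_thread(conn, thr_name, pid=None, now=None):
    # Called by a module (tcpdump_scan, p0f_scan, active_scan) as it starts;
    # pid defaults to the calling process. A restart of the same module
    # replaces its stale row instead of adding a second one.
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    with conn:
        conn.execute("INSERT INTO threads (thr_name, thr_pid, last_tstamp) VALUES (?, ?, ?) "
                     "ON CONFLICT(thr_name) DO UPDATE SET thr_pid = excluded.thr_pid, "
                     "last_tstamp = excluded.last_tstamp", (thr_name, pid, now))

def pid_alive(pid):
    try:
        os.kill(pid, 0)        # signal 0 checks existence only; nothing is delivered
    except ProcessLookupError:
        return False
    except PermissionError:
        return True            # the process exists but belongs to another user
    return True

def dead_threads(conn):
    # honeypot_scanner's poll: names of registered modules whose PID has gone
    # away, i.e. the ones it needs to restart
    rows = conn.execute("SELECT thr_name, thr_pid FROM threads ORDER BY thread_id")
    return [name for name, pid in rows if not pid_alive(pid)]
```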

honeypot_updates

The honeypot_updates table contains a continuous record of all the deployments of honeypot configuration files. This allows the user to gauge the dynamic nature of the network environment and identify patterns which can be linked to certain periods of time or situations. Hours of network traffic from individual computers can be tracked and incorporated into an anomaly-based IDS, cycles in a school year can be recorded, rogue devices on an organization's network can be traced, and intrusions can be observed by identifying new and unusual open ports on a device.

• update_id

- Unique ID for this honeypot update

• num_machines

- Number of total devices identified within the predetermined number of seconds (active_scan_seconds)

• num_services

- Number of total services gathered within the predetermined number of seconds (active_scan_seconds)

• date_updated

- Time and date of the last update

scan_queue

The scan_queue table acts as a queue between the passive scanning modules and active_scanner. scan_queue provides a place for the passive scanning programs to insert identified computers and allows active_scanner to remove the information to initiate the correct active scanning module. The queue was designed to decrease the need for constant communication and interrupts between the two programs, allowing the modules to insert and remove the information as needed.

• scan_id

- Unique ID for this device information

• ip_addr

- IP address of the identified device

• mac_addr

- MAC address of the identified device

• date_created

- Time and date of the device's identification

• last_tstamp_time

- Last timestamp for seeing the identified device (UNIX time)
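The producer and consumer sides of scan_queue, as an added example that is not code from the thesis system. It assumes a SQLite stand-in with the columns listed above (the MySQL definition is not shown) and treats a device seen again by the passive scanners as a refresh of last_tstamp_time rather than a second queue entry.

```python
import sqlite3
import time

# Assumed DDL for the scan_queue table (SQLite stand-in for the thesis system's
# MySQL table, whose exact definition is not shown).
SCHEMA = """
CREATE TABLE IF NOT EXISTS scan_queue (
    scan_id          INTEGER PRIMARY KEY AUTOINCREMENT,
    ip_addr          TEXT    NOT NULL UNIQUE,
    mac_addr         TEXT    NOT NULL,
    date_created     INTEGER NOT NULL,
    last_tstamp_time INTEGER NOT NULL);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def enqueue_device(conn, ip_addr, mac_addr, now=None):
    # Passive scanner side. A device seen again before active_scanner got to it
    # keeps its place in the queue and only refreshes last_tstamp_time (and the
    # MAC, in case it changed), so one device never queues two active scans.
    now = int(time.time()) if now is None else now
    with conn:
        conn.execute("INSERT INTO scan_queue (ip_addr, mac_addr, date_created, last_tstamp_time) "
                     "VALUES (?, ?, ?, ?) ON CONFLICT(ip_addr) DO UPDATE SET "
                     "mac_addr = excluded.mac_addr, last_tstamp_time = excluded.last_tstamp_time",
                     (ip_addr, mac_addr, now, now))

def dequeue_device(conn):
    # active_scanner side: take the oldest entry and delete it in the same
    # transaction. (On MySQL, SELECT ... FOR UPDATE would additionally lock the
    # row against a second active_scanner instance taking the same device.)
    with conn:
        row = conn.execute("SELECT scan_id, ip_addr, mac_addr FROM scan_queue "
                           "ORDER BY scan_id LIMIT 1").fetchone()
        if row is None:
            return None           # queue empty; nothing for active_scanner to do
        conn.execute("DELETE FROM scan_queue WHERE scan_id = ?", (row[0],))
    return row[1], row[2]

def queue_length(conn):
    return conn.execute("SELECT COUNT(*) FROM scan_queue").fetchone()[0]
```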