From 4a36d1b78f7ab79b21bfd64b59e2412d1eace9f4 Mon Sep 17 00:00:00 2001
From: Michael Hamm
Date: Wed, 3 Jan 2018 10:25:36 +0100
Subject: [PATCH 1/7] Honeypot basic taxonomy
---
 honeypot_basic/machinetag.json | 54 ++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 honeypot_basic/machinetag.json
diff --git a/honeypot_basic/machinetag.json b/honeypot_basic/machinetag.json
new file mode 100644
index 0000000..0197668
--- /dev/null
+++ b/honeypot_basic/machinetag.json
@@ -0,0 +1,54 @@
+{
+ "namespace": "honeypot_basic",
+ "description": "Christian Seifert, Ian Welch, Peter Komisarczuk, ‘Taxonomy of Honeypots’, Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF WELLINGTON, School of Mathematical and Computing Sciences, June 2006, http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "interaction-level",
+ "expanded": "Interaction Level",
+ "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+ },
+ {
+ "value": "interaction-level",
+ "expanded": "Interaction Level",
+ "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+ },
+ {
+ "value": "interaction-level",
+ "expanded": "Interaction Level",
+ "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+ },
+ {
+ "value": "interaction-level",
+ "expanded": "Interaction Level",
+ "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+ },
+ {
+ "value": "interaction-level",
+ "expanded": "Interaction Level",
+ "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+ },
+ {
+ "value": "interaction-level",
+ "expanded": "Interaction Level",
+ "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+ }
+ ],
+ "values": [
+ {
+ "predicate": "interaction-level",
+ "entry": [
+ {
+ "value": "high",
+ "expanded": "High Interaction Level",
+ "description": "Exposed functionality of the honeypot is not limited."
+ },
+ {
+ "value": "low",
+ "expanded": "low Interaction Level",
+ "description": "Exposed functionality being limited. For example, a simulated SSH server of a honeypot is not able to authenticate against a valid login/password combination"
+ }
+ ]
+ }
+ ]
+}
From 1c15c48c3cde82c9998dc744a6ce3238048ee9bc Mon Sep 17 00:00:00 2001
From: Michael Hamm
Date: Wed, 3 Jan 2018 10:40:19 +0100
Subject: [PATCH 2/7] Data Capture added
---
 honeypot_basic/machinetag.json | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/honeypot_basic/machinetag.json b/honeypot_basic/machinetag.json
index 0197668..5e615a2 100644
--- a/honeypot_basic/machinetag.json
+++ b/honeypot_basic/machinetag.json
@@ -9,9 +9,9 @@
 "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
 },
 {
- "value": "interaction-level",
- "expanded": "Interaction Level",
- "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+ "value": "data-capture",
+ "expanded": "Data Capture",
+ "description": "Describes the type of data a honeypot is able to capture"
 },
 {
 "value": "interaction-level",
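Review bot: In PATCH 1/7 the `predicates` array lists the same `interaction-level` entry six times, so at this commit the file declares duplicate predicate values; the later patches overwrite five of them, but a consumer that indexes predicates by `value` would presumably see collisions at this revision. Adding only the one implemented predicate here and appending the others as they are defined would keep each commit valid by itself. In the `values` entries of the same hunk, `"expanded": "low Interaction Level"` should read `"expanded": "Low Interaction Level"` to match the `high` entry, and the `low` description is missing its closing period.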
@@ -49,6 +49,31 @@
 "description": "Exposed functionality being limited. For example, a simulated SSH server of a honeypot is not able to authenticate against a valid login/password combination"
 }
 ]
+ },
+ {
+ "predicate": "data-capture",
+ "entry": [
+ {
+ "value": "events",
+ "expanded": "Events",
+ "description": "The honeypot collects data about something that has happened or took place, a change in state."
+ },
+ {
+ "value": "attacks",
+ "expanded": "Attacks",
+ "description": "The honeypot collects malicious activity."
+ },
+ {
+ "value": "intrusions",
+ "expanded": "Intrusions",
+ "description": "The honeypot collects malicious activity that leads to a security failure."
+ },
+ {
+ "value": "none",
+ "expanded": "None",
+ "description": "The honeypot does not collect events, attacks, or intrusions."
+ }
+ ]
 }
 ]
 }
From c60027f0015b2ce546f4decb7d32a870e895e5c3 Mon Sep 17 00:00:00 2001
From: Michael Hamm
Date: Wed, 3 Jan 2018 10:51:34 +0100
Subject: [PATCH 3/7] Containment added
---
 honeypot_basic/machinetag.json | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/honeypot_basic/machinetag.json b/honeypot_basic/machinetag.json
index 5e615a2..27de311 100644
--- a/honeypot_basic/machinetag.json
+++ b/honeypot_basic/machinetag.json
@@ -14,9 +14,9 @@
 "description": "Describes the type of data a honeypot is able to capture"
 },
 {
- "value": "interaction-level",
- "expanded": "Interaction Level",
- "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+ "value": "containment",
+ "expanded": "Containment",
+ "description": "Classifies the measures a honeypot takes to defend against malicious activity spreading from itself."
 },
 {
 "value": "interaction-level",
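Review bot: The `data-capture` values added in the second hunk of PATCH 2/7 appear to overlap as described: `intrusions` is malicious activity that leads to a security failure, which reads as a subset of `attacks`, and both look like kinds of `events`, so it is unclear whether a sensor that captures intrusions should carry one tag or all three. The predicate description (added in the first hunk of the same patch) should state the rule, for example `"description": "Describes the most specific type of data a honeypot is able to capture."` if a single tag is intended. Without that, analysts filtering shared honeypot data by this tag are likely to get inconsistent results between contributors.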
@@ -74,6 +74,31 @@
 "description": "The honeypot does not collect events, attacks, or intrusions."
 }
 ]
+ },
+ {
+ "predicate": "containment",
+ "entry": [
+ {
+ "value": "block",
+ "expanded": "Block",
+ "description": "Attacker’s actions are identified and blocked. The attack never reaches the target."
+ },
+ {
+ "value": "defuse",
+ "expanded": "Defuse",
+ "description": "The attack reaches the target, but is manipulated in a way that it fails against the target."
+ },
+ {
+ "value": "slow-down",
+ "expanded": "Slow Down",
+ "description": "Attacker is slowed down in his actions of spreading malicious activity."
+ },
+ {
+ "value": "none",
+ "expanded": "None",
+ "description": "No action is taken to limit the intruder’s spread of malicious activity against other systems."
+ }
+ ]
 }
 ]
 }
From 2c8ad8d4c0cf72679865436fa6df68301964e008 Mon Sep 17 00:00:00 2001
From: Michael Hamm
Date: Wed, 3 Jan 2018 10:59:32 +0100
Subject: [PATCH 4/7] Distribution Appearance added
---
 honeypot_basic/machinetag.json | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/honeypot_basic/machinetag.json b/honeypot_basic/machinetag.json
index 27de311..fe2253d 100644
--- a/honeypot_basic/machinetag.json
+++ b/honeypot_basic/machinetag.json
@@ -19,9 +19,9 @@
 "description": "Classifies the measures a honeypot takes to defend against malicious activity spreading from itself."
 },
 {
- "value": "interaction-level",
- "expanded": "Interaction Level",
- "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+ "value": "distribution-appearance",
+ "expanded": "Distribution Appearance",
+ "description": "Describes whether the honeypot system appears to be confined to one system or multiple systems."
 },
 {
 "value": "interaction-level",
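Review bot: The `slow-down` description in the second hunk of PATCH 3/7 uses `his` for the attacker, and the four `containment` descriptions switch between `Attacker` and `intruder` for what looks like the same actor. A neutral, consistent wording would be clearer, for example `"description": "The attacker is slowed down when spreading malicious activity."`. The `block` and `none` descriptions also use the typographic apostrophe `’`, which is valid in UTF-8 JSON but may display poorly in tools that assume ASCII; a plain `'` avoids that.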
@@ -99,6 +99,21 @@
 "description": "No action is taken to limit the intruder’s spread of malicious activity against other systems."
 }
 ]
+ },
+ {
+ "predicate": "distribution-appearance",
+ "entry": [
+ {
+ "value": "distributed",
+ "expanded": "Distributed",
+ "description": "The honeypot is or appears to be composed of multiple systems."
+ },
+ {
+ "value": "stand-alone",
+ "expanded": "Stand-Alone",
+ "description": "The honeypot is or appears to be one system."
+ }
+ ]
 }
 ]
 }
From 90afc7121e9efc940638a53aa685353ee66f8904 Mon Sep 17 00:00:00 2001
From: Michael Hamm
Date: Wed, 3 Jan 2018 11:09:06 +0100
Subject: [PATCH 5/7] communication-interface added
---
 honeypot_basic/machinetag.json | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/honeypot_basic/machinetag.json b/honeypot_basic/machinetag.json
index fe2253d..120576b 100644
--- a/honeypot_basic/machinetag.json
+++ b/honeypot_basic/machinetag.json
@@ -24,9 +24,9 @@
 "description": "Describes whether the honeypot system appears to be confined to one system or multiple systems."
 },
 {
- "value": "interaction-level",
- "expanded": "Interaction Level",
- "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+ "value": "communication-interface",
+ "expanded": "Communication Interface",
+ "description": "Describes the interfaces one can use to interact directly with the honeypot."
 },
 {
 "value": "interaction-level",
@@ -114,6 +114,26 @@
 "description": "The honeypot is or appears to be one system."
 }
 ]
+ },
+ {
+ "predicate": "communication-interface",
+ "entry": [
+ {
+ "value": "network-interface",
+ "expanded": "Network Interface",
+ "description": "The honeypot can be directly communicated with via a network interface."
+ },
+ {
+ "value": "hardware-interface",
+ "expanded": "Non-Network Hardware Interface",
+ "description": "Examples: Printer port, CDROM drives, USB connections."
+ },
+ {
+ "value": "software-api",
+ "expanded": "Software API",
+ "description": "The honeypot can be interacted with via a software API."
+ }
+ ]
 }
 ]
 }
From 6b4d2482311b5816818940de97a043655107f526 Mon Sep 17 00:00:00 2001
From: Michael Hamm
Date: Wed, 3 Jan 2018 11:14:36 +0100
Subject: [PATCH 6/7] Role in Multi-tier Architecture added
---
 honeypot_basic/machinetag.json | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/honeypot_basic/machinetag.json b/honeypot_basic/machinetag.json
index 120576b..1a02d93 100644
--- a/honeypot_basic/machinetag.json
+++ b/honeypot_basic/machinetag.json
@@ -29,9 +29,9 @@
 "description": "Describes the interfaces one can use to interact directly with the honeypot."
 },
 {
- "value": "interaction-level",
- "expanded": "Interaction Level",
- "description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
+ "value": "role",
+ "expanded": "Role in Multi-tier Architecture",
+ "description": "Describes in what role the honeypot acts within a multi-tier architecture."
 }
 ],
 "values": [
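Review bot: The `hardware-interface` entry in the second hunk of PATCH 5/7 has a tag value broader than its expanded name `Non-Network Hardware Interface`, and its description lists only examples instead of giving a definition like its two siblings. A network card is also hardware, so someone choosing a tag from the value alone can pick the wrong one. Either rename the value to `non-network-hardware-interface` or open the description with a definition, for example `"description": "The honeypot can be directly communicated with via a hardware interface other than a network interface, e.g. printer port, CDROM drive, USB connection."`.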
@@ -134,6 +134,21 @@
 "description": "The honeypot can be interacted with via a software API."
 }
 ]
+ },
+ {
+ "predicate": "role",
+ "entry": [
+ {
+ "value": "server",
+ "expanded": "Server",
+ "description": "The honeypot is passively awaiting requests from clients."
+ },
+ {
+ "value": "client",
+ "expanded": "Client",
+ "description": "The honeypot is actively initiating requests to servers."
+ }
+ ]
 }
 ]
 }
From 7a358b6d8fec8376959dbd35573e0812466adfa6 Mon Sep 17 00:00:00 2001
From: Michael Hamm
Date: Wed, 3 Jan 2018 13:54:07 +0100
Subject: [PATCH 7/7] replace underscore with dash
---
 {honeypot_basic => honeypot-basic}/machinetag.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename {honeypot_basic => honeypot-basic}/machinetag.json (99%)
diff --git a/honeypot_basic/machinetag.json b/honeypot-basic/machinetag.json
similarity index 99%
rename from honeypot_basic/machinetag.json
rename to honeypot-basic/machinetag.json
index 1a02d93..45a8369 100644
--- a/honeypot_basic/machinetag.json
+++ b/honeypot-basic/machinetag.json
@@ -1,5 +1,5 @@
 {
- "namespace": "honeypot_basic",
+ "namespace": "honeypot-basic",
 "description": "Christian Seifert, Ian Welch, Peter Komisarczuk, ‘Taxonomy of Honeypots’, Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF WELLINGTON, School of Mathematical and Computing Sciences, June 2006, http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf",
 "version": 1,
 "predicates": [