The National Plateforme for Tracking Cyber Attacks :

« SAHER »By Hafidh EL Faleh

Hafidh.faleh@gmail.com NACS - 2012

Perimeter of the project

The NACS is member of :

• Make a dashbord ( Alert Level) of National Cyberspace.

• Take a platforme support for incident handling, investigation and legal forensics.

• Devellopement of solutions for traking cyber attacks with DIDS, Honeypots and deploying many sensors.

• Monotoring criticals infrastrcture and detect anomalies into her systems.

SAHER Objectifs

• Supervise Web sites to detects defacements attacks.

• Maintain a system for malware detection (virus, botnets, torjans) , and use cordination to cleanup the National Cyberspace.

• Build an information database for types of attack, leaks of vulnerability and blackliste.

SAHER Objectifs

Couche WORKFLOW

Couche analyse et corrélation

Couche de collecte et de détection

SAHER est une plateforme à trois couches

5

CEWS Architecture

7

• SAHER-WEB: ce sont des routines qui ont pour bute de vérifier l’intégrité des sites Web.

• SAHER-SRV: ce sont des routines qui ont pour bute de vérifier la disponibilité des serveurs Web, MAIL et DNS

• Les IDS: des Snorts qui sont généralement installés dans les espaces d’hébergement WEB.

• Les honeynets: plusieurs solutions de déférentes types sont disponibles dans le monde du logiciels libres.

Détection

We need to exchange security events and collaboration to handle incidents:

Incidents: Phishing Web defacement Scan Intrusion Spam / Scam DoS / DDoS

Malware: Worm spread Botnet / C&C HoneyNet detection

Vulnerabilities Exploit Zero days Product vulnerability

Collecte

ISAC: Information Sharing and Analysis Center

A CSIRT is a team that responds to computer security incidents by providing all necessary services to solve the problem(s) or to support the resolution of them

Workflow interne

Autres CERT tunCERT

mail mail

TEL SMTP Server

USER USER USER

S1

S2

S3

CentralDB

Sensors

IDSDB

Workflow: Plateforme de coordination

TELIncident pentest

Watch Veille

SNORT

Tel, mail

ISP

Saher-Web: Detection

Saher-IDS: Statistiques

Saher-Honeynet: Architecture et Outils

2500 Public IP

Saher-HoneynetAnnually evolution of attacks

Saher-Honeynet Website: Online statisticswww.honeynet.tn

Saher-Honeynet Website: « Dashboard »www.honeynet.tn/dashboard

Ideas For Projects

IP Reputation Dadabase Designing and specifying a tool to interface with a lot of

honeypot tools (dionaea, glastopf, kippo ..) and provide an update database to cheeck a reputation of any IP address related with her historic logs.

Provide an web access (web services) to this tool , automatic getting Ip source and providing information related her reputation historic and sending necessary instructions for cleanning process.

Ideas For GSoc 2012

Black-List Generator Create an updated list for malicious domains and

hosts from malwares offred. Select Profile of equipments to generate ACL

(Firewall, IDS/IPS, Proxy ..) . Designing and specifying techniques for black-list

tool. Online sharing of black-list.

ISP 1

IDS

ISP 2

IDSISP 3

IDS

Extract List ofMalicious Domains

Update D-IDS Rules

Watch for logs

1

2

3 Save passive DNS Detection

THANKShttp://www.honeynet.tn

honeynet@ansi.tnHafidh.faleh@gmail.com

http://twitter.com/SaherHoneyNet

http://www.linkedin.com/groups/The-Honeynet-Project-Tunisia-chapter