Changes between Version 1 and Version 2 of AboutCapture

Timestamp: 01/16/08 16:17:21
Author: cseifert
Capture is a high interaction client honeypot developed at Victoria University of Wellington by Ramon Steenson and Christian Seifert. Only a few high interaction client honeypots are available today, and Capture differs from the existing ones in several ways. First, it is designed to be fast: state changes are detected with an event-based model, so the client can react to them as they occur. Second, Capture is designed to be scalable: a central Capture server is able to control numerous clients across a network. Third, Capture is intended to be a framework that can drive different client applications. The current version of Capture supports various HTTP-aware clients, such as Firefox, Opera, Internet Explorer, Adobe Acrobat Reader, MS Office applications, Open Office applications and various media players.

'''Functionality'''

In this section, we describe the existing functionality of Capture at a high level. We then provide a glimpse into the future and describe our plans to extend Capture.
     
The Capture clients perform the actual work. They accept commands from the server to start and stop themselves and to visit a web server. As a Capture client interacts with a web server, it monitors its own state for changes to the file system, the registry and the set of running processes. Since some events occur during normal operation (e.g. writing files to the web browser cache), exclusion lists allow certain types of events to be ignored. If changes are detected that are not covered by the exclusion list, the client classifies the web server as malicious and sends this information to the Capture server. Since the state of the Capture client has been changed, the Capture client resets its state to a clean state before it retrieves new instructions from the Capture server. If no state changes are detected, the Capture client retrieves new instructions from the Capture server without resetting its state.
When a malicious server is encountered, Capture can automatically collect network dumps and the downloaded files (i.e. malware).

'''Technical Description'''

The Capture server is a simple TCP/IP server that manages several Capture clients and the VMware servers that host the guest operating systems in which the Capture clients run. The Capture server takes each URL it receives and distributes the URLs to the available clients in a round-robin fashion. The server listens on a specified TCP port for clients that connect to it upon startup. The Capture server is written in Java and controls the VMware servers through the VMware C API, which it wraps using JNI. The communication protocol between the Capture server and the Capture client is XML based and is described in this document: ["Capture Communication Protocol.pdf"].
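The round-robin distribution described above, as an added example that is not the Capture server's own code (the server is written in Java; this sketch is C++ so that it shares a language with the client-side example on this page). The `Dispatcher` class, the client names, the re-queueing of a URL when its client disconnects mid-visit, and the `<visit>` element built by `visitMessage` are assumptions for illustration; the real message layout is the one in the linked protocol document.

```cpp
// Added example (not the Capture server's own code): round-robin URL
// distribution over connected clients, with re-queueing of a URL whose
// client disconnects mid-visit. Names and message layout are assumptions.
#include <deque>
#include <map>
#include <string>
#include <utility>
#include <vector>

struct Client {
    std::string name;  // assumed identifier of a connected Capture client
    bool busy;         // currently visiting a URL
};

class Dispatcher {
public:
    void addClient(const std::string& name) { clients_.push_back({name, false}); }

    // A client dropped its TCP connection: if it was visiting a URL, put that
    // URL back at the front of the queue so it is not silently lost.
    void removeClient(const std::string& name) {
        for (auto it = clients_.begin(); it != clients_.end(); ++it) {
            if (it->name != name) continue;
            auto pending = inflight_.find(name);
            if (pending != inflight_.end()) {
                queue_.push_front(pending->second);
                inflight_.erase(pending);
            }
            clients_.erase(it);
            if (next_ >= clients_.size()) next_ = 0;
            return;
        }
    }

    void submit(const std::string& url) { queue_.push_back(url); }

    // Hand queued URLs to idle clients, cycling through the client list in
    // round-robin order; at most one pass over the list per call.
    std::vector<std::pair<std::string, std::string>> dispatch() {
        std::vector<std::pair<std::string, std::string>> assigned;
        if (clients_.empty()) return assigned;
        for (size_t tried = 0; tried < clients_.size() && !queue_.empty(); ++tried) {
            Client& c = clients_[next_];
            next_ = (next_ + 1) % clients_.size();
            if (c.busy) continue;
            c.busy = true;
            inflight_[c.name] = queue_.front();
            queue_.pop_front();
            assigned.push_back({c.name, inflight_[c.name]});
        }
        return assigned;
    }

    // The client reported its classification for the URL; it is idle again.
    void complete(const std::string& name) {
        inflight_.erase(name);
        for (auto& c : clients_)
            if (c.name == name) c.busy = false;
    }

    size_t queued() const { return queue_.size(); }
    size_t inflight() const { return inflight_.size(); }

private:
    std::vector<Client> clients_;
    std::deque<std::string> queue_;                // URLs waiting for a client
    std::map<std::string, std::string> inflight_;  // client name -> URL being visited
    size_t next_ = 0;                              // round-robin cursor
};

// Illustrative XML visit command (assumed element name; the real layout is in
// the linked protocol document). Escaping matters: a URL containing '"' or '&'
// would otherwise break the message or change what the client parses.
std::string xmlEscape(const std::string& s) {
    std::string out;
    for (char ch : s) {
        switch (ch) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default: out += ch;
        }
    }
    return out;
}

std::string visitMessage(const std::string& url) {
    return "<visit url=\"" + xmlEscape(url) + "\"/>";
}
```

The dispatcher never assigns a second URL to a busy client, and a URL is only considered finished once the client has reported back; a disconnect before that re-queues the URL rather than dropping it, which is the case that a naive round-robin loop usually gets wrong.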

The Capture client in turn consists of two components: a set of kernel drivers and a user space process. The kernel drivers operate in kernel space and use event-based detection mechanisms to monitor the system's state changes. The user space process accepts visitation requests from the Capture server, drives the client application to interact with the web server, and communicates the state changes back to the server over a simple TCP/IP connection. It receives the state changes from the kernel drivers and filters the events against the exclusion lists. Each component is written in unmanaged C code.

'''Kernel Drivers'''

The Capture client uses kernel drivers to monitor the system through the kernel's existing callback mechanism, which notifies registered drivers when a certain event happens. These callbacks invoke functions inside the kernel driver and pass along the actual event information, so that the event can either be modified or, in Capture's case, monitored. The following callback functions are registered by Capture:
     

As mentioned above, once the user space application has loaded the drivers, it creates a buffer and passes it from user space to the kernel drivers. The buffer is passed via the Win32 API and the I/O Manager. The kernel drivers copy the event data into the buffer so that the user level application can process the events. Each event is serialized and compared against the entries in the exclusion list. The exclusion lists are built from regular expressions, which means that a whole group of event exclusions can be expressed in one line. This functionality is provided by the Boost::regex library. For each monitor, an exclusion list is parsed and mapped internally from event types to the regular expressions that describe the events to be ignored. If a received event matches an entry in the list, the event is dropped; otherwise, it is written to the final report that Capture BAT generates.
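The client workflow from the Functionality section (classify the server as malicious on any unexcluded change, reset only when state actually changed) together with the regex-based exclusion filtering described just above, as one added example that is not Capture's own code. The exclusion-list line format (`<event type> <regex>`, one list per monitor), the `Event` fields, the `process|object` serialization, and the sample lists and events are constructed assumptions for illustration; std::regex stands in for the Boost::regex library the page mentions.

```cpp
// Added example, not Capture's own code. Models the user-space filtering and
// classification described on this page. Exclusion-list format, event fields,
// serialization and all sample data are assumptions; std::regex replaces Boost::regex.
#include <map>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

struct Event {
    std::string monitor;  // "file", "registry" or "process"
    std::string type;     // e.g. "Write", "SetValueKey", "Created"
    std::string process;  // image path of the process that caused the event
    std::string object;   // file path, registry key, or image of a new process
};

// Serialized form the exclusion regexes are matched against (assumed layout).
std::string serialize(const Event& e) { return e.process + "|" + e.object; }

// monitor -> event type -> regexes describing events to ignore
using ExclusionLists = std::map<std::string, std::map<std::string, std::vector<std::regex>>>;

// Parse one monitor's list. Assumed line format: "<event type> <regex>";
// lines starting with '#' are comments. The regex must match the whole
// "process|object" string, so one line can cover a group of events.
void parseExclusionList(ExclusionLists& lists, const std::string& monitor, const std::string& text) {
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.empty() || line[0] == '#') continue;
        auto sp = line.find(' ');
        if (sp == std::string::npos) continue;  // malformed: no regex part, ignore
        lists[monitor][line.substr(0, sp)].emplace_back(line.substr(sp + 1), std::regex::icase);
    }
}

bool isExcluded(const ExclusionLists& lists, const Event& e) {
    auto m = lists.find(e.monitor);
    if (m == lists.end()) return false;
    auto t = m->second.find(e.type);
    if (t == m->second.end()) return false;
    const std::string s = serialize(e);
    for (const auto& re : t->second)
        if (std::regex_match(s, re)) return true;  // full match, not substring
    return false;
}

struct Verdict {
    bool malicious;                   // any unexcluded state change -> malicious
    bool resetRequired;               // state was changed: revert before the next URL
    std::vector<std::string> report;  // events that survived the exclusion lists
};

Verdict classify(const ExclusionLists& lists, const std::vector<Event>& events) {
    Verdict v{false, false, {}};
    for (const auto& e : events)
        if (!isExcluded(lists, e)) v.report.push_back(e.monitor + ":" + e.type + ":" + serialize(e));
    v.malicious = !v.report.empty();
    v.resetRequired = v.malicious;  // no changes -> fetch next URL without reset
    return v;
}

// Constructed sample lists: browser cache writes and IE's own registry keys are benign.
ExclusionLists sampleLists() {
    ExclusionLists lists;
    parseExclusionList(lists, "file",
        "# browser cache writes are normal\n"
        R"(Write .*\\iexplore\.exe\|C:\\Documents and Settings\\.*\\Temporary Internet Files\\.*)" "\n");
    parseExclusionList(lists, "registry",
        R"(SetValueKey .*\\iexplore\.exe\|HKCU\\Software\\Microsoft\\Internet Explorer\\.*)" "\n");
    return lists;
}

// Constructed sample events (not captured from a real run): two benign ones,
// optionally followed by a dropped binary and a new process, i.e. a drive-by download.
std::vector<Event> sampleEvents(bool includeDrop) {
    std::vector<Event> ev = {
        {"file", "Write", R"(C:\Program Files\Internet Explorer\iexplore.exe)",
         R"(C:\Documents and Settings\user\Local Settings\Temporary Internet Files\index.dat)"},
        {"registry", "SetValueKey", R"(C:\Program Files\Internet Explorer\iexplore.exe)",
         R"(HKCU\Software\Microsoft\Internet Explorer\Main\Start Page)"},
    };
    if (includeDrop) {
        ev.push_back({"file", "Write", R"(C:\Program Files\Internet Explorer\iexplore.exe)",
                      R"(C:\WINDOWS\system32\svchost32.exe)"});
        ev.push_back({"process", "Created", R"(C:\Program Files\Internet Explorer\iexplore.exe)",
                      R"(C:\WINDOWS\system32\svchost32.exe)"});
    }
    return ev;
}
```

A full match is required (std::regex_match rather than regex_search), so an entry for the browser cache cannot accidentally exclude a write to another path that merely contains the same substring; the comparison is case-insensitive because Windows paths are. Anything the lists do not cover counts as a state change, so an overly broad regex silently turns malicious events into benign ones, which is the main thing to audit in an exclusion list.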

'''Future Plans'''

Our plans to extend Capture are as follows. Since we now have a base set of functionality with a solid set of monitors and client support available, the first and most pressing need is to improve the performance of Capture-HPC. Here, we are exploring a binary search visitation scheme. Second, we would like to provide the ability to integrate Capture with other tools. Here, we are planning to implement a full-fledged web service that allows URLs to be submitted to Capture and classifications to be obtained. We expect to release this functionality in version 2.5 at the end of the year.