Binary
A binary is a piece of downloaded malware. The names of these files are the MD5 hashes of the files themselves. Also see Malware.
Exploit
An exploit is a vulnerability in a program or system. These exploits are used by viruses and hackers to try to gain access to systems. Nepenthes simulates several well-known exploits.
Malicious attack
A malicious attack is a TCP connection that has been classified as malicious by the honeypot. In this case we can say for certain that the connection (or attack) was malicious. Malicious traffic is, for example, traffic caused by viruses, hackers and bots.
Malware
Malware is the collective term for malicious files or viruses.
Malware downloaded
A piece of malware that was offered after an exploit was used has been downloaded successfully.
Malware offered
After an exploit is used a piece of malware is usually offered. This is usually a file to enable the virus (or hacker) to gain access to the system more easily.
Nepenthes
Nepenthes is one of the honeypots we use. For more information check out the website.
Norman sandbox
The Norman sandbox is a program that analyzes what a file does when it's run: which registry changes are made, which connections are made, which files are created, etc.
Organisation admin - Ranges
The network ranges of an organisation can be set in the organisation admin page. These ranges are the IP ranges in CIDR notation, separated by a ";". These network ranges are used in the check page and the mail reports for checking attacks sourced from the organisation's own network ranges.
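To show how the ranges field is consumed, here is an added example (not code from the honeypot project itself) that parses the ";"-separated CIDR list and splits a set of attack records into those sourced from the organisation's own ranges and those from outside. The attack records and range string are constructed sample data; the function names are my own and not the project's.

```python
import ipaddress


def parse_ranges(ranges_field):
    """Parse the organisation ranges field: CIDR blocks separated by ';'.

    Whitespace around entries and empty entries (e.g. a trailing ';') are
    tolerated. A malformed entry raises ValueError so that a typo in the
    admin page is not silently ignored, which would hide own-range attacks.
    """
    nets = []
    for item in ranges_field.split(";"):
        item = item.strip()
        if not item:
            continue
        # strict=False accepts an entry with host bits set (e.g. 192.0.2.10/24)
        # and normalises it to the containing network.
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_own_range(source_ip, nets):
    """True when the attack source address falls inside any configured range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in nets)


def classify_attacks(ranges_field, attacks):
    """Split (source_ip, sensor) records into (internal, external) lists.

    Internal records would be the ones a mail report flags as coming from the
    organisation's own network ranges.
    """
    nets = parse_ranges(ranges_field)
    internal, external = [], []
    for source_ip, sensor in attacks:
        bucket = internal if is_own_range(source_ip, nets) else external
        bucket.append((source_ip, sensor))
    return internal, external


# Constructed sample data (documentation prefixes, not real traffic).
SAMPLE_RANGES = "192.0.2.0/24; 198.51.100.0/25;"
SAMPLE_ATTACKS = [
    ("192.0.2.45", "sensor12"),      # inside 192.0.2.0/24
    ("203.0.113.7", "sensor12"),     # outside all ranges
    ("198.51.100.200", "sensor07"),  # outside: /25 only covers .0-.127
]

if __name__ == "__main__":
    own, other = classify_attacks(SAMPLE_RANGES, SAMPLE_ATTACKS)
    print("from own ranges:", own)
    print("from elsewhere:", other)
```

The trailing ";" and the /25 boundary are deliberate: both are easy to get wrong when the field is edited by hand, and the second one is why a report should test membership with a proper CIDR library rather than prefix string matching.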
Organisation admin - Organisation identifier
An organisation identifier is a string that identifies a sensor as belonging to a certain organisation. Each organisation should have at least 1 identifier, but can have more. These identifiers come in 4 types:
Organisation admin - Random Identifier String (aka RIS)
A Random Identifier String is a unique string that identifies an organisation. To make sure that a certain sensor will always be assigned to the correct organisation you can use this string. Copy and paste the string in a file called “identifier.ris” and put it on the USB stick in the /usbstick/scripts/ directory. This will make sure that the sensor is assigned to the correct organisation when the sensor is first started.
Note: This only works when the sensor hasn’t been started yet.
Possible malicious attack
A possible malicious attack is a connection of which we don't know for certain whether it was malicious. It could be anything from random network traffic and port scans to unknown viruses, 0-day exploits or hackers.
Sensor
The sensor is a USB stick with a remastered Knoppix distribution on it. The sensor is used on a machine that can boot from USB. On boot the sensor will request certificates and will get a unique name (sensor##), from which point the sensor is visible via the web interface. The sensor itself is only used to create a tunnel between the host machine and the tunnel server.
Sensor status - Action
This is the action that will be taken when the sensor does its next update. The action can be one of the following values:
Reboot - Reboots the sensor machine.
SSH on/off - Turns on/off the SSH daemon on the sensor.
Stop - Runs the stopclient script on the sensor which will stop the sensor.
Start - Runs the startclient script on the sensor which will start the sensor.
Enable - Enables a disabled sensor.
Disable - Disables a sensor. A disabled sensor cannot be started.
Sensor status - Local address
The local address is the IP address of the sensor itself. In most cases this is the same as the remote IP address. The exception to this rule is NAT'ed networks: in that case the local address is the NAT-side address of the sensor and the remote IP is your network gateway address.
Sensor status - Remote address (aka Remote IP)
The remote address or remote IP is the IP address that's the end point of the tunnel on the sensor side. This is usually the IP address of the sensor itself or the IP address of your local network gateway.
Sensor status - Status
This is the current status of the sensor.
Green: Online
Yellow: Either starting up or unable to connect to the server
Orange: Missed 1 or more updates
Black: Sensor disabled by admin
Red: Offline
Sensor status - Tap Device
This is the virtual interface that is created on the tunnel server and is in fact the end point of the tunnel. This device is created by OpenVPN and receives an IP address out of the range of the client network.
Sensor status - Tap Device IP
This is the IP address of the virtual interface on the server side. This is an IP address from the client network.
Sensor status - Tap Device Mac
This is the MAC address of the tap device (server side). This MAC address gets stored in the database for compatibility with networks that use MAC address white-listing for DHCP.
Sensor status - Timestamps
There are 3 timestamps we keep track of:
Start - The timestamp of the last time startclient was run on the sensor.
Stop - The timestamp of the last time stopclient was run on the sensor.
Update - The timestamp of the last time the sensor checked for updates.
Severity
The severity is a classification of the connection. A connection can be classified into one of 4 different types: