From: Tace
Date: Thu, 22 Dec 2005 08:19:10 +0800
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Argos: qemu-based honeypot
Message-ID: <92c265230512211619v30aecaa3g2e0d8d9dfc45aad4@mail.gmail.com>
In-Reply-To: <43A86DF6.4080005@cs.vu.nl>

Hi Herbert,

I haven't tried it yet, but it seems very interesting! Btw, would it be
similar to the Minos (http://minos.cs.ucdavis.edu/) system, implemented
using Bochs?

On 12/21/05, Herbert Bos wrote:
> All,
>
> I am happy to announce the first release of Argos: a full system
> emulator (based on Qemu) that detects attempts to compromise the system.
> It is meant to be used in a honeypot and offers full-system protection,
> i.e., it protects the kernel and all applications running on top.
>
> Argos is hosted at: http://www.few.vu.nl/~porto/argos
>
> Note: while there is a full installation guide and info on how to run
> Argos, there is currently little additional documentation. We will add
> this as soon as possible. People interested in details should contact us
> for a technical report (the paper is currently under submission, so we
> cannot stick it on the website yet).
>
> Cheers,
> HJB
>
> Here is the blurb from the website.
>
> Argos is a /full/ and /secure/ system emulator designed for use in
> honeypots. It is based on QEMU, an open source processor emulator that
> uses dynamic translation to achieve a fairly good emulation speed.
>
> We have extended QEMU to enable it to detect remote attempts to
> compromise the emulated guest operating system. Using dynamic taint
> analysis, Argos tracks network data throughout the processor's execution
> and detects any attempt to use them in a malicious way. When an attack
> is detected, the memory footprint of the attack is logged and the
> emulator exits.
>
> Argos is the first step in creating a framework that will use /next
> generation honeypots/ to automatically identify and produce remedies for
> zero-day worms and other similar attacks. /Next generation honeypots/
> should not require that the honeypot's IP address remain unadvertised.
> On the contrary, they should attempt to publicise their services and even
> actively generate traffic. In former honeypots this was often
> impossible, because malevolent and benevolent traffic could not be
> distinguished. Since Argos is explicitly signaling each possibly
> successful exploit attempt, we are now able to differentiate between
> malicious attacks and innocuous traffic.
>
> -------
>
> Dr. Herbert Bos
> Vrije Universiteit Amsterdam
> www.cs.vu.nl/~herbertb
>
> _______________________________________________
> Qemu-devel mailing list
> Qemu-devel@nongnu.org
> http://lists.nongnu.org/mailman/listinfo/qemu-devel
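The detection idea in the quoted announcement (mark bytes that arrive from the network as tainted, let the taint follow the data through loads, stores, copies and arithmetic, and raise an alarm the moment a tainted value is about to be used as a control-flow target) as an added example: a toy register-and-memory machine in Python written for this page, not Argos or QEMU code. The instruction set, the 64-byte memory, the register names, the "vulnerable service" and the two sample packets are all constructed for illustration. Argos itself does this for a real guest at the instruction level inside QEMU; the toy only shows the bookkeeping that makes the check possible.

```python
# Toy dynamic-taint-tracking machine modelled loosely on the Argos idea
# (constructed example, not Argos or QEMU code).
# Memory is a flat bytearray with one shadow taint bit per byte; registers
# carry a taint bit too. Bytes that arrive "from the network" are tainted,
# copies and arithmetic propagate taint, and using a tainted value as a
# control-flow target is reported as an attack together with the tainted
# memory footprint, which is what a honeypot would log before exiting.

MEM_SIZE = 64
NET_BUF = 0            # where incoming packet bytes are placed (assumed layout)
STACK_BUF = 32         # 8-byte "stack buffer" of the vulnerable service
RET_SLOT = 40          # saved return address sits right above that buffer
RET_ADDR = 0x10        # legitimate return target: a constant, never tainted


class TaintAlert(Exception):
    """Raised when tainted data would be used as a control-flow target."""

    def __init__(self, target, footprint):
        super().__init__(f"tainted jump target 0x{target:x}")
        self.target = target
        self.footprint = footprint  # (address, byte) pairs that are tainted


class Machine:
    def __init__(self):
        self.mem = bytearray(MEM_SIZE)
        self.taint = [False] * MEM_SIZE          # shadow bit per memory byte
        self.regs = {"r0": 0, "r1": 0}
        self.rtaint = {"r0": False, "r1": False}  # shadow bit per register
        self.pc = 0

    # --- input: the only source of taint ----------------------------------
    def recv(self, addr, data):
        """Network receive: every byte written is marked tainted."""
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.taint[addr + i] = True

    # --- data movement: taint follows the data -----------------------------
    def load32(self, reg, addr):
        """Load a little-endian 32-bit word; reg is tainted if any byte is."""
        self.regs[reg] = int.from_bytes(self.mem[addr:addr + 4], "little")
        self.rtaint[reg] = any(self.taint[addr:addr + 4])

    def store32(self, addr, value, tainted=False):
        self.mem[addr:addr + 4] = value.to_bytes(4, "little")
        for i in range(4):
            self.taint[addr + i] = tainted

    def memcpy(self, dst, src, n):
        """Byte copy with no bounds check, like a careless memcpy in the guest."""
        for i in range(n):
            self.mem[dst + i] = self.mem[src + i]
            self.taint[dst + i] = self.taint[src + i]

    def add(self, dst, src):
        """Arithmetic: the result is tainted if either operand was."""
        self.regs[dst] = (self.regs[dst] + self.regs[src]) & 0xFFFFFFFF
        self.rtaint[dst] = self.rtaint[dst] or self.rtaint[src]

    # --- the check ----------------------------------------------------------
    def jump(self, reg):
        """Indirect control transfer: refuse to follow a tainted target."""
        if self.rtaint[reg]:
            raise TaintAlert(self.regs[reg], self.footprint())
        self.pc = self.regs[reg]

    def footprint(self):
        """Addresses and bytes currently tainted: the record to log."""
        return [(a, self.mem[a]) for a in range(MEM_SIZE) if self.taint[a]]


def handle_packet(packet):
    """A vulnerable 'service' (constructed): copies the whole packet into an
    8-byte stack buffer, then 'returns' through the saved return address."""
    m = Machine()
    m.store32(RET_SLOT, RET_ADDR)              # saved return address (constant)
    m.recv(NET_BUF, packet)                    # packet lands in memory, tainted
    m.memcpy(STACK_BUF, NET_BUF, len(packet))  # overflows if len(packet) > 8
    m.load32("r0", RET_SLOT)                   # epilogue: pop return address
    m.jump("r0")                               # ret: alert if the target is tainted
    return m.pc


def detect(packet):
    """Run a packet through the service and report the outcome as a tuple:
    ("ok", new_pc) for benign input, ("attack", target, footprint) otherwise."""
    try:
        return ("ok", handle_packet(packet))
    except TaintAlert as e:
        return ("attack", e.target, e.footprint)


# Constructed sample traffic: a benign 8-byte request, and a 12-byte one
# whose last four bytes overwrite the saved return address with 0x41414141.
BENIGN = bytes(range(8))
ATTACK = bytes(range(8)) + b"AAAA"

if __name__ == "__main__":
    print("benign  ->", detect(BENIGN))
    kind, target, fp = detect(ATTACK)
    print("attack  ->", kind, hex(target))
    print("tainted footprint:", fp)
```

The benign request never reaches the return-address slot, so the loaded target is untainted and control simply transfers to the constant RET_ADDR. The longer packet overflows into the slot; the word popped from it carries taint, and the jump is refused before it executes. The footprint lists every tainted byte with its address, which is the kind of record an operator would use to reconstruct the exploit payload after the emulator stops.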