Episode: 75
Title: HPR0075: Collapsar
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0075/hpr0075.mp3
Transcribed: 2025-10-07 11:01:56
---
Let's go and see what I got for today.
Hello and welcome to Hacker Public Radio.
This is the MeroVinji coming to you today to discuss a little more virtualization.
In previous episodes, I've discussed a few virtualization topics.
The most recent being Intel's VT chipset.
Now the VT chipset being their virtualization technology chipset, which ultimately allows
for better utilization of the CPU by the VMM, the virtual machine monitor.
Today we'll be taking a different look at virtualization with some research that came from Purdue University.
The title of the paper, particularly that I'm looking at, is "Collapsar: A VM-Based Architecture for Network Attack Detention Center".
Now this is an article that I will be including a link for in the show notes.
So feel free to go and pick up a copy of this from CiteSeer.
What they are looking at with this research in particular is creating a center, a system of computers,
in this case VM-based computers, that sits off-site from your production network and will receive the bad packets
that were to have been sent to your production network and instead trap them within the center for analysis and for understanding of the nature of the bad packets.
Now this is done by three main functional components, which are the redirector, the front end, and the virtual honeypots.
Now the redirector is a machine that sits on your production network, and its job is to recognize bad packets as they enter your network.
Once the redirector becomes aware of the bad packet, it will then trap the packet and encapsulate it into a new packet which the redirector will send on to the front end of the Collapsar center.
Now once the front end receives this packet from the redirector, it will then look at the packet to understand what production network it came from, because it is possible that the Collapsar center is receiving traffic from multiple production networks.
So it will look at the packet to see what production network it came from, decapsulate the packet, and then will dispatch the packet to the intended virtual honeypots within the Collapsar center.
Now of course obviously I said the intended virtual honeypot. Now that bad packet was not intended for a honeypot, instead it was intended for a machine on your production network.
So what the Collapsar center will do with the, again the third functional component, the virtual honeypot is that the Collapsar center will generate a virtual honeypot that appears to be the original target machine.
Now there is of course a little bit of an issue that can develop, because it is possible that the virtual honeypot has a completely different operating system running on it than the original or the intended target.
But the scalable nature of the Collapsar center would allow or could potentially allow for the virtualized honeypots to be any type of system, whether that be any, you know, some version of Linux, some versions of Windows and other operating systems.
So the potential is there that the Collapsar center could generate a honeypot that does mimic exactly the original target of the attack.
Now within the Collapsar center itself, you know, there are other types of assurance modules, as they call them, which are basically like a logging module to keep logs of everything, of all incoming packets and all packets that attempt to go out, because you could have the ability to block outgoing packets as well, as well as maybe a targeting module,
an opening module, a correlation module, as well as, you know, other statistical modules and things like that.
In addition to the conceptual model for the Collapsar center presented in the paper, they actually have a case study involving three incidents, three separate incidents of compromises that occurred within the virtualized honeypot, virtualized honeypots within the Collapsar center.
The first virtualized honeypot was a Linux VMware honeypot that had a version of Apache server running on top of Red Hat 2.8, and ultimately the Apache service was compromised and researchers were able to examine that and understand how exactly that they did so.
The second attack was a Linux UML honeypot that involved a Samba server running on top of Red Hat 7.2 that became compromised.
The third virtualized honeypot in this case study was a Windows XP VMware honeypot, and this incident involved the RPC DCOM vulnerability, which ultimately led to this machine getting compromised with the MSBlast worm and the Nachi worm.
Now these were three separate events that researchers were able to isolate and to look at and understand how each of these events occurred, but part of Collapsar includes the correlation module that allows each event to be correlated with the Collapsar logs and the network traffic
that was entering Collapsar from the different redirectors. So they were able to not only look at the computer itself and the inbound and outbound connections for that computer, as well as all the files and everything that were compromised, but were able to even step away from the computer almost to the next hop, in this case being the front end for the Collapsar center, and to look at all of the packets as they were coming in.
They were able to analyze them at that point and were ultimately able to pull a lot of information from these three separate attacks.
Now all this research that is very interesting came out of Purdue, this article that I'm particularly looking at came out in 2004, so I'm sure that with any continued research that the Collapsar center at this point has only gotten better and stronger, and so I would definitely encourage people to, again, download this article, look at it.
If you're interested, maybe pursue any other research that Purdue University has released with regards to this.
Again, I would like to thank you for listening to Hacker Public Radio. If you have any questions for me particularly, you can usually find me in the Infonomicon IRC chat room, which can be found on the Freenode server, or you can email me directly at MiroVinji at gmail.com. Thanks again and have a wonderful day.
Thank you for listening to Hacker Public Radio. HPR is sponsored by caro.net, so head on over to caro.net for all of us in need.
Thanks for listening to Hacker Public Radio.
Thank you very much.
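The packet path the episode walks through (redirector traps and encapsulates a bad packet tagged with its production network, the front end decapsulates it and dispatches it to a virtual honeypot mimicking the original target, with a logging and a correlation module alongside) as a small Python model. This is an added example, not code from the Collapsar paper or Purdue; the JSON capsule format, the port-based "bad packet" rule, the OS profile table and all addresses are constructed assumptions.

```python
import json
from dataclasses import dataclass, asdict

@dataclass
class Packet:
    """A trapped packet; fields and sample values are constructed for this example."""
    src: str
    dst: str
    dport: int
    payload: str

def encapsulate(network_id: str, pkt: Packet) -> bytes:
    """Redirector side: wrap the bad packet and tag which production network it came from."""
    return json.dumps({"network_id": network_id, "inner": asdict(pkt)}).encode()

def decapsulate(capsule: bytes):
    """Front-end side: recover the origin network and the original packet."""
    outer = json.loads(capsule)
    return outer["network_id"], Packet(**outer["inner"])

class Redirector:
    """Sits on one production network; traps packets matching an assumed badness rule."""
    def __init__(self, network_id: str, suspicious_ports):
        self.network_id = network_id
        self.suspicious_ports = set(suspicious_ports)

    def handle(self, pkt: Packet):
        """Return a capsule for the front end if the packet looks bad, else None (deliver normally)."""
        return encapsulate(self.network_id, pkt) if pkt.dport in self.suspicious_ports else None

class FrontEnd:
    """Decapsulates, generates a honeypot mimicking the original target, logs for correlation."""
    def __init__(self, target_profiles: dict):
        self.profiles = target_profiles      # (network_id, target host) -> OS profile to mimic
        self.honeypots = {}                  # (network_id, target host) -> honeypot name
        self.log = []                        # logging module: one record per delivered packet

    def dispatch(self, capsule: bytes) -> str:
        network_id, pkt = decapsulate(capsule)
        key = (network_id, pkt.dst)
        if key not in self.honeypots:        # generate a honeypot that looks like the target
            self.honeypots[key] = f"vhp-{len(self.honeypots) + 1}:{self.profiles.get(key, 'generic')}"
        self.log.append({"network": network_id, "honeypot": self.honeypots[key], **asdict(pkt)})
        return self.honeypots[key]

    def correlate(self, src: str) -> list:
        """Correlation module: every (network, honeypot) a source reached, across all redirectors."""
        return sorted({(e["network"], e["honeypot"]) for e in self.log if e["src"] == src})
```

The same source hitting two production networks shows up in `correlate` as one actor across both honeypots, which is the cross-redirector view the episode describes the correlation module giving.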