A couple of us wanted to set up a honeypot/honeynet with the goal of learning; it is not planned to be in a production environment. What's a good recommendation for a high-interaction or low-interaction honeypot? Also, we'd like to eventually report the findings in some kind of businessy-style report, so something that compiles the information would be good too.

I've looked into the following but if you like these please let me know why:

  • honeyd - great overall but a low interaction honeypot
  • mwcollect/nepenthes - most well supported but too low of interaction
  • cuckoo - sounds interesting but difficult setup and outdated documentation

EDIT: Which honeypots have given you the best results for malware analysis? Low-interaction honeypots will not go much further than pretending to have a port open, but I'd like to track an attack, allow the payload infection, contain it from anywhere else, generate a report based on that, and then, after the attack, start over again with a clean environment.

Does anyone do honeypots anymore? :)

David Stubley
Lizbeth
  • almost duplicate? http://security.stackexchange.com/questions/3978/honeypot-on-home-network-to-help-me-learn – john May 28 '11 at 00:47
  • True. I'm looking for a little more advanced info. – Lizbeth May 28 '11 at 20:48
  • Not sure a honeypot that isn't in a production environment will teach you anything - you need attackers to connect to it in order to learn. Unless you are trying to do something different? – Rory Alsop May 31 '11 at 21:42
  • what sort of advanced info - add it in to your question, as folks may not read comments. – Rory Alsop May 31 '11 at 21:43

3 Answers

I don't have the exact specs to hand, however we used to run a very successful wireless honeynet based on freely available sources which we would take to sensitive environments to see whether there were active attackers in the environment, and what they would do.

Core to our setup was a laptop running a honeynet-based environment, with simulated traffic between multiple virtual hosts running in VMs to look like finance servers, databases, users, etc. Without that emulation of real-world traffic, an experienced attacker will realise very quickly that they are within a honeynet.

On another laptop, connected by a uni-directional ethernet cable to prevent its visibility to the attacker, was our logging platform. Again, if an attacker spots a logger which is not appropriate for the supposed environment, they will be suspicious.

This honeynet was quite configurable, and although it did take a fair amount of work to set up initially (one of my team created most of it) he said it was pretty straightforward.

Rory Alsop

I'm surprised nobody has recommended HoneyBOT.

It's enough for me, running it in my DMZ at home on a broken netbook I paid $20 for, which needed a drive and a screen. Now it's just a headless machine for less than $50 used as a research box. The low power is also cheap to run 24/7/365, and if

I always wondered, with no network activity on my home network, why all of the lights on my router and cable modem are always lit up like a Christmas tree all the time: @#@$ port scans at 2AM and such.

Brad

For a lightweight honeypot, you can always look at:

Dionaea honeypot: http://dionaea.carnivore.it [emulates vulnerable Windows services, mainly SMB, and recently supports VoIP]

Kippo honeypot: http://code.google.com/p/kippo/ [for SSH (Secure Shell) emulation]

Both are enough for me. Installation is easier than the full-blown in-the-box installation setup.

talfiq
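Since the question also asks for something that compiles honeypot findings into a report, here is an added example (not code from the thread, Kippo, or Dionaea) that aggregates Kippo-style SSH login-attempt log lines into a per-source summary and a plain-text report. The log line format and the sample lines are constructed assumptions; the source IPs are documentation-range placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Kippo's kippo.log (the format is an
# assumption, not taken from the page); IPs are documentation-range placeholders.
SAMPLE_LOG = """\
2011-05-28 00:47:12+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/123456] failed
2011-05-28 00:47:15+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/password] failed
2011-05-28 00:47:19+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/toor] succeeded
2011-05-28 02:03:40+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [admin/admin] failed
2011-05-28 02:03:44+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [admin/123456] failed
2011-05-28 02:05:01+0000 [HoneyPotTransport,0,192.0.2.10] connection lost
"""

# Only login-attempt lines are parsed; everything else (connection lost, etc.) is skipped.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

def parse_login_attempts(text):
    return [m.groupdict() for m in map(LOGIN_RE.match, text.splitlines()) if m]

def summarize(text, top_n=3):
    """Per-source counts plus the credentials tried most often across all sources."""
    attempts = parse_login_attempts(text)
    per_ip = {}
    for a in attempts:
        e = per_ip.setdefault(a["ip"], {"attempts": 0, "successes": 0, "first_seen": a["ts"], "last_seen": a["ts"]})
        e["attempts"] += 1
        e["successes"] += a["result"] == "succeeded"
        e["last_seen"] = a["ts"]  # log lines are assumed to be in time order
    return {
        "total_attempts": len(attempts),
        "sources": per_ip,
        "top_usernames": Counter(a["user"] for a in attempts).most_common(top_n),
        "top_passwords": Counter(a["pw"] for a in attempts).most_common(top_n),
        # A success means the emulated host was "owned": snapshot it and reset, as the question wants.
        "compromised_sources": sorted(ip for ip, e in per_ip.items() if e["successes"]),
    }

def render_report(summary):
    """Plain-text summary in the shape a write-up would quote."""
    out = [f"Login attempts observed: {summary['total_attempts']}"]
    for ip, e in sorted(summary["sources"].items()):
        out.append(f"  {ip}: {e['attempts']} attempts, {e['successes']} successful, {e['first_seen']} .. {e['last_seen']}")
    out.append("Top usernames: " + ", ".join(f"{u} ({n})" for u, n in summary["top_usernames"]))
    out.append("Top passwords: " + ", ".join(f"{p} ({n})" for p, n in summary["top_passwords"]))
    out.append("Sources with a successful login (reset the honeypot): " + (", ".join(summary["compromised_sources"]) or "none"))
    return "\n".join(out)
```

Call `render_report(summarize(open("kippo.log").read()))` against a real log file to produce the summary; the regex will need adjusting if the installed version logs in a different format.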