You may also want to look at nepenthes http://nepenthes.mwcollect.org/download bit over my head but..
OK, So I finally got the thing going and decided it was best to create a thread dedicated to the status of my project and keep the other one going as a Q&A thread.
Right now I've just deployed a virtual honeynet using VMWARE Workstation consisting of one unpatched Windows 2000 Professional guest and one Honeywall guest.
As it is just launched, there's nothing to report yet but I will keep you posted about whatever I might find interesting, stay tuned
Also I'd appreciate all support & traffic to my blog, The Honeyproject
EDIT: Windows 2000 Pro unpatched was a hilarious little experiment which got infected by thousands of worms in a matter of minutes. That project was scrapped within hours and I moved on to a Windows 2003 x64 Enterprise and a Honeywall, still under VMWare.
yeah, I'll try to look into that, but I gotta take it one step at a time so it'll probably take a while
Let me know if you get into it; there is a site that tracks the bins but you have to be a member and I never could get anywhere with it .. basically if you could rev the code then you got the latest bleeding 0day malware and that's no good for skids
I also watched this a while back .. also search videos for malware and honeypots, you get some crazy ideas
Thanks for the idea though, operat0r, and I will check out those vids in a little while..
I actually ditched my entire honeynet yesterday. It turned out that monitoring an unpatched W2K machine was no fun as it got compromised by worms etc in about three minutes.
I actually tried to do a fresh W2K install and just go straight to Windows Update to get it patched & protected, and it still got compromised before the first patch had begun downloading.
Therefore I'm moving on to a little more complex set-up.
To give you the basics of my new honeynet, it will look something like this (keep in mind these are all VMWare machines):
First of all I got the honeywall to monitor and log, and if necessary - control the amount of data which is able to leave the honeypot.
The honeypot I'm about to implement now is a W2003 x64 enterprise, fully patched and updated.
Also, I'm considering putting one last box into the mix - this time I want a Linux box of some sort and I want it to be vulnerable to exploits etc but I don't want it to be open for worm traffic etc (which I suspect won't be as big of an issue with Linux as it was with w2k anyway).. But since I'm not sure what distro and which version to use here, I was hoping you guys had some suggestions for me?
Anyway, be sure to follow my blog The HoneyProject as this is where I will post most of the info regarding my honeynet, the data captured, screens etc..
I will naturally keep this thread moving as well, but it is easier to publish it all in one location so that is why I decided to start a blog in the first place.
Hey, I just happened across this: http://www.snort.org/dl/contrib/patc...it_and_switch/
thought you might be interested in it.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
wow, cool concept! thanks a lot for the heads-up streaker
if that project turns out to work it could definitely be a huge success!
thanks a lot to everyone tipping me about things like these and everyone who has helped me out with my project so far - without remote-exploit.org I wouldn't even know where to begin
Something that should be of interest to you is the talk Alex Muentz gave at The Last Hope, explaining some pertinent legal information for honeypot/net operators.
Do an internet search for "Botnet Research, Mitigation and the Law" for the video recording... you might be in for a surprise
dd if=/dev/swc666 of=/dev/wyze
Thanks for all the feedback I will definitely check out all of your tips once I get the time
Right now I'm kinda swamped (is that a term??) with getting myself used to working with Honeywall, understanding snort data and managing my honeypot
Below is an excerpt from a post I just made on my blog - the screenshot I'm referring to in the post below can be found on my site
OK, just to give you an impression of what a snort incident looks like when you review it from the Honeywall Walleye GUI.
What you see here is nothing special, just an automated SQL Worm attempt, logged by snort, which is implemented in Honeywall.
There are several sub features from this menu, you can download the flow in .pcap format to analyze in Wireshark or get more details from the snort data.
So far this is the only traffic I have seen as well, and it will probably remain like this for a little while.
I will keep updating regularly as I learn more about the usage of Honeywall, Snort and Walleye - Hopefully I will, in the end, be able to release a complete guide showing how to set up a virtual honeynet and analyze the data.
But that little project will probably take its time as I want to learn as much as possible on my own before I start writing any guides
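As an added example (not code from this thread, the Honeynet Project or Honeywall), here is a small Python script that parses Snort fast-format alert lines like the ones Walleye displays, counts attempts per source and signature, and flags any alert whose source sits inside the honeypot subnet: an outbound alert means the honeypot itself is now attacking, which is exactly the traffic Honeywall's data control is meant to contain. The honeypot subnet 192.0.2.0/24 and the alert lines are constructed sample data.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample alerts in Snort "fast" format (documentation IP ranges, not real captures).
SAMPLE_ALERTS = """\
08/14-12:03:11.120345  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1434 -> 192.0.2.10:1434
08/14-12:03:11.120901  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1434 -> 192.0.2.10:1434
08/14-12:07:45.000012  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.77:1434 -> 192.0.2.10:1434
08/14-12:09:02.554000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.9:1434
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional classification/priority, proto, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

HONEYNET = ip_network("192.0.2.0/24")  # assumed honeypot subnet; adjust to your own honeynet


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # An alert sourced from inside the honeynet is outbound: the honeypot is the attacker now.
    direction = "outbound" if ip_address(d["src"]) in HONEYNET else "inbound"
    return {"ts": d["ts"], "sid": int(d["sid"]), "msg": d["msg"], "proto": d["proto"],
            "src": d["src"], "dst": d["dst"],
            "priority": int(d["prio"]) if d["prio"] else None, "direction": direction}


def summarize(text):
    """Count alerts per (source, signature) and collect outbound alerts for follow-up."""
    alerts = [a for a in (parse_alert(line) for line in text.splitlines()) if a]
    by_source = Counter((a["src"], a["msg"]) for a in alerts)
    outbound = [a for a in alerts if a["direction"] == "outbound"]
    return {"total": len(alerts), "by_source": by_source, "outbound": outbound}


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS)
    for (src, msg), n in report["by_source"].most_common():
        print(f"{n:3d}  {src:<16} {msg}")
    for a in report["outbound"]:
        print(f"OUTBOUND at {a['ts']}: {a['src']} -> {a['dst']} ({a['msg']}) - check data control limits")
```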