Honeynet project status thread

[lund99]

OK, So I finally got the thing going and decided it was best to create a thread dedicated to the status of my project and keep the other one going as a Q&A thread.

Right now I've just deployed a virtual honeynet using VMWARE Workstation consisting of one unpatched windows 2000 proffessional guest and one Honeywall guest.

As it is just launched, there's nothing to report yet but I will keep you posted about whatever I might find interesting, stay tuned

Also I'd appreciate all support & traffic to my blog, The Honeyproject


EDIT: Windows 2000 Pro unpatched was a hilarious little experiment which got infected by thousands of worms in a matter of minutes. That project was scrapped within hours and I moved on to a Windows 2003 x64 enterprise on and Honeywall, still under VMWare.

[opreat0r]

You may also want to look at nepenthes http://nepenthes.mwcollect.org/download bit over my head but..

[lund99]

yeah, I'll try too look into that, but i gotta take it one step at a time so it'll probably take a while

[opreat0r]

Let me know if you get into it there is a site that tracks the bins but you have to be a member and I never could get anywhere with it .. basicly if you could rev the code then you got the latest bleeding 0day malware and that's no good for skids

I also watch this a while back .. also search videos for malware and honeypots you get some crazy ideas

http://video.google.com/videoplay?do...57023578163321
http://video.google.com/videoplay?do...42832546263615

[lund99]

Let me know if you get into it there is a site that tracks the bins but you have to be a member and I never could get anywhere with it .. basicly if you could rev the code then you got the latest bleeding 0day malware and that's no good for skids

I also watch this a while back .. also search videos for malware and honeypots you get some crazy ideas

http://video.google.com/videoplay?do...57023578163321
http://video.google.com/videoplay?do...42832546263615

I think that it might be a bit out of my league for the moment But I will definitely look into it once I get a better understanding of the different topics involved with honeynets.

Thanks for the idea though, operat0r, and I will check out those vids in a little while..


I actually ditched my entire honeynet yesterday It turned out that monitoring an unpatched W2K machine was no fun as it got compromised by worms etc in about three minutes.

I actually tried to do a fresh w2k install and just go straight to windows update to get it patched & protected and it still got compromised before the first patch had begun downloading

Therefore I'm moving on to a little more complex set-up.

To give you the basics of my new honeynet, it will look somethin like this (keep in mind these are all VMWare machines):

First of all I got the honeywall to monitor and log, and if necessary - control the amount of data which is able to leave the honeypot.

The honeypot I'm about to implement now is a W2003 x64 enterprise, fully patched and updated.

Also, I'm considering putting one last box into the mix - this time I want a Linux box of some sort and I want it to be vulnerable to exploits etc but I don't want it to be open for worm traffic etc (which I suspect won't be as big of an issue with Linux as it was with w2k anyway).. But since I'm not sure what distro and which version to use here, I was hoping you guys had some suggestions for me?


Anyway, be sure to follow my blog The HoneyProject as this is where I will post most of the info regarding my honeynet, the data captured, screens etc..

I will naturally keep this thread moving as well, but it is easier to publish it all in one location so that is why I decided to start a blog in the first place.

[streaker69]

Hey, I just happened across this: http://www.snort.org/dl/contrib/patc...it_and_switch/

thought you might be interested in it.