Honeypots mailing list archives

RE: results of the first honeyd challenge (dynamic honeynet?)


From: "Compton, Rich" <RCompton () chartercom com>
Date: Mon, 31 Mar 2003 00:09:30 -0600

Reading all of the great entries from the honeyd challenge gave me an idea
for a dynamic honeynet.  The problem that I have implementing a honeypot is
that it takes up IPs.  I have to reconfigure the honeypot as soon as I need
one of those IPs that's assigned on the honeypot. Wouldn't it be nice to
have a honeynet that looks for IPs in a subnet that are not used (maybe by
trying to ping them) and then creates a honeynet for just those IPs.
The honeypot could then see when one of those IPs is being used and remove
it from its configuration.
I'm not sure how it would identify IPs being used when an IP gets statically
assigned (maybe thru arp?) but I've got an idea on how to identify when IPs
are in use in an environment with dhcp.  The honeypot could be running snort
and be looking for bootp messages from the dhcp server.  When snort sees a
dhcp offer for a particular IP it could log it and then something like
logwatch could fire off a script to reconfigure honeyd with a modified
config file removing that IP.
In this way, the honeynet could dynamically grow or contract based on the
supply of unused IPs.
Maybe this could also work with the labrea tarpit?

Any thoughts?

-Rich Compton

-----Original Message-----
From: Niels Provos
To: honeypots () securityfocus com
Sent: 3/22/2003 1:58 PM
Subject: results of the first honeyd challenge

On February 17th, we announced the first Honeyd challenge and asked
the community to improve Honeyd by creating useful feature additions.
One month later we received eight submissions which were evaluated by
the judges during the last week.  While eight submissions is a small
number compared to the challenges of the Honeynet Project, we were
still impressed by the novelty of the solutions and the amount of time
that the contestants put into the Honeyd Challenge.

The best submissions included a pattern detection engine for the
network traffic passing through Honeyd and a tool that builds random,
realistic Honeyd configuration files.  We also received submissions
for a graphical user interface, a port of Honeyd to Windows and many
more.

You can find the results of the challenge at

  http://www.citi.umich.edu/u/provos/honeyd/ch01-results/

Once again, I would like to thank everybody who participated in the
challenge.  As a result of this challenge, the community has received
several new service emulations, new configuration tools and many novel
ideas on how to use Honeyd.

Sincerely
  Niels Provos.
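The dhcp-driven "shrink the honeynet" step described in the post, as an added
example that is not part of the original message or of Honeyd itself. It
takes the raw BOOTP/DHCP payload of an offer (which is what a sniffer or a
snort alert would hand over; the logwatch trigger from the post is left out and
the script is assumed to be called with the packet bytes), pulls the offered
address out of yiaddr, checks that option 53 really says DHCPOFFER, and then
drops the matching "bind <ip> <template>" lines from a honeyd config. The
sample config and the sample packet are constructed for the example; the
`bind` keyword is real honeyd syntax, the personality string is illustrative.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field
BOOTREPLY = 2                       # BOOTP op code for server -> client
DHCP_OFFER = 2                      # option 53 value for DHCPOFFER
DHCP_ACK = 5                        # option 53 value for DHCPACK (not acted on here)

# Constructed honeyd config: one template bound to three spare addresses.
SAMPLE_CONFIG = """create windows
set windows personality "Microsoft Windows XP Professional SP1"
add windows tcp port 80 open
add windows tcp port 139 open
bind 192.168.1.20 windows
bind 192.168.1.21 windows
bind 192.168.1.22 windows
"""


def parse_dhcp_offer(payload: bytes):
    """Return the offered address (yiaddr) if payload is a DHCPOFFER, else None."""
    # Fixed BOOTP header is 236 bytes, followed by the 4-byte magic cookie.
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    if payload[0] != BOOTREPLY:
        return None
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))

    # Walk the TLV options to find the message type (option 53).
    msg_type = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(payload):
            return None          # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None          # truncated option body
        if code == 53 and length == 1:
            msg_type = value[0]
        i += 2 + length

    return yiaddr if msg_type == DHCP_OFFER else None


def remove_bind(config_text: str, ip: str):
    """Drop every 'bind <ip> <template>' line for ip. Returns (new_text, removed_count)."""
    kept, removed = [], 0
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "bind" and parts[1] == ip:
            removed += 1
            continue
        kept.append(line)
    trailer = "\n" if config_text.endswith("\n") else ""
    return "\n".join(kept) + trailer, removed


def handle_offer(payload: bytes, config_text: str):
    """Glue step: if payload is a DHCPOFFER, unbind its address from the config."""
    ip = parse_dhcp_offer(payload)
    if ip is None:
        return config_text, 0
    return remove_bind(config_text, ip)


def build_dhcp_reply(yiaddr: str, msg_type: int = DHCP_OFFER) -> bytes:
    """Construct a minimal server reply for testing (not a captured packet)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x3903F326, 0, 0)  # op..flags
    hdr += b"\x00" * 4                                   # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed          # yiaddr: the offered address
    hdr += b"\x00" * 8                                   # siaddr, giaddr
    hdr += b"\x00" * (16 + 64 + 128)                     # chaddr, sname, file
    opts = DHCP_MAGIC
    opts += bytes([53, 1, msg_type])                     # message type
    opts += bytes([54, 4]) + ipaddress.IPv4Address("192.168.1.1").packed  # server id
    opts += b"\xff"
    return hdr + opts


if __name__ == "__main__":
    new_conf, n = handle_offer(build_dhcp_reply("192.168.1.21"), SAMPLE_CONFIG)
    print(f"removed {n} bind line(s)")
    print(new_conf)
```

In a deployment the rewritten text would be written back to honeyd's config
file and honeyd restarted or reloaded with it; the script deliberately ignores
DHCPACK (option 53 = 5), which is the message that actually confirms the
lease, so a stricter version would wait for the ACK before unbinding and would
add the address back when the lease expires without renewal.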

