Honeypots mailing list archives

Re: Capturing Windows RPC worms with honeyd or similar?


From: Kostas K <acezerocool () yahoo com>
Date: 28 Sep 2003 22:18:55 -0000

In-Reply-To: <646933429.20030928120102 () iki fi>

If you like, you could avoid dealing with honeyd and simulation stuff. Therefore you could build a Windows machine, either win2000 or winxp, unpatched of course, and use snort to capture the worm. Even if you do not use snort you will capture it, or if you like, it will capture you. Snort will help you afterwards in the analysis process. However, this depends on the network you operate. If the rest of the machines are linux, irix etc., then you won't face any particular problems. In case you've got winxp or win2000, patch them and secure them at ports tcp/135, udp/135, udp/69, tcp/4444 mostly, and leave the victim unprotected.

Cheers

Kostas
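An added example for the "analysis afterwards" step above; it is not code from Kostas's message or from the thread. It parses Snort fast-format alert lines (constructed samples, not real captures) and, for each remote host, lists in order which of the ports named in the reply it exchanged with the unprotected victim. The assumption that a hit on tcp/135 followed by activity on tcp/4444 or udp/69 with the same peer marks a propagation attempt is mine, not the reply's; the reply only lists the ports.

```python
import re
from collections import defaultdict

# The ports the reply says to firewall on the other hosts; on the unprotected
# victim they are the traffic worth correlating once Snort has logged it.
WATCHED_PORTS = {("tcp", 135), ("udp", 135), ("udp", 69), ("tcp", 4444)}

# Snort "fast" alert line: timestamp [**] signature [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\].*\{(?P<proto>TCP|UDP)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_alerts(lines):
    """Return (timestamp, src, dst, proto, dport) tuples; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["src"], m["dst"], m["proto"].lower(), int(m["dport"])))
    return events

def peer_chains(events, victim):
    """Per remote host, the ordered watched ports exchanged with the victim.
    'in tcp/135' = remote hit the victim's 135; 'out udp/69' = the victim
    connected out to the remote's 69 (a payload fetch after compromise)."""
    chains = defaultdict(list)
    for _ts, src, dst, proto, dport in events:  # Snort logs alerts in time order
        if (proto, dport) not in WATCHED_PORTS:
            continue
        if dst == victim:
            chains[src].append(f"in {proto}/{dport}")
        elif src == victim:
            chains[dst].append(f"out {proto}/{dport}")
    return dict(chains)

def suspected_infectors(chains):
    """Assumed propagation pattern: an inbound hit on tcp/135 followed by further
    watched-port activity with the same peer (4444 shell, 69 transfer, or both).
    A lone hit on 135 is only a scan or failed attempt and is not reported."""
    return sorted(peer for peer, chain in chains.items()
                  if "in tcp/135" in chain[:-1])

# Constructed sample alerts (not real captures); 10.0.0.9 is the unpatched victim.
SAMPLE_ALERTS = """\
09/28-22:10:01.000001  [**] [1:0:0] constructed DCOM RPC alert [**] [Priority: 1] {TCP} 192.168.1.50:3412 -> 10.0.0.9:135
09/28-22:10:02.000002  [**] [1:0:0] constructed shell alert [**] [Priority: 1] {TCP} 192.168.1.50:3413 -> 10.0.0.9:4444
09/28-22:10:03.000003  [**] [1:0:0] constructed TFTP alert [**] [Priority: 2] {UDP} 10.0.0.9:1029 -> 192.168.1.50:69
09/28-22:11:00.000004  [**] [1:0:0] constructed RPC scan alert [**] [Priority: 2] {TCP} 172.16.0.7:1111 -> 10.0.0.9:135
09/28-22:12:00.000005  [**] [1:0:0] constructed unrelated alert [**] [Priority: 3] {TCP} 172.16.0.8:2222 -> 10.0.0.9:80
""".splitlines()
```

Running `suspected_infectors(peer_chains(parse_alerts(SAMPLE_ALERTS), "10.0.0.9"))` on the constructed lines reports only 192.168.1.50; the host that touched 135 once and the one that hit port 80 are left out.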


Hi all!

I'd like to set up a honeypot to capture Windows RPC worms and other
Windows-specific stuff. Is there any way to simulate a vulnerable
Windows host using honeyd or some similar software? I mean actually
simulating the buffer overflow. Or do I have to set up a real
Windows box?

Any ready-made configuration files for honeyd?

Thanks!

- Jyri
