Honeypots mailing list archives

RE: Advice for setting up honeynet at home


From: Steven Trewick <STrewick () joplings co uk>
Date: Fri, 7 May 2004 14:43:45 +0100


On Thu, 2004-05-06 at 09:59, Valdis.Kletnieks () vt edu wrote:
Simple.  Don't bother filtering. Just connect your honeynet to your cable
modem, and don't surf the net or download your e-mail.  Anything that comes
across is probably a worm. :)
 
... or Windows popup spam :)

But Valdis is right -- what I would suggest is if you're running a
standard firewall setup that allows only outbound connection requests,
then instead of blocking incoming connection requests at the outside,
route them to your honeypot for logging/interaction.

Cheers,
Christian.


This is a setup that works extremely well for me. I have one pot sat
in the DMZ of a SOHO broadband router doing NAT, so it never sees any
of the 'regular' traffic caused by people surfing/emailing/etc.

All unsolicited traffic is routed to the honeypot machine, and there 
is a huge quantity of it, including a large amount of Windows popup 
spam :-)

It yields a staggering amount of data for analysis, and is proving an 
extremely useful tool for researching current threats.

One point to note if you do use a setup like this is to make sure that 
your INTERNAL hosts are safely firewalled from your honeypot box, so
that when it gets compromised, falls victim to a worm, etc, the rest
of your boxen will be OK.  


HTH :-)
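
The layout discussed in this thread (unsolicited inbound traffic handed to the honeypot, internal hosts firewalled from it), sketched as an added example that is not part of the original messages. It assumes a Linux gateway with iptables standing in for the SOHO router; the function name, interface names and the address in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a three-legged Linux
# gateway (WAN, internal LAN, honeypot segment). The Linux gateway, the
# function name and all arguments are assumptions, not from the thread.
# Check before loading:
#   honeynet_rules eth0 eth1 eth2 192.168.50.2 | iptables-restore --test
honeynet_rules() {
    [ "$#" -eq 4 ] || { echo "usage: honeynet_rules WAN_IF LAN_IF POT_IF POT_IP" >&2; return 1; }
    wan=$1 lan=$2 pot=$3 pot_ip=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Unsolicited inbound connections go to the honeypot instead of being dropped.
# Replies to outbound LAN traffic are matched by conntrack and skip this rule.
-A PREROUTING -i $wan -j DNAT --to-destination $pot_ip
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The gateway itself accepts only loopback, replies, and the internal LAN.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
# A compromised honeypot must never reach internal hosts: log, then drop.
-A FORWARD -i $pot -o $lan -j LOG --log-prefix POT2LAN:
-A FORWARD -i $pot -o $lan -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internal hosts may open connections to the Internet.
-A FORWARD -i $lan -o $wan -j ACCEPT
# Redirected Internet traffic may reach the honeypot.
-A FORWARD -i $wan -o $pot -d $pot_ip -j ACCEPT
# Anything else, including connections the honeypot tries to open, falls
# through to the DROP policy (an assumption; the thread does not cover it).
COMMIT
EOF
}
```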










