Honeypots mailing list archives

Building a Honeypot using VMWare


From: "Bruno MAC Castro" <bcastro () dei uc pt>
Date: Mon, 4 Nov 2002 15:58:46 -0000

Hi all,

I am building a Honeypot for my master's thesis. I have also been reading
papers (or web content) regarding Honeypots, remote log correlation and
intrusion detection tools.

Everybody knows that there is no consensus on the process of building a
Honeypot; even so, I gathered the widest range of information regarding
all possible concepts of a Honeypot and developed my own way of doing
it. My option (after many reading hours) is to:
1. Install and close (with firewall, Snort, anti-virus, etc.) a Windows
2k Professional operating system (as host)
2. Install VMWare Workstation on the host
3. Install a Windows 2k Professional without any update or protection
device as a guest (and a possible Honeypot)
4. Install Linux RedHat 8 as an intrusion testing system (more hacking
tools for Linux)

The main platform (intrusion and honeypot) is almost completely set up.
Now, I am reaching a stage in my research where I could use some good
advice:
1. What log tools can I use for log correlation between the Host
(monitor, with Windows 2k Pro) and the Guest (honeypot, with Windows 2k
Pro)?
2. I also need a way to share the guest (hacked) machine logs with the
host (monitor). Any ideas?
3. Is there any tool that can define the hacking process step-by-step by
correlating the IDS logs with the OS logs?
4. It would be important to hide the VMWare process on the Guest. I need
a tool (or a solution) to cover or hide the VMWare process in both
systems. Ideas?
5. My host system is very well secured, but I believe that nothing is 100%
safe, so I also need ideas to copy or move all logs (guest and host) to
another system (not sure about what kind of system it should be). Any
ideas? Maybe a serial port to another machine?

Thanks.
Regards
Bruno
______________________________________
Bruno Miguel Abrantes de Campos e Castro
Mail To:
bcastro () portugalmail pt
bcastro () dei uc pt
______________________________________
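One way to approach question 3 of the post above (reconstructing the intrusion step by step by correlating IDS alerts with OS logs), as an added example that is not part of the original post or of any tool it names: the script below pairs Snort-style "fast" alert lines with guest event-log lines exported as text, grouping them by attacker IP and keeping only OS events that follow an IDS alert from that IP within a time window. The log line formats, the five-minute window, the year assumed for Snort timestamps, and every sample line are constructed assumptions for this example.

```python
"""Timeline correlation of IDS alerts and OS log events (added example).

Assumptions (not from the original post): the IDS writes Snort-style
'fast' alert lines (which omit the year), and the guest exports its
event log as text in 'YYYY-MM-DD HH:MM:SS host source message' form.
Both samples below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2002  # assumed: Snort fast alerts carry no year

# Constructed Snort fast-format alert lines (sample data)
SNORT_ALERTS = """\
11/04-15:58:46.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.9
11/04-15:59:02.004512  [**] [1:2003:1] NETBIOS SMB session setup [**] [Classification: Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:1033 -> 10.0.0.9:139
11/04-16:10:30.000000  [**] [1:1000:1] WEB-MISC probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.7:4000 -> 10.0.0.9:80
"""

# Constructed guest (honeypot) OS log lines, already exported as text (sample data)
OS_EVENTS = """\
2002-11-04 15:59:05 honeypot Security Logon failure: user=Administrator workstation=10.0.0.5
2002-11-04 15:59:07 honeypot Security Logon failure: user=Administrator workstation=10.0.0.5
2002-11-04 15:59:40 honeypot Security Successful logon: user=Administrator workstation=10.0.0.5
2002-11-04 17:00:00 honeypot System Service started: W3SVC
"""

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[[^\]]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<source>\S+)\s+(?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_alerts(text):
    """Turn Snort fast alert lines into events keyed on the source (attacker) IP."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip lines that are not alerts (blank lines, other output)
        ts = datetime.strptime(f"{YEAR}/{m['mon']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S")
        events.append({"ts": ts, "kind": "IDS", "ip": m["src"],
                       "msg": f"{m['msg']} ({m['proto']} {m['src']} -> {m['dst']})"})
    return events


def parse_os_events(text):
    """Turn exported OS log lines into events; the IP is the first address in the message, if any."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ips = IP_RE.findall(m["msg"])
        events.append({"ts": ts, "kind": "OS", "ip": ips[0] if ips else None,
                       "msg": f"{m['source']}: {m['msg']}"})
    return events


def correlate(alerts, os_events, window=timedelta(minutes=5)):
    """Group events by attacker IP.

    An OS event is attached to an IP only if some IDS alert from that IP
    precedes it by at most `window`; everything else lands under key None
    so that unexplained guest activity is still visible to the analyst.
    Returns {ip: [events sorted by time]}.
    """
    sessions = defaultdict(list)
    for a in alerts:
        sessions[a["ip"]].append(a)
    for e in os_events:
        ip = e["ip"]
        preceded = ip is not None and any(
            timedelta(0) <= e["ts"] - a["ts"] <= window for a in alerts if a["ip"] == ip
        )
        sessions[ip if preceded else None].append(e)
    for ip in sessions:
        sessions[ip].sort(key=lambda ev: ev["ts"])
    return dict(sessions)


def timeline(sessions, ip):
    """Render one attacker's merged IDS/OS timeline as text lines."""
    return [f"{ev['ts']:%H:%M:%S} {ev['kind']:3} {ev['msg']}" for ev in sessions.get(ip, [])]


if __name__ == "__main__":
    sessions = correlate(parse_alerts(SNORT_ALERTS), parse_os_events(OS_EVENTS))
    for ip in sessions:
        print(f"== {ip or 'unattributed'} ==")
        print("\n".join(timeline(sessions, ip)))
```

The join key here is deliberately simple (source IP plus a time window) because the guest log format is assumed; with real Windows event exports the first step is to normalise timestamps from both machines to one clock, otherwise the window test silently drops or misorders events.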