RE: High interaction Windows Honeypot

["Stejerean, Cosmin" <cosmin () cti depaul edu>]

Is anyone working on a Sebek3 program for Windows?

Cosmin

-----Original Message-----
From: Thorsten Holz [mailto:thorsten.holz () mmweg rwth-aachen de] 
Sent: Monday, August 08, 2005 11:07 AM
To: honeypots () securityfocus com
Subject: Re: High interaction Windows Honeypot

Ahmed Ameen wrote:
> Hello All,
> I am currently planning for my CS thesis which I decided to do on
> Windows Honeypots. I was wondering if anyone has experience on
> building a high interaction honeypot using a windows environment and
> VMware.

Some experience from me and the German Honeynet Project:

* For the Honeywall, the easiest way to setup is the Honeywall CDROM Roo 
(http://www.honeynet.org/tools/cdrom/). This is Linux-based, but that 
should be no big problem. Just boot a computer with three interfaces 
(two also works, but for management a dedicated interface is best) and 
within 20 minutes your are done. Customization is very easy and the 
web-interface allows you to monitor what's going on. If you really need 
it, you can also install the Honeywall "by Hand", but that's rather 
time-consuming...

* Unfortunately, no Sebek version 3.x exists for Windows yet. It is in 
development, but not ready up to now. So you have to use Sebek version 
2.x (http://www.honeynet.org/tools/sebek/2/sebek-win32-2.1.5.zip). Just 
install Windows and you are basically done. If you don't apply some 
patches, a default installation of Windows will be compromised by a bot 
in an automated way within several minutes...

* If you want to setup a virtual honeynet, just follow the steps 
outlined in the paper "Virtual Honeynet: Deploying Honeywall using 
VMware" (http://www.honeynet.org.pk/honeywall/) written by the Pakistan 
Honeynet Project.

Cheers,
   Thorsten


-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.2/65 - Release Date: 8/7/2005

Attachment: smime.p7s
Description: