Honeypots mailing list archives

Re: Honey Pot Creation


From: David Watson <david () honeynet org uk>
Date: Thu, 17 Aug 2006 11:33:52 +0100

Dev,

Worth a read when getting started with honeypots are:

The Honeynet Project books
http://www.amazon.com/gp/product/0321166469/sr=8-1/qid=1155810395/ref=pd_bbs_1/104-2156992-8800761?ie=UTF8
http://www.amazon.com/gp/product/0321108957/sr=1-1/qid=1155810448/ref=pd_bbs_1/104-2156992-8800761?ie=UTF8&s=books

Roger Grimes's "Honeypots for Windows" book:
http://www.amazon.com/gp/product/1590593359/sr=1-2/qid=1155810484/ref=sr_1_2/104-2156992-8800761?ie=UTF8&s=books

And I'd take a look at existing low and high interaction honeypot solutions:

http://www.securitywizardry.com/honeypots.htm

Most are pretty straightforward to test and experiment with in a lab.

Hopefully these links should be enough to get you started, good luck!

Thanks,

David

Dev Anand wrote:
Dear List members,

Thank you all for your valuable suggestions.

I have started looking at honeyd and nepenthes howtos.

Thanks once again.

Regards
-Deva

On 8/14/06, Jamie Riden <jamesr () europe com> wrote:
On 14/08/06, Brad Rubin <bsrubin () stthomas edu> wrote:
Deva,

A honeypot can be any non-production system, so creating one can be
as simple as getting a system set up with Windows or Linux while
waiting for it to be attacked.  The honeywall sits in between the
honeypot and the network and helps with logging activities directed
to or coming from the honeypot if it is compromised.  It also helps
limit the outgoing damage and associated liability if something does
compromise the honeypot.  And, the honeywall is designed to do this
while trying to remain hidden from the outside.

You can also create a series of honeypot systems and network that run
virtually on a single system using some software called Honeyd.

nepenthes (nepenthes.mwcollect.org) is also an easy low-interaction
honeypot to start with. It emulates known Windows vulnerabilities and
catches quite a few different worms and bots.

A high-interaction honeypot is just some extra monitoring stuff (such
as the Roo honeywall) on top of a genuinely vulnerable system and
needs *constant* attention.

For a web-based honeypot, you could, e.g. install awstats, change the
version number to a vulnerable version (6.4 and below I think) and
then get it indexed on search engines. (see
http://ghh.sourceforge.net/ for other ways of doing web-based stuff).

The first reply concerns spam honeypots, which pretend to be open
relays, or open SOCKS proxies but actually throw away all the email
except the first test.

cheers,
 Jamie
-- 
Jamie Riden / jamesr () europe com / jamie.riden () computer org
NZ Honeynet project - http://www.nz-honeynet.org/



-- 
David Watson
UK Honeynet Project
www.ukhoneynet.org
david () honeynet org uk
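
A sketch of the spam-honeypot behaviour described in the thread (pose as an open relay, let only the first test message through, throw the rest away), added here as an example and not code from any poster or honeypot project. The class names, reply strings and the per-client-IP reading of "first test" are assumptions; nothing here listens on a socket or sends mail, it only records what a deployment would deliver.

```python
# Added example; SpamTrap and Session are hypothetical names, not a real tool's API.
class SpamTrap:
    """Fake open relay: accepts all mail, passes on only the first message per client."""
    def __init__(self):
        # client IPs already tested, messages to deliver, messages logged and dropped
        self.seen, self.forwarded, self.discarded = set(), [], []

class Session:
    def __init__(self, trap, ip):
        self.trap, self.ip = trap, ip
        self.sender, self.rcpts, self.body, self.in_data = None, [], [], False

    def handle(self, line):
        """Feed one SMTP line from the client; return the reply, or None inside DATA."""
        if self.in_data:
            if line == ".":                      # end of message
                self.in_data = False
                return self._finish()
            self.body.append(line[1:] if line.startswith(".") else line)  # undo dot-stuffing
            return None
        verb = line.upper()
        if verb.startswith(("HELO", "EHLO")):
            return "250 relay.example"
        if verb.startswith("MAIL FROM:"):
            self.sender, self.rcpts, self.body = line[10:].strip(), [], []
            return "250 OK"
        if verb.startswith("RCPT TO:"):          # any recipient is accepted, like an open relay
            self.rcpts.append(line[8:].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "221 Bye" if verb == "QUIT" else "502 Command not implemented"

    def _finish(self):
        msg = {"ip": self.ip, "from": self.sender, "to": self.rcpts, "body": "\n".join(self.body)}
        first = self.ip not in self.trap.seen    # assumption: "first test" is tracked per client IP
        self.trap.seen.add(self.ip)
        (self.trap.forwarded if first else self.trap.discarded).append(msg)
        self.sender, self.rcpts, self.body = None, [], []
        return "250 OK queued"                   # same reply either way, so the sender cannot tell

def demo():
    """Constructed input: one client (documentation IP) sends the same message twice."""
    trap = SpamTrap()
    s = Session(trap, "192.0.2.10")
    for line in ["MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>", "DATA", "hi", "."] * 2:
        s.handle(line)
    return len(trap.forwarded), len(trap.discarded)
```

The `discarded` list is the useful output for an analyst: every message in it was accepted with a normal `250` reply but never left the host.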

