Honeypots mailing list archives
Re: botnet logs
From: Valdis.Kletnieks () vt edu
Date: Sun, 16 Nov 2008 22:51:52 -0500
On Sat, 15 Nov 2008 13:20:21 +0100, Nathan said:
> I have to make a brief presentation about honeypots and botnets relation. I chose honeyd as an example honeypot, I am already running it, but due to limited IP resources and short time, I wasn't able to gather any valuable information. I would be pleased if anyone could send me a honeyd log of a botnet attack (DDoS or infecting).
I think you're just a tad confused. For the honeyd log to show anything on the attack side, one of two things has to be true:

1) The honeyd is being attacked by a botnet. This is a challenge because you have to draw the botnet's attention to the honeypot and make them attack it - usually the botnet is busy doing other stuff.

2) The honeyd is running on a host that's part of a botnet. For this to happen, first it has to be botted into the net - and then the owners of the honeyd have to allow it to participate in the attack, which is somewhat morally ambiguous (unless you let it attack but then firewall off the attack packets along the way).

You're unlikely to find many honeyd logs of a botnet trying to infect a host, because enough hosts are running Windows XP SP2 or other operating systems that have a sane firewall by default, so we probably won't see many more CodeRed/Nimda type worms anymore.

Your best bet is to run honeyd on a host, and then visit a webpage that has a malware injector on it and capture that. You probably want to run tcpdump or another packet-capture program as well to catch the raw network traffic. Fortunately, Google is nice enough to mark links that might be malware; you should try visiting those with a sacrificial-goat machine and let honeyd and tcpdump record what happens...