Re: Honeypot

[Michael Lubinski <michael.lubinski () gmail com>]

What methods were you using to analyze the proxy logs for out of the norm
behavior?

On Wed, Jun 22, 2011 at 6:11 AM, Ben Jackson <bbj () mayhemiclabs com> wrote:

> On Tue, Jun 21, 2011 at 4:41 PM, Michael Lubinski
> <michael.lubinski () gmail com> wrote:
> > Who runs honeypots? My research suggests that Dionaea seems to be the
> one.
> > My goal is malware classification and collection.
>
> If you want malware, running a honeypot isn't going to get you much in
> the way of "new" samples. 99% of the malware coming into any
> environment is going to be delivered by drive-by-downloads. Running a
> "regular" honeypot is going to get you stuff that is already fairly
> well known (Conficker, SQL Slammer, etc). You'd be better off finding
> a HoneyMonkey (I don't know if there is a free one out there) or
> analyzing proxy logs for executable downloads. I netted a boat load of
> stuff in my previous job following option B. It's always cool to get a
> piece of malware that was created the same day you're analyzing it.
>
> Another option, which I have not done, is analyzing your mail queue.
>
> --
> Ben Jackson - Mayhemic Labs
> bbj () mayhemiclabs com - http://www.mayhemiclabs.com - +1-508-296-0267
> "Assume that what is in the power of one man to do, is in the power of
> another"
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com