
Last Nepenthes Statistics

2009/11/09

Following on from the move from Nepenthes to Dionaea, I’m decommissioning my Nepenthes server to start afresh with Dionaea. As such, I thought I’d share the final statistics, generated with InfoSanity’s statistics script for Nepenthes.

Statistics engine written by Andrew Waite – http://www.InfoSanity.co.uk

Number of submissions: 4189
Number of unique samples: 1189
Number of unique source IPs: 2024

First sample seen on 2008-05-09
Last sample seen on 2009-10-31
Days running: 540
Average daily submissions: 7

Andrew Waite

  1. Giat
    2012/09/25 at 06:36

    A few issues here.
    I put my Nepenthes on a router and settled many IPs on it. I used a subinterface, and it has been running for a month and collected nothing,
    so I moved it out and put it directly on a public IP without a router and ran it for 3 months. It did collect malware, but only a few.
    Did I make a mistake in the first scenario? What is the difference between those two?

    What is the difference between hexdump and binaries in /var/lib/nepenthes/?
    Just a little confused here.
    It contains md5 in the hexdump and binaries directories.
    My hexdump directory has collected hundreds of malware samples, but it only stores a few in the malware directory.
    Thank you.

    Sorry for bad English.

    • 2012/09/25 at 07:25

      Hi,

      first issue, Nepenthes is effectively dead and has been for a while. I’d suggest taking a look at Nepenthes’ spiritual successor, Dionaea; more features, more recent vulnerabilities emulated and still actively developed.

      Afraid I can’t really say what went wrong with your initial set-up without more information. I’d suggest after any honeypot build testing the connection from an external source to ensure that everything is working as expected.

      Regarding only receiving a few samples, volume of traffic will be dependent on your IP address as some ranges get hit more than others. Also ensure that your network provider doesn’t filter particular ports as this would also prevent attack traffic reaching your sensor.

      Hope this helps,
      Andrew
