Yesterday I had the pleasure of attending the Digital Security & Governance for SMEs at Northumbria University. The purpose of the event was to help SMEs better understand that threats targeting their information systems, their responsibilities in securing personally identifiable information (PII) and to introduce NUWARP
I’ve just completed a new Nepenthes installation, and found the process far simpler than my first attempt as I didn’t compile from source.
After an initial setup and configuration of HoneyD I took a snapshot of the honeyd.log file after running for a 24hr period. Running honeydsum against the log file generated some good overview information. There were over 12000 connections made to the emulated network, averaging one connection every 7 seconds. Despite the volume of connections, each source generally only initiated a handful of connections.
Honeydsum is a script created by Lucio Henrique Franco and Carlos Henrique Peixoto Caetano Chaves for the Brazilian Honeynet project. As described by it’s Authors, it is a tool written in Perl designed to generate a text summary from Honeyd logs.
After getting a working HoneyD environment I wanted to better dig into the information provided by the system. First up was a quick script to get a feel for where the attacks/connections originate from. At first glance I really like the log format that is used by honeyd.log, it is nice an easy to parse. From this I quickly knocked up a python script to parse the honeyd.log file, collect a list of unique source addresses and finally use GeoIP to determine (and count) the county of origin.
After first getting HoneyD up and running previously for a proof of concept I’ve begun a wider implementation of HoneyD to function as the backbone for an upgraded research environment.
HoneyD’s key strength is it’s flexibility, HoneyD’s website contains some sample configuration files that show HoneyD emulating multiple systems running different OSes and applications, a large multi-site network and even a config file to create a honeypot environment for a wireless network. I’ve found these samples immensely useful references for developing custom templates for my own implementation.
Firstly, apologises for the break in regular postings, I was caught by surprise when I realised that it had been over a month since the last InfoSanity post.