Feb 20, 2010

Nepenthes with Pharm, Dionaea, Glastopf, MWCollectd, Ubuntu Karmic, and The Fun That Is Honeypots!

I have been planning on deploying my own honeypot/honeynet for several months. It's been a battle of having the resources for equipment, time for installation and analysis, and simply deciding which software to go with. As you may know, there are 2 main types of honeypots: low interaction and high interaction. A low interaction honeypot is generally a piece of software running on a machine that emulates an exploitable service or program, to attract unwanted guests on your network and log them accordingly. A high interaction honeypot is much the same, except that it is generally an actual OS open to attack, with live vulnerabilities that are exploitable. The main difference is that low interaction solutions are generally only able to accept and catalog known exploitations, and apply a best effort to capture unknown samples. A high interaction honeypot, on the other hand, is theoretically able to capture any and all exploits, as it is a live OS and would react exactly as the exploit expects. There are many more subtleties and differences that are out of the scope of this post.

Back to the topic at hand: in addition to the different types of honeypots, there are also different implementations of each, and as expected, some are far more efficient for an analyst, are more recently updated, have larger databases of vulnerabilities, or may be the only one that offers the exploitable service you're looking for. One of the main driving factors in honeypot development and advancement is Honeynetproject.org. They seem to be a great and very helpful bunch of people from all over the world, intent on making the internet a safer place by attempting to capture and analyze the nastiness in the world of computers. Two other major sites that seem to be very influential and helpful are carnivore.it and mwcollect.org. The main projects that interest us for the sake of this article and the following postings are:

Nepenthes
Nepenthes PHARM Client/Server Backend
Dionaea
Project Glastopf
MWCollectd

For the sake of simplicity and completeness, I should mention that UnrealIRCd and Anope, MySQL, Apache 2, and plenty of hard drive space were pre-installed on a separate Ubuntu Karmic 9.10 JEOS machine for use as a secured, separate backend for monitoring and storing the results of our sensors' activities. At this point, Nepenthes is up and running, along with the SQL entries for the PHARM backend. I had some issues with the CGI scripts for PHARM, as I installed and put everything in place as root; you must "chmod -R 0755 pharm/" and "chmod -R a+x pharm/cgi-bin/". Now the only issue is the error on line 18 of pharm_dologin.cgi, which I can't manage to pinpoint. In the meantime, Glastopf is up next and already beginning setup!

As some may know or have thought to themselves, this is all well and good, but certainly some of these applications spill over onto or monitor the same ports, and you would most certainly be correct. However, with all of the following applications, module-based implementation and near-total configurability is key. The developers realize, and have already anticipated, that you may not want to use a certain portion of their application. The idea I will be going for is to give each package its fair shot with overlapping ports for a short period of time; otherwise, for the most part, I will follow the order below, with descending priority, when deciding overlapping ports:

Glastopf - Handles HTTP and ports 80 and 443, and has first priority for the ports it needs
Dionaea - Focuses mainly on SMB and port 445; it may have others that I am not aware of, or develop in the future.
MWCollectd - A newer and better implementation of Nepenthes and Honeytrap.
Nepenthes and PHARM backend - Further use of PHARM and Nepenthes without mwcollectd is doubtful, as mwcollectd is significantly updated and revised code.
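As an added example (my own, not code from any of the projects above): a small check that turns the priority order into a port plan and compares it with what is actually listening on the sensor, so an overlap resolved in the wrong direction or a planned port left unbound is caught after each install. The per-daemon port sets and the netstat table are constructed assumptions, not the tools' real defaults.

```python
import re
PRIORITY = ["glastopf", "dionaea", "mwcollectd", "nepenthes"]  # descending, as in the post
# Ports each daemon is configured to bind: a constructed assumption for this
# example, not the tools' real defaults. Adjust to match your own configs.
WANTED = {
    "glastopf": {80, 443},
    "dionaea": {445},
    "mwcollectd": {445, 135, 139},
    "nepenthes": {445, 135, 139},
}

def plan_ports(wanted, priority):
    """Give every contested port to the highest-priority daemon that wants it."""
    plan = {}
    for daemon in priority:  # earlier in the list wins; setdefault keeps the first claim
        for port in wanted.get(daemon, ()):
            plan.setdefault(port, daemon)
    return plan

# LISTEN rows of `netstat -tlnp`: the last column is PID/program, or "-" if hidden.
_ROW = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(?:\d+/(\S+)|-)")

def parse_listeners(netstat_output):
    """Map each listening TCP port to the program bound to it ('?' if not shown)."""
    listeners = {}
    for line in netstat_output.splitlines():
        if m := _ROW.match(line):
            listeners[int(m.group(1))] = m.group(2) or "?"
    return listeners

def audit(plan, listeners):
    """Return (port, planned owner, actual owner) for every deviation from the plan."""
    findings = []
    for port in sorted(set(plan) | set(listeners)):
        planned, actual = plan.get(port, "none"), listeners.get(port, "none")
        if planned != actual:  # wrong daemon, planned port unbound, or unplanned listener
            findings.append((port, planned, actual))
    return findings

# Constructed sample in `netstat -tlnp` layout: 445 and 135 were grabbed by
# lower-priority daemons, 139 is unbound, and mysqld is exposed on the sensor.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/glastopf
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1201/glastopf
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1333/mwcollectd
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      1410/nepenthes
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      977/mysqld
"""
```

Feed the real `netstat -tlnp` output (run as root so program names are shown) to `parse_listeners`; an empty list from `audit` means the sensor's bindings match the plan.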

If you created, develop, or otherwise work with any of the aforementioned projects or software, and would like to comment on my theory of merging projects, feel that I am misusing your code, or have any thoughts and suggestions, I certainly welcome it! Also, if you know of other software, forums, projects, or anything else that I should be informed of, please by all means share.

Note: Complete port scans with nmap, with iptables turned off on the honeypot, will be uploaded per package as it is installed and working, along with different configurations with all or some programs running.

Thanks for reading,

Commie