Domain: honeyd.org
Stories and comments across the archive that link to honeyd.org.
Comments · 5
-
Honeyd and non-standard port
Switch your real FTP server to a random, non-standard port.
Set up Honeyd on port 21: http://www.honeyd.org/
-
Re:nothing new
As a side note, here is his research into worms with honeyd : http://www.honeyd.org/worms.php published in 2004
-
Darknet, invite naughty traffic on your net today!
I completely agree, after spending countless hours sifting through log files, tweaking triggers to help reduce the amount of false positives, the IDS is not the complete answer.
An IDS is only so efficient, you need to first really understand your network before deploying, and even after deployment, this is only the beginning.
We have been using Darknets, or honeypots for sometime, an excellent combination of tools, see Snort, ACID (Analysis Console for Intrusion Databases
As said before and in the article, this is a sophisticated set of tools and you need to understand your network, or you will find yourself chasing ghosts, Enter the Darknet (Honeypot).
Combined with the other tools, we have been using Honeyd , an excellent honeypot, simple to get up an going and very configurable.
Snort.org has an excellent howto documentation to get the IDS up an going, then you can add the honeypot.
It can be downright humorous how quickly you will begin to capture useful information. In addition, adding scripts to interact with the traffic will allow you to keep the user busy while you are collecting data, or Tarpitting the traffic making the port "sticky" dragging the connections, another good one would be LeBrea.
If you have any interest in network security, or simply want to monitor your home network, you need to take a look at darknet, or any of the other tools mentioned. -
Re:Other platforms
Better tell the people at honeyd. They seem to think you can emulate the TCP/IP stack of other OS's, and use scripts to fool the app or person on the other end to run an entire honeynet of composed of several different "OS's" on one system.On top of that, you do not need a vulnerable system, nor allow your box to become compromised in order to attract a worm that will attempt to propagate. If you wanna see how it tries to locally, you analyze the actual code, if you want to see how it affects the network, or detect that something odd is occurring, thats what the honeypot is for.
-
Re:The best defense...Well, open source comes to your rescure as always. Laurent Oudot has recently shown how to use honeypots against the blaster worm. The folks behind Honeyd just put a page in place that demonstrates how virtual honeypots can defeat worms. It suggests to setup up thousands of virtual honeypots to detect the worms and then immunize the infected machine against the worm.
Seems like a pretty cool concept. Definitly sort of offensive.