syslog
Last August, I described the Honeynet Project and its goals of
raising awareness of Internet threats and vulnerabilities. In that
column, I mentioned Lance Spitzner's book "Honeypots: Tracking Hackers",
which was released in September of 2002. On his Web site (http://www.spitzner.net),
Spitzner defines a honeypot as "a security resource whose value
lies in being probed, attacked or compromised". He says, "A honeypot
may be a system that merely emulates other systems or applications,
creates a jailed environment, or may be a standard built system.
Regardless of how you build and use the honeypot, its value lies
in the fact that it is attacked."
The following information was taken from Spitzner's "Tracking
Hackers" Web site: http://www.tracking-hackers.com. There
he provides this list of open source honeypots:
- BackOfficer Friendly (BOF) http://www.nfr.com/products/bof/
-- BOF is a free Windows-based honeypot designed to be used as
a burglar alarm. Written by Marcus Ranum and the NFR folks in
1998, BOF is extremely easy to use and runs on any Windows platform.
However, it is very limited and can listen on only 7 ports. If
you have never installed a honeypot before, this is a great place
to start.
- BigEye http://violating.us/projects/bigeye/ -- An open
source network dumping utility that has some basic service emulation
capabilities.
- Deception Toolkit http://www.all.net/index.html -- DTK
was the first open source honeypot, released in 1997. Written
by Fred Cohen, DTK is a collection of Perl scripts and C source
code that emulates a variety of listening services. Its primary
purpose is to deceive human attackers. This tool is dated, but
it was one of the first honeypots ever released.
- LaBrea Tarpit http://www.hackbusters.net/LaBrea.html
-- This open source honeypot is unique in that it is designed
to slow down or stop attacks. It can run on Windows or Unix.
- Honeyd http://www.citi.umich.edu/u/provos/honeyd/ --
This is a new open source honeypot, released by Niels Provos in
2002. Honeyd, written in C and designed for Unix platforms, introduces
a variety of new concepts, including the ability to monitor millions
of unused IPs, perform IP stack spoofing, and simulate hundreds
of operating systems at the same time. It also monitors all UDP-
and TCP-based ports. You can try out Honeyd with the Linux Honeyd
Toolkit, which contains all the configuration files, precompiled
static binaries, and startup scripts needed to get Honeyd instantly
up and running on your Linux computer.
- Honeynets http://www.honeynet.org/papers/honeynet/ --
These are entire networks of systems designed to be compromised.
Honeynets are the most complex honeypot solutions and have the
greatest risk. However, they can also capture the most information
of any honeypot.
- Sendmail SPAM Trap http://www.tracking-hackers.com/solutions/sendmail.html
-- This honeypot identifies spammers and captures their spam,
without relaying it to any victims. Best of all, it's very easy
to set up.
- Tiny Honeypot http://www.alpinista.org/thp/ -- Written
by George Bakos, Tiny Honeypot is unique in that it always appears
vulnerable. No matter what attack a hacker launches, it will appear
successful. It is a great tool for collecting all sorts of information
on the bad guys.
- User Mode Linux (UML) http://user-mode-linux.sourceforge.net/
-- An open source solution that allows you to run multiple
operating systems (and honeypots) at the same time. Its creator
Jeff Dike has added unique honeypot functionality, such as the
ability to capture the attacker's keystrokes from kernel space.
UML allows you to create an entire Honeynet on a single computer.
UML is currently limited to the Linux operating system.
Good luck tracking your intruders.
Sincerely yours,
Amber Ankerholz
Editor in Chief