|
Honeystick
|
|
Debian/USB |
UK Honeynet |
http://www.ukhoneynet.org/honeystick.htm |
|
A
HoneyStick is a portable honeynet demonstration and incident response
tool - a complete OS platform, GenIII honeywall and one or more
honeypots on a single bootable USB stick. |
|
Some licenses required
|
Information Updated: 07 Nov 2005
|
|
mwcollect |
|
|
credits
Paul Baecher, Thorsten Holz, Markus Kötter, Georg Wicherski |
http://www.mwcollect.org/ |
mwcollect is an easy solution to collect
worms and other autonomous spreading malware in a non-native
environment like Linux. The first versions were used to
collect binaries for botnet monitoring and bots are still
what we mostly see. Some people consider it a next
generation honeypot, however that comparison often leads to
the misunderstanding that computers running mwcollect can
actually be infected with the malware -- that is not
the case!
|
|
GPL
|
Information Updated: 07 Nov 2005
|
|
BackOfficer Friendly
|
|
Win32
Unix (reduced function)
|
NFR Security |
http://www.nfr.com/resource/backOfficer.php |
|
Known as a
"honey pot" for its ability to attract and trap hackers, Back Officer
Friendly (BOF) is a popular free download available exclusively from NFR
Security, Inc. Back Officer Friendly was originally created to
detect when anyone attempts a Back Orifice scan against your computer. It
has since evolved to detect attempted connections to other services, such
as Telnet, FTP, SMTP, POP3 and IMAP2. When BOF receives a connection to one
of these services, it will fake replies to the hopeful hacker, wasting the
attacker's time, and giving you time to stop them from other mischief.
|
|
COMMERCIAL - But Free
|
Information Updated: 15 Jan 2004
|
|
Bait n Switch |
|
|
|
http://baitnswitch.sourceforge.net/ |
|
The Bait and Switch Honeypot is a
multifaceted attempt to take honeypots out of the shadows of the network
security model and to make them an active participant in system defense.
To do this, we are creating a system that reacts to hostile intrusion
attempts by redirecting all hostile traffic to a honeypot that is
partially mirroring your production system. Once switched, the would-be
hacker is unknowingly attacking your honeypot instead of the real data and
your clients and/or users are still safely accessing the real system. Life
goes on, your data is safe, and you are learning about the bad guy as an
added benefit. The system is based on Snort, Linux's iproute2, netfilter,
and custom code for now. We plan on adding additional support in the
future if possible.
|
|
FREEWARE
|
Information Updated: 17 May 2003
|
|
Bubblegum |
|
|
|
http://world.std.com/~pacman/proxypot.html |
|
An
open proxy is a server that forwards Internet connections from
anywhere to anywhere, no questions asked. If you want to do something bad,
and don't want to get caught, all you have to do is find an open proxy and
tell it to do it. Nobody will know who did it, except the open proxy, and
even there the records are usually short-lived or nonexistent.
An open proxy honeypot (proxypot) is a server that
pretends to be an open proxy, taking requests from bad people to do bad
things, and responding with a simulation instead of doing the evil deed.
The goal is to fool the bad people into thinking they've done their bad
thing and got away with it, while actually they didn't do it, and they got
caught anyway! |
|
FREEWARE
|
Information Updated: 15 Jan 2004
|
|
 |
|
Deception Toolkit |
|
|
|
http://www.all.net/dtk/dtk.html |
|
DTK's
deception is intended to make it appear to attackers as if the system
running DTK has a large number of widely known vulnerabilities. DTK's
deception is programmable, but it is typically limited to producing output
in response to attacker input in such a way as to simulate the behavior of
a system which is vulnerable to the attacker's method.
DTK simply listens for inputs and provides responses that seem normal
(i.e., full of bugs). In the process, it logs what is being done, provides
sensible (if not quite perfect) answers, and lulls the attacker into a
false sense of (your) insecurity. |
|
FREEWARE
|
Information Updated: 18 Aug 2002
|
|
Decoy Server (formerly known as ManTrap from Recourse)
|
|
Windows® 95/98/NT®/2000
Solaris 2.5.1 (Intel only) Solaris 2.6 or Solaris 7 on Intel or SPARC
|
Symantec Corporation.
|
http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=157
|
|
By
creating a realistic mock network environment, the solution serves as an
attack target in order to protect critical areas of the network. As a
supplement to security solutions such as firewalls, it employs advanced
decoy technology to enable early warning and detection to divert and
confine attacks.
Symantec Decoy Server sensors deliver holistic detection and response and
provide detailed information through its system of data collection
modules. Every action is recorded for analysis, allowing administrators to
understand the threat and implement an appropriate, policy-based response.
Advanced filters enable the solution to automatically discard
insignificant events, leaving only the data required to respond
effectively to any incident. |
|
COMMERCIAL
|
Information Updated: 14 Jan 2004
|
|
HOACD |
|
|
Honeynet.BR Project |
http://www.honeynet.org.br/tools/ |
|
HOACD means
Honeyd+OpenBSD+Arpd in a CD. It is the implementation of a
low-interaction honeypot that runs directly from a CD and stores its logs
and configuration files on a hard disk. The CD is bootable and uses the
OpenBSD operating system, the low-interaction honeypot daemon honeyd and
the user-space arp daemon. |
|
FREE
|
Information Updated: 27 Jun 2004
|
|
Honeynet Security Console |
|
|
Activeworx Inc. |
http://www.activeworx.org/programs/hsc/index.htm |
|
Honeynet
Security Console is an analysis tool to view events on your personal
honeynet. It gives you the power to view events from Snort, TCPDump,
Firewall, Syslog and Sebek logs. It also allows you to correlate events
from each of these data types to have a full grasp of the attackers'
actions. |
|
FREE
|
Information Updated: 27 Jun 2004
|
|
 |
|
HoneyD |
|
|
Niels Provos |
http://niels.xtdnet.nl/honeyd/ |
|
Honeyd is a
small daemon that creates virtual hosts on a network. The hosts can be
configured to run arbitrary services, and their personality can be adapted
so that they appear to be running certain operating systems. Honeyd
enables a single host to claim multiple addresses - I have tested up to
65536 - on a LAN for network simulation. Honeyd improves cyber security by
providing mechanisms for threat detection and assessment. It also deters
adversaries by hiding real systems in the middle of virtual systems.
|
|
FREE
|
Information Updated: 14 Jan 2004
|
|
HoneyComb |
|
Linux |
Christian Kreibich |
http://www.cl.cam.ac.uk/~cpk25/honeycomb/ |
|
Honeycomb is good at spotting worms. For example, Honeycomb
creates detailed signatures for Slammer and Code Red (far more detailed
than the typical web server request line) on a typical end-user DSL
connection. But the system has lots of other potential uses -- it can be
applied to any kind of traffic to actively search for signatures when
those are currently not available. Examples are all those "Does anyone
have a signature for program X"-type of questions on IDS mailing lists --
just run this traffic through Honeycomb and see what you get.
Spam detection is another potential application that comes to mind.
The system
is an extension of the open-source honeypot honeyd and inspects traffic
inside the honeypot; currently it examines protocol headers as well as
payload data. Integrating Honeycomb with honeyd has several
advantages over a bump-in-the-wire approach: |
|
GPL
|
Information Updated: 19 Jul 2004
|
|
 |
|
HoneyWall |
|
|
Rob McMillen |
http://www.honeynet.org/tools/cdrom/ |
|
The Honeywall CDROM combines all the
tools and requirements of a GenII honeynet gateway on a (hopefully) easy
to use, secure, bootable CDROM. The intent is to make honeynets easier to
deploy and customize. You simply boot off the CDROM, configure it based on
your environment, and you should have a Honeywall gateway ready to go. The
CDROM supports several configuration methods, including an interactive
menu and .iso customization scripts. The CDROM is an appliance, based on a
minimized and secured Linux OS. |
|
FREE
|
Information Updated: 27 Jun 2004
|
|
Jackpot |
|
|
Jack Cleaver |
http://jackpot.uk.net/ |
|
Jackpot is a ready-to-run SMTP relay honeypot,
written in pure Java.
By running a relay honeypot on your computer, you can make a contribution
to the battle against spam email. Jackpot enables you to submit
accurately-aimed complaints, with detailed documentation accessible via a
built-in web-server. Jackpot is very entertaining to run -
you can watch spam getting logged and then blackholed in real-time. You
can examine the envelope (HELO) commands used to submit the spam to
Jackpot, which is not possible using a simple spamtrap address. The
details of spam-runs are saved in comma-delimited files, which you can
analyse using simple tools. |
|
FREE
|
Information Updated: 30 Jun 2004
|
|
KFSensor |
|
W32 |
KeyFocus Ltd |
http://www.keyfocus.net/kfsensor/index.php |
|
It acts as a honey pot to attract and
detect hackers by simulating vulnerable system services and trojans. The
system is highly configurable and features detailed logging, analysis of
attack and security alerts. This approach complements other forms of
security and adds another defense against the growing security threat
faced by all organizations. |
|
Commercial
|
Information Updated: 25 Apr 2003
|
|
LaBrea Tarpit |
|
Linux / W32 |
|
http://labrea.sourceforge.net/labrea-info.html |
|
LaBrea is a program that
creates a tarpit or, as some have called it, a "sticky honeypot". LaBrea
takes over unused IP addresses on a network and creates "virtual machines"
that answer to connection attempts. LaBrea answers those connection
attempts in a way that causes the machine at the other end to get "stuck",
sometimes for a very long time. |
|
FREEWARE
|
Information Updated: 20 Dec 2004
|
|
 |
|
NetFacade |
|
Sun Ultra Sparc 5 workstation running Solaris 7 |
Verizon |
http://www22.verizon.com/fns/solutions/netsec/netsec_netfacade.html |
|
The Verizon NetFacade Intrusion Detection service
creates a Honeynet that exists to alert network security or management
personnel of an intrusion. In addition, it has a secondary effect of
distracting intruders from probing and attacking the real targets on a
network. NetFacade simulates a network of hosts running seemingly
vulnerable services. A scan of the range of IP addresses the NetFacade
is simulating will return information on the simulated services as if
they were real network services running on actual hosts. Since there are
no actual users of this virtual network of simulated hosts, all traffic
to it is considered to be suspicious. All traffic to the NetFacade
Intrusion Detection service on the virtual network is logged and brought
to the attention of the Security Administrator(s). |
|
COMMERCIAL
|
Information Updated: 20 Dec 2004
|
|
NetScreen IDP |
|
Appliance |
|
http://www.juniper.net/products/intrusion/detection.html# |
|
The Network
Honeypot impersonates services, sending fake information in response to
scans to try and entice attackers to access the non-existent services. An
attack is identified when the attacker returns and tries to access the
impersonated resources. There is no reason for legitimate traffic to
access these resources because they don't exist, so any attempt to connect
constitutes an attack. This is a good way to stop the "noise" created by
"script kiddies" and unsophisticated attackers. |
|
COMMERCIAL
|
Information Updated: 19 Jul 2004
|
|
PatriotBox |
|
|
Alkasis Corporation |
http://www.alkasis.com/?fuseaction=products.main |
|
Use PatriotBox to help reduce spam on the Internet. PatriotBox
simulates an Open Relay Mail server. Spammers think they are relaying
mail, but no mail ever leaves PatriotBox and PatriotBox logs every move
they make. |
|
COMMERCIAL
|
Information Updated: 19 Jul 2004
|
|
Sebek |
|
|
|
http://project.honeynet.org/tools/sebek/ |
|
Sebek is a data capture tool designed to capture the
attacker's activities on a honeypot, without the attacker (hopefully)
knowing it. It has two components. The first is a client that runs on
the honeypots; its purpose is to capture all of the attacker's activities
(keystrokes, file uploads, passwords) and then covertly send the data to the
server. The second component is the server, which collects the data from
the honeypots. The server normally runs on the Honeywall gateway. |
|
Free
|
Information Updated: 20 Dec 2004
|
|
Smoke Detector |
|
Win 2000 |
Palisade Systems, Inc |
http://palisadesys.com/products/smokedetector/index.shtml |
|
SmokeDetector can add another valuable layer of
protection. Able to mimic up to 19 of the most common server operating
systems on one physical box, SmokeDetector will confuse and delay a hacker
trying to reach critical information. When SmokeDetector is accessed, that
information is logged and an immediate notification is sent to the
administrator.
Emulates:
Linux - Solaris8 - HP-UX - AIX4 -
FreeBSD4 - AS/400 - WindowsNT4 -
Windows2000 - Cisco
|
|
COMMERCIAL
|
Information Updated: 15 Jan 2004
|
|
Sombria |
|
|
Little eArth Corporation |
http://www.lac.co.jp/business/sns/intelligence/sombria_e.html |
|
Sombria is a
honeypot system comprised of a web server, a firewall and an intrusion
detection system that is intended for the sole purpose of network
surveillance and research. This combination of surveillance technologies
makes it possible to control and watch intruders' movements closely and
in real time as they go about their mission without them even realizing
it. New trends in attacks detected through Sombria and all prominent
intrusions and worm attacks to which the honeypot system was exposed are
released in the form of reports. |
|
COMMERCIAL
|
Information Updated: 20 Dec 2004
|
|
 |
|
Specter
|
|
Agent: Windows 2000, Windows XP
Console: Windows 2000, Windows XP
|
NETSEC
|
http://www.specter.com/default50.htm
|
|
SPECTER is a smart honeypot or deception system. It
simulates a complete machine, providing an interesting target to lure
hackers away from the production machines. SPECTER offers common Internet
services such as SMTP, FTP, POP3, HTTP and TELNET which appear perfectly
normal to the attackers but in fact are traps for them to mess around and
leave traces without even knowing that they are connected to a decoy
system, which does none of the things it appears to do, but instead logs
everything and notifies the appropriate people. Furthermore, SPECTER
automatically investigates the
attackers while they are still trying to break in. SPECTER provides
massive amounts of decoy content and it generates decoy programs that will
leave hidden marks on the attacker's computer. Automated weekly online
updates of the honeypot's content and vulnerability databases allow the
honeypot to change constantly without user interaction.
|
|
COMMERCIAL
|
Information Updated: 15 Jan 2004
|
|
Tiny Honeypot |
|
Linux |
George Bakos |
http://freshmeat.net/projects/thp/ |
|
Tiny
Honeypot (thp) is a simple honey pot program based on iptables redirects
and an xinetd listener. It listens on every TCP port not currently in use,
logging all activity and providing some feedback to the attacker. The
responders are entirely written in Perl, and provide just enough
interaction to fool most automated attack tools, as well as quite a few
humans, at least for a little while. With appropriate limits (default),
thp can reside on production hosts with negligible impact on performance. |
|
GPL
|
Information Updated: 19 Jul 2004
|
|
WormRadar |
|
Windows |
Roger Thompson |
http://wormradar.com/ |
|
Welcome to the home of
WormRadar. The chart below is a summary of all worm and probe activity
detected by WormRadar nodes around the world, and is refreshed about every
30 minutes. "Summarised" means that multiple hits from a single source IP
to a single target IP on a single port are only counted as one hit. |
|
Free
|
Information Updated: 19 Jul 2004
|
|