Honeypots: RE: High interaction Windows Honeypot


From: Stejerean, Cosmin <cosmin_at_cti.depaul.edu>
Date: Mon, 8 Aug 2005 11:48:42 -0500

Is anyone working on a Sebek3 program for Windows?

Cosmin

-----Original Message-----
From: Thorsten Holz [mailto:thorsten.holz_at_mmweg.rwth-aachen.de]
Sent: Monday, August 08, 2005 11:07 AM
To: honeypots_at_securityfocus.com
Subject: Re: High interaction Windows Honeypot

Ahmed Ameen wrote:
> Hello All,
> I am currently planning for my CS thesis which I decided to do on
> Windows Honeypots. I was wondering if anyone has experience on
> building a high interaction honeypot using a windows environment and
> VMware.

Some experience from me and the German Honeynet Project:

* For the Honeywall, the easiest way to set up is the Honeywall CDROM Roo
(http://www.honeynet.org/tools/cdrom/). This is Linux-based, but that
should be no big problem. Just boot a computer with three interfaces
(two also works, but for management a dedicated interface is best) and
within 20 minutes you are done. Customization is very easy and the
web-interface allows you to monitor what's going on. If you really need
it, you can also install the Honeywall "by Hand", but that's rather
time-consuming...

* Unfortunately, no Sebek version 3.x exists for Windows yet. It is in
development, but not ready up to now. So you have to use Sebek version
2.x (http://www.honeynet.org/tools/sebek/2/sebek-win32-2.1.5.zip). Just
install Windows and you are basically done. If you don't apply some
patches, a default installation of Windows will be compromised by a bot
in an automated way within several minutes...

* If you want to set up a virtual honeynet, just follow the steps
outlined in the paper "Virtual Honeynet: Deploying Honeywall using
VMware" (http://www.honeynet.org.pk/honeywall/) written by the Pakistan
Honeynet Project.

Cheers,
   Thorsten

Received on Aug 08 2005