Tools for Honeynets

Here you will find tools for deploying your Honeynet. All software created by The Honeynet Project is OpenSource and falls under the Revised BSD License. Software listed here that was not developed by the Honeynet Project must at a minimum be OpenSource. If you are deploying a honeynet, we assume you have read and understand the concepts, risks and issues discussed in KYE: Honeynets. If you identify any bugs or issues, or have any suggestions about the code on this site, please use our Bug Server. You can find all advisories we have released in the Advisories Archives.

NOTE: The Honeynet Project makes no warranties, nor can it be held responsible for damages caused by any tools on this website.

Last Updated: 08 August, 2005

Honeywall CDROM
The Honeywall CDROM combines all the functionality below into a robust CDROM installation solution. Based on our latest GenIII technologies, it automates the process of installation while giving you all the tools you need to easily manage and analyze your honeynet deployments.


Data Control
Tools used to control and contain attacker activity.

  • Snort_inline: Modifications to Snort that can block or modify attacks based on matching signatures.
  • SnortConfig: Perl script developed by Brian Caswell that takes a current Snort rule set and converts it for use by snort_inline (drop, sdrop, replace). Has extensive configuration options, including the ability to change rules based on file, classification, or sid.
  • Session Limit: A modification to the OpenBSD 'pf' firewall tool that gives you session rate-limiting capabilities. It can be used in either layer 3 (routing) or layer 2 (bridging) mode. Developed by the Brazil team of the Honeynet Research Alliance.
  • Honeypot Bandwidth Rate Limitation: Various technology and configuration options for adding network latency or throttling bandwidth. Used to limit how many packets the bad guys can send outbound from your Honeynet.


Data Capture
Tools used to log and capture all attacker activity.

  • Sebek: This is the primary tool used by the Honeynet Project to capture attacker activity on honeypots.
  • mwcollect: This is a low-interaction honeypot used to automate the collection of malware. Developed and maintained by Georg Wicherski of the German Honeynet Project.
  • Pcap_api: Tool used primarily with the Honeywall CDROM Roo to interface with pcap data.


Data Analysis
Tools used to analyze the data collected by honeynets.

  • Privmsg: A Perl script used to extract IRC conversations from tcpdump binary log files; very good for eliminating 'noise'.
  • HoneyInspector: An older, prototype data analysis interface used to demonstrate honeynet capabilities. This interface is now being replaced with the one that comes on the Honeywall CDROM.
  • Data Demo: A month's worth of data collected from a single Honeynet. This data is used to develop, test, and demonstrate data analysis tools.
  • Sleuthkit: Powerful, OpenSource forensic toolset for analyzing hacked systems.
  • WinInterrogate: OpenSource solution used for win32 filesystem and process analysis.

