Welcome to the UK Honeynet Project

The UK Honeynet Project (a Chapter of The Honeynet Project) was founded in 2002 as a volunteer not-for-profit research organisation. Our aim is to provide information surrounding security threats and vulnerabilities active in the wild on UK networks today, to learn the tools, tactics, and motives of the blackhat community and to share these lessons learned with the public and the wider IT community. The project seeks to provide input as part of an overall honeynet community of teams researching security within IT systems around the globe.

Interesting new tools

17:34, July 18th, 2007 by david

There have been a number of releases of new and interesting tools by members of the Honeynet Project and the Research Alliance over the past few weeks. In particular, the following are definitely worthy of further investigation:

HoneyC is a low interaction client honeypot / honeyclient designed to emulate web clients and identify malicious servers on the web. HoneyC is developed and maintained by Christian Seifert of the NZ Chapter.

Capture-HPC is a high interaction client honeypot. A client honeypot is a security technology that allows one to find malicious servers on a network. Capture identifies malicious servers by interacting with potentially malicious servers using a dedicated virtual machine and observing its system state changes. Capture-HPC is developed and maintained by Christian Seifert of the NZ Chapter.

CaptureBAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations. CaptureBAT is developed and maintained by Christian Seifert of the NZ Chapter.

Pehunter is a Snort dynamic preprocessor that grabs Windows executables off the network and is designed to sit in-line in front of high-interaction honeypots. Developed and maintained by Tillmann Werner of the German Honeynet Project.

The High Interaction Honeypot Analysis Toolkit (HIHAT) attempts to transform arbitrary PHP applications into web-based high-interaction honeypots. A typical use would be the transformation of PHPNuke, PHPMyAdmin or OSCommerce into a fully functional honeypot, and HIHAT provides a graphical user interface to support the process of monitoring the honeypot, analyzing the acquired data and generating statistics. Developed and maintained by Michael Mueter of the German Honeynet Project.


New KYE white paper released

17:21, July 17th, 2007 by david

The Honeynet Project have released a new KYE white paper. KYE: Fast-Flux Service Networks describes how attackers are developing more robust and scalable networks for delivering cyber-crime, based on networks of compromised hosts with rapidly changing DNS records and layers of proxy server redirection.

Honeywall v1.2 (Roo) released

17:45, July 3rd, 2007 by david

Although it has been a long while coming, the Honeynet Project have finally released version 1.2 of the Roo Honeywall. This release moves the base platform to the actively maintained Fedora Core 6 OS release and adds a number of other updates, enhancements and bug fixes. Of particular interest to people running honeynets in the wild will be the default enabling of BPF filters that ensure only traffic explicitly addressed to monitored honeypots is logged.

GDH Phase One Complete

17:34, July 2nd, 2007 by david

For the last six months, David Watson has been leading the Honeynet Project’s Global Distributed Honeynet (GDH) initiative. Phase One of the GDH initiative concluded 31/05/07, with a three month status report being delivered to members of the honeynet research community 01/07/07. We are now looking at how we release more of our findings to the public, and also how best to continue our research in future GDH phases.

Honeynet Project development lists going public

17:15, June 18th, 2007 by david

The Honeynet Project has begun the process of opening its development mailing lists and svn repository up to the public, with a development wiki to follow soon too. The first project to go public is Honeysnap, led by members of the UK Honeynet Project, so please sign up if you are interested and actively using Honeysnap.

UKHP annual status report published

1:00, May 18th, 2007 by david

The UK Honeynet Project status report has been released for the period March 2006 – April 2007.

Honeynet Project holds workshop for US Navy SSG

1:02, May 10th, 2007 by david

Honeynet Project workshop for US Navy Strategic Studies Group in Rhode Island.

UKHP presents to UK Serious Organised Crime Agency

1:01, May 10th, 2007 by david

Honeynet technology and malware collection presentation in York for the UK Serious Organised Crime Agency (David Watson).