Honey pot

New Member

Honey pot

I'm student of MIT,
My project is about Honey pot but I have no idea about that.
I'd like to know:
1.Which language is better to write a honey pot?
2.How can I sniff packets from the network.
3.How can I understand which packet is intrusion and which is not?
4.How can I learn from the intrusions and save them?
anybody help me?
thank you inadvance
Steven E. Protter
Exalted Contributor

Re: Honey pot

As i recall honeypot is a fire/wall/network type package

1) I'd use ethereal as a sniffer its free
2) I'd use iptables as a firewall, its free and more widely supporeted.

3) This is partially based on experience, but packets originating from anauthorized sources are bad, to figure this out, you need to know your network environment.

Steven E Protter
Owner of ISN Corporation
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Robert-Jan Goossens
Honored Contributor

Re: Honey pot


Check this article,


Honored Contributor

Re: Honey pot


Honeypot is a system connected to Insecure network hosting (fakely vulnerable)virtual network services and logging all network and system activities to a secure log server.

The idea is to attract hackers to hack our honeypot. The objectives are to study and analyze the latest exploits used by hackers, obtain forensic data and to divert hackers from production servers.

hackers must be misled by the honeypot as a real system to hack and the greatest design challenge of a Honeypot is it's level deception in the eyes of hackers.

You can write a honeypot in any language. The secure coding and logic are the major concerns. C and C++ recommended over perl considering coding standards and performance.

In a honeypot you need not sniff the packets as the traffic must be point-to-point. viz. from the honeypot to hackers system. But you can have implementations where honeypot must spoof and answers traffic to unused IP addresses in a subnet using ARP spoofing methods. In this cases use socket APIs like libnet etc to inject ARP packets.

Activities in honeypot needed be classified ( intrusive or non-intrusive ) before logging. All activities must be logged.

After logging , it will be the work of the forensic analyst or automated log parser to analyze the logs in the log server for categorization based on attacks. To learn about intrusions you must study the attacks pattern databases available in cert.org, sans.org and must be able to correlate the attacks in realtime situations.



Innovations are made when conventions are broken
Martin P.J. Zinser
Honored Contributor

Re: Honey pot



might proof a good starting point. Do not try to cheat and use the program given there, from what I have heard the guys at MIT are not idiots and would catch you ;-)

Greetings, Martin
Olivier Drouin
Trusted Contributor

Re: Honey pot