For the last two weeks I have been playing around with a few low-interaction honeypots. Sure, it would be preferable to install a high-interaction honeypot, but since I'm doing this on a virtual machine I didn't dare go that way. I ended up with two different systems running on the same machine, Dionaea and Kippo.
Honeywall
Although it's not necessary to use a honeywall with low-interaction honeypots, I wanted to build my own honeywall for this project, whose main purpose was to log everything going in and out of the honeynet. I built my "wall" using OpenBSD 5.0 with Snort 2.9.2 installed. In addition to Snort, I used tcpdump and pf logging for DCAP (data capture).
Regarding DCON (data control), I used pf to block and allow traffic to and from my honeypot. Session limits and snort_inline on outgoing connections would be preferable, but again I didn't feel this was critical for my honeynet, since I was using low-interaction honeypots. (snort_inline isn't supported under OpenBSD, if I understand correctly.)
So far this wall is working properly, but I need to learn more about how to use my wall in a honeynet with high-interaction honeypots, and build a more user-friendly interface for Snort and the logs.
Snort was a pain in the arse to install on OpenBSD, but eventually I got it up and running.
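As an added example, and not the author's real configuration, here is a minimal OpenBSD 5.0 pf.conf that does what the honeywall paragraphs above describe: every packet to and from the honeypot is logged to pflog0 for data capture, and per-source state limits on inbound connections plus a rate limit on what the honeypot may open outward give basic data control without snort_inline. The interface names, the honeypot address and the port list are assumptions.

```pf
# Added example honeywall ruleset (OpenBSD 5.0 pf syntax), not the
# author's real pf.conf. Interfaces, addresses and ports are assumptions.
ext_if   = "em0"                      # towards the Internet
hp_if    = "em1"                      # towards the honeypot segment
honeypot = "192.168.100.10"           # the Kippo/Dionaea VM
hp_ports = "{ 22, 445, 135, 3306 }"   # services the low-interaction honeypots expose

table <abusers> persist               # sources that hammer the honeypot

# Filter once, on the external side only; on a bridge(4) a packet would
# otherwise be evaluated a second time on the honeypot-facing member.
set skip on { lo $hp_if }
set loginterface $ext_if

# Data capture: default deny, and log what is denied too.
block log all

# Known abusers are dropped first (quick), still logged by the rule above.
block in log quick on $ext_if from <abusers>

# Inbound: attackers may reach the honeypot services. log (all) records
# every packet of the session, not only the first one, so pflog0 holds
# the full exchange. A single scanner may hold at most 30 states and
# open at most 20 new connections per 10 seconds before being listed.
pass in log (all) on $ext_if inet proto tcp from any to $honeypot port $hp_ports \
    keep state (max-src-conn 30, max-src-conn-rate 20/10, overload <abusers> flush)

# Data control: the honeypot never relays mail, and may open at most
# 10 new outbound TCP/UDP connections per minute and 20 states in total.
block out log quick on $ext_if proto tcp from $honeypot to any port 25
pass out log (all) on $ext_if inet proto { tcp, udp } from $honeypot to any \
    keep state (max 20, max-src-conn-rate 10/60)

# Plain echo requests for reachability checks only.
pass out on $ext_if inet proto icmp from $honeypot to any icmp-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The captured traffic can then be read with `tcpdump -n -e -ttt -r /var/log/pflog`, or watched live with `tcpdump -n -e -ttt -i pflog0`; `pfctl -t abusers -T show` lists the sources that hit the inbound limits. `log (all)` is what makes pflog a full capture rather than a list of session starts, at the cost of log volume.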
Kippo
It's important to change the common signatures hackers can see immediately after connecting to the "kippo".
The first guy who got access to my Kippo honeypot saw the most common signature (e.g. uptime 14 days) and logged off immediately afterwards. Uptime is the first thing to change, among other things found in base.py. To make it a bit more realistic I could also make a new filesystem, a clone of a real file system (after you sanitize it for personal info and... whatever :-)
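As an added example (not code from the original post, and not Kippo's own), here is how the fixed "up 14 days" line can be replaced with one computed from a fake boot time, so the uptime grows between attacker sessions and keeps the exact layout of procps uptime(1). As far as I know the fixed string lives in the command_uptime class in kippo/commands/base.py; the hook-in described in the comment at the bottom is an assumption about where to call these helpers, while the helpers themselves run stand-alone.

```python
import random
import time

# Added example, not Kippo's own code. Kippo writes a fixed
# " HH:MM:SS up 14 days,  3:53,  0 users,  load average: 0.08, 0.02, 0.01"
# line from command_uptime in kippo/commands/base.py. The functions below
# build the same procps-style line from a fake boot time instead.


def make_boot_time(now, min_days=3, max_days=90, rng=None):
    """Pick a plausible fake boot time between min_days and max_days ago.

    Call this once when the honeypot starts and keep the result, so that
    successive sessions see an uptime that only grows.
    """
    rng = rng or random
    age = rng.uniform(min_days * 86400, max_days * 86400)
    return now - age


def uptime_fields(now, boot_time):
    """Return the part after 'up' exactly as procps formats it:
    '14 days,  3:53', '1 day, 12:07', ' 3:53' or '23 min'."""
    secs = max(0, int(now - boot_time))
    days, rem = divmod(secs, 86400)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    parts = []
    if days:
        parts.append('%d day%s' % (days, '' if days == 1 else 's'))
    if hours:
        parts.append('%2d:%02d' % (hours, minutes))   # " 3:53" / "12:07"
    else:
        parts.append('%d min' % minutes)
    return ', '.join(parts)


def load_average(rng=None):
    """Three load averages for an idle box, 1 min >= 5 min >= 15 min."""
    rng = rng or random
    one = round(rng.uniform(0.0, 0.30), 2)
    five = round(rng.uniform(0.0, one), 2)
    fifteen = round(rng.uniform(0.0, five), 2)
    return one, five, fifteen


def format_uptime(now, boot_time, users=0, load=(0.08, 0.02, 0.01)):
    """Full uptime(1) line, e.g.
    ' 14:23:01 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01'."""
    clock = time.strftime('%H:%M:%S', time.localtime(now))
    return ' %s up %s,  %d user%s,  load average: %.2f, %.2f, %.2f' % (
        clock, uptime_fields(now, boot_time), users,
        '' if users == 1 else 's', load[0], load[1], load[2])


# Hooking into Kippo (assumption about the integration point): in
# kippo/commands/base.py, command_uptime.call would fetch a boot time
# stored once on the honeypot object and then do
#     self.writeln(format_uptime(time.time(), boot_time,
#                                users=1, load=load_average()))
# instead of writing the fixed string. users=1 because the attacker's
# own session counts.

if __name__ == '__main__':
    now = time.time()
    boot = make_boot_time(now, rng=random.Random(1))
    print(format_uptime(now, boot, users=1, load=load_average()))
```

Keeping the boot time in one place also keeps the other tells consistent: `last`, `/proc/uptime`, `who` and `w` in the fake filesystem should all agree with it, otherwise a second command exposes the honeypot just as the first one did.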
Dionaea
I didn't do anything after installing and starting this service. So far I've captured a few binaries, and one of those binaries is unique. I find this honeypot pretty cool, but so far I haven't had the time to check out all of its features or the complete logs. More to come regarding the logs and captured malware, hopefully.