Anyone running a Production Honeypot?

Ok this might be an odd request but I am currently doing my dissertation and looking to see if I can gather any ‘real’ production honeypot data from a live network.

I have my own honeynet running and got some data myself but to be more precise I have a research honeypot and would like some data from a real world environment.

Does anyone here have a honeynet or honeypot server at work logging unauthorised access attempts etc?
If so could I get a copy of the log files? – I understand that the IP addresses/hostnames will have to be removed as the data would be coming from a real life network.

I am not too confident in getting any data this way, but no harm in asking :)

- Will wait and see if anyone can help me out before posting my email address or msn/icq/skype.

Cheers
 
Have you got in touch with the HoneyNet project? They may be able to assist. Failing that, your university may have one or be willing to set one up on .ac.uk address space, which I'd imagine is fairly well port scanned due to the bandwidth on SuperJanet (or whatever it is now).

Best of luck.
 
Thanks for both of your replies.

morfmedia - I did send an email to the Honeynet project but as of yet had no reply.

IronFire - Yeah I might do that, but I was after more of a 'real' environment for my work. - Still I appreciate the suggestion.

Thanks again guys.
 
hehe thanks morfmedia.

I got a reply from the HoneyNet project team but they are unable to help me as it goes against one of their policies, which I can understand.
 
My company runs a live production honeypot. What information are you after as I may be able to help.
 
wasc - I am after as much info as possible... log files I guess are what I am after most but I would need to know what OS the honeypot was running on, if the honeypot was in a DMZ and if the OS was fully patched or not.

I mentioned in my first post that I am more than happy to receive log files which have had the IP addresses removed - I am guessing your work place would not be happy to release information on their network addressing.

Thanks for any help! :)
 