Distributed Honeynets Project

Staff

Albert Gonzalez
Chris Lee
Will McCammon

Links

Honeynet Project
Snort
Prelude
CERT
Samhain
The Coroner's Toolkit

Main

[20080525] - We moved our mail/web/ftp services to a xen virtual machine running on a dual amd board with over 500Gb of disk space at a university participating in the project. Our thanks for such a generous donation of time, expertise, hardware, and bandwidth. Unfortunately we lost the listserv during the move. We should have this back online for group discussions soon. Please join us on freenode for updated information on the project.

[20071224] - There's a new listserv available for facilitating discussion among project participants. Please email mailman@distributed.honeynets.org with "subscribe discussion" in the message body. We look forward to hearing from you!

[20070125] - We've added a new dimension to the honeynet with CARP. Each gateway added to the honeynet becomes a member of the carp group which allows us to share a single default route with redundant pathways to the Internet. If one gateway on the VPN fails, the next gateway in the carp group will route outbound packets. We're still working on a way to share outside ip addresses on our respective gateways. This will enable us to forward packets from multiple world-routable subnets into the honeynet while maintaining state on each firewall with respect to outside connections.

[20070124] - For those interested in enjoying the Honeynet, please e-mail participate@distributed.honeynets.org. Thanks

[20070116] - The Distributed Honeynets Project hit the news in recent days, Kelly Jackson Higgins did a piece on us at darkeading.com. There was also a blog entry regarding the "The Sting" when we chased down an attacker on IRC and engaged in conversation. You can read the article here: Fake VPN Tempts fate. You can also read the blog entry at: The Sting.

[20070112] - The honeynet has been up and running for over a week. We're using openbsd 4.0 gateways connecting a 10/24 network over a bridged ipsec virtual private network. We've got snort sensors on each gateway dumping alerts into a prelude database using a mysql server for primary storage and xml logs in idmef format as backup. All traffic is stored on the gateways in pcap format with files rotated on a daily basis. We've had at least 2 successful break-ins with analysis currently underway.

[20060220] - The #honeynets channel log is now available from the main menu. It includes chat logs to a mysql database inserted by honeybot from 20050212 forward. You may search by date using the popup calendar or menu. The search feature has been tested to work with firefox-1.0.7 and lynx-2.8.5, a text-based web browser.

[20060214] - We recently joined a logging bot named "honeybot" to the #honeynets channel on freenode.net. All conversations on the channel are logged to a mysql database. We're currently working on integrating the irc logs into the website so that other people can review our conversations online. Eventually, we will include a search feature for the log. Only dates, nicks, and public messages will be posted to the website. Originating IP addresses and usernames from users that converse on the channel are logged for internal research purposes only and will not be published. Private messages are not logged.

[20060211] - The Distributed Honeynets Project has been active for quite sometime now. However, we recently decide to launch an official project website in order to publicise our efforts and encourage others to join. Please read the introduction to better familiarize yourself with our purpose and mission. Feel free to chat with us on irc or send an email.