
Honeypots Made Easy: Mercury


Crushdepth


Mercury is a modified Ubuntu 10.04 image that comes with several honeypot tools pre-configured. It includes HoneyD and Dionaea, amongst others. I've found some tools really painful to set up; this is quite a convenient way to experiment with the different options. Just the thing for VirtualBox :)

  • 1 month later...

I have them running in a virtual machine on my desktop, which has a bridged network adapter so it appears as an independent machine on the LAN. The idea is to use it to help detect malware infections on the network. If anything tries to connect to the honeypot and copies junk onto it then I know we have a problem and can identify the infected machine and/or troublemaker responsible.

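The triage described in the post above, as an added example that is not part of the original thread and is not code from Mercury, HoneyD or Dionaea: it groups honeypot contacts by source address and ranks hosts that copied something onto the honeypot above hosts that only connected. The log format, the LAN range and the allowlisted scanner address are assumptions, and the events are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not real honeypot output). Assumed format:
# "<ISO timestamp> <source IP> <destination port> <action>", where action is
# "connect" or "upload" (something was copied onto the honeypot).
SAMPLE_EVENTS = """\
2011-03-02T09:14:07 192.168.1.23 445 connect
2011-03-02T09:14:09 192.168.1.23 445 upload
2011-03-02T11:40:51 192.168.1.50 22 connect
2011-03-02T12:02:13 192.168.1.10 80 connect
2011-03-02T12:05:30 192.168.1.23 135 connect
truncated entry
"""

LAN = ipaddress.ip_network("192.168.1.0/24")       # assumed LAN range
EXPECTED = {ipaddress.ip_address("192.168.1.10")}  # assumed authorised scanner


def triage(log_text, lan=LAN, expected=EXPECTED):
    """Group honeypot contacts by source and rank them for follow-up."""
    hosts = defaultdict(lambda: {"ports": set(), "uploads": 0, "first": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the triage
        ts, src, port, action = parts
        try:
            ip, port = ipaddress.ip_address(src), int(port)
        except ValueError:
            continue
        if ip in expected:
            continue  # known scanner or monitoring host, not a finding
        h = hosts[ip]
        h["ports"].add(port)
        if action == "upload":
            h["uploads"] += 1
        # ISO timestamps sort lexicographically, so min() gives the earliest
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
    findings = []
    for ip, h in hosts.items():
        # An upload means a payload landed; a bare connection may be a probe
        findings.append({"source": str(ip), "internal": ip in lan,
                         "severity": "high" if h["uploads"] else "medium",
                         "ports": sorted(h["ports"]), "first_seen": h["first"]})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["source"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```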

I apologize for the short and rude comments; I should stay away from posting when I'm drunk. I understand your situation, but unless that desktop stays running all the time the honeypot will not catch as many flies. Also, you run the (theoretical) risk of an exploit that leaves the virtual machine and infects the host, or of an attacker just exploiting VirtualBox itself (not theoretical), e.g. http://www.juniper.n.../vuln34080.html, so if you do run a virtual machine I suggest VirtualBox OSE, and always keep it updated.


No problem, I've done that before :-)

I do leave my home/work PCs running constantly (Windows), and both have Linux virtual machines running in VirtualBox constantly as well. The honeypot VM is not used for anything else; I do my actual work in a separate VM to keep it quarantined. I agree it would be better to have the honeypot on a separate physical machine, but work is not very generous with hardware and it's only exposed to our internal network.
