The Intelligent HoneyNet

Purpose

This repository includes a shell script that will install both a honeypot server and any number of honeypots that will communicate with the server. In addition, there are several Python scripts that automatically process log files generated by various honeypots, adding the information to an Elasticsearch instance and to a Flask page.

Kibana can be configured to show dashboards for all the attack attempts, including a 'threat map', which management loves.

The Flask site, which I'm calling 'Intel', displays useful information, such as:

The honeynet server scripts currently use OpenDNS Investigate and VirusTotal to grab information about the IPs connecting in and the domains and IPs contacted by attackers who think they're exploiting a system.

Current Honeypots

Requirements:

* The server should work on any version of Linux.
* The client should be installed on Ubuntu Server 12.04 (Dionaea only seems to work on this version).

Once installed, you need to add a VirusTotal API key to /opt/analysis/virustotal_api_key.txt and an Investigate API key to /opt/analysis/investigate_api_key.txt.
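One way to confirm both key files are in place before the analysis scripts run (an added example, not part of this repository). The function names are hypothetical, and the rules it enforces are assumptions: each key is a single line with no whitespace, and the file is readable only by its owner, which is also the user the scripts run as.

```shell
#!/bin/sh
# Added example, not from the repository. Paths come from the README;
# the function names and the validity rules are assumptions.

# check_key_file PATH
# Returns 0 ok, 1 missing, 2 empty, 3 group/other can access, 4 malformed.
check_key_file() {
    f=$1
    [ -f "$f" ] || return 1
    [ -s "$f" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || return 3
    # Assumed rule: one line, no spaces, tabs or stray carriage returns.
    if grep -q '[[:space:]]' "$f"; then return 4; fi
    [ "$(grep -c '' "$f")" -eq 1 ] || return 4
    return 0
}

# check_honeynet_keys [DIR]
# Prints one status line per key file; returns the number of bad files.
check_honeynet_keys() {
    dir=${1:-/opt/analysis}
    bad=0
    for name in virustotal_api_key.txt investigate_api_key.txt; do
        rc=0
        check_key_file "$dir/$name" || rc=$?
        case $rc in
            0) echo "ok        $dir/$name" ;;
            1) echo "missing   $dir/$name" ;;
            2) echo "empty     $dir/$name" ;;
            3) echo "too open  $dir/$name (try: chmod 600)" ;;
            4) echo "malformed $dir/$name (extra whitespace or lines)" ;;
        esac
        [ "$rc" -eq 0 ] || bad=$((bad + 1))
    done
    return "$bad"
}
```

Call `check_honeynet_keys` after adding the keys; a non-zero exit status is the number of files that need attention.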

How to run

Clone this on a (preferably) Ubuntu 12.04 server (though I've found it doesn't matter for the server portion), then cd to the IntelligentHoneyNet directory. Run 'sudo sh honeynet_setup.sh'. Answer a question or two at the beginning, then go do something else for about 5 minutes. When it's done, follow the brief instructions displayed on your screen for details on installing the honeypot clients.

There are a few hiccups that I'm working on at the moment:


Upcoming and in progress: