Honeypots

  • Conpot: an ICS honeypot whose goal is to collect intelligence about the motives and methods of adversaries targeting industrial control systems.

  • Wordpot: a WordPress honeypot that detects probes for plugins, themes, timthumb and other common files used to fingerprint a WordPress installation.

  • Shockpot: a web application honeypot designed to find attackers attempting to exploit the Bash remote code execution vulnerability, CVE-2014-6271.

  • p0f: a tool that uses an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way.

  • Suricata: capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.

  • Glastopf: a Python web application honeypot that collects information about web application attacks such as remote file inclusion, SQL injection and local file inclusion.

  • ElasticHoney: a simple Elasticsearch honeypot designed to catch attackers exploiting RCE vulnerabilities in Elasticsearch.

  • Amun: the first Python-based low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.

  • Snort: an open source intrusion prevention system capable of real-time traffic analysis and packet logging.

  • Cowrie: a medium-interaction SSH and Telnet honeypot designed to log brute-force attacks and the shell interaction performed by the attacker.

  • Dionaea: intended as a Nepenthes successor, embedding Python as its scripting language, using libemu to detect shellcode, and supporting IPv6 and TLS.

Basic Snort admin

Run Snort
sudo snort

Run Snort with preprocessors configured
sudo snort -v -c /etc/snort/snort.conf

Location of snort.conf file
/etc/snort/snort.conf

Location of alert log file
/var/log/snort/alert

Location of snort log file
/var/log/snort/snort.log

Check Snort version
sudo snort -V

Edit local rules
sudo nano /etc/snort/rules/local.rules

Understanding the Snort alert log

Snort is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats.

Below is an example event from the Snort alert file (/var/log/snort/alert):

[**] [1:2403478:40303] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90 [**]
[Classification: Misc Attack] [Priority: 2]
05/06-22:28:32.932399 XX.XX.XX.XX:xx -> XX.XX.XX.XX:xx
TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]

The alert log entry can be broken down as follows:

[**] [1:2403478:40303]
The detection mechanism (generator ID), the Signature ID (SID) and the signature revision. The SID is the middle number and identifies the signature; the revision is the minor release version of that signature.

If the SID is less than 1000000, this is a Sourcefire signature (https://www.snort.org/rule_docs). If the SID is between 1000000 and 2000000, this is a Snort community rule. If the SID is between 2000000 and 3000000, this is an Emerging Threats signature (https://emergingthreats.net). Lastly, if the SID falls in any other range, it is a custom signature.

ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90
This is the signature message. In this case the rule is an Emerging Threats (ET) signature built from the CINS Active Threat Intelligence (Sentinel IPS) feed, and it has fired on a bad IP classification based on poor IP reputation (widely reported and blocked IPs).

[Classification: Misc Attack] [Priority: 2]
The classification of the signature; in this case the signature is classed as a miscellaneous attack with a priority of 2. Snort priorities range from 0 (lowest priority) up to 10 (highest priority).

05/06-22:28:32.932399 XX.XX.XX.XX:xx -> XX.XX.XX.XX:xx
The month/day and timestamp of the signature event, followed by the source IP address and port number, then the destination IP address and port number. In the example, XX.XX.XX.XX stands for the IP address and :xx for the port number.

TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
The IP header for the signature event. Displays the protocol, the Time-to-Live (TTL), Type of Service (TOS), IP identification field (ID), the IP header length (IpLen) and the datagram length, inclusive of headers and payload (DgmLen).

******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
The header flags (S for SYN), the sequence number (Seq), the acknowledgement number (Ack), the window size (Win) and the TCP header length (TcpLen).

[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]
The signature reference for further information.
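To make the field breakdown above concrete, here is a parser for the full-format alert file, written for this page as an added example (it is not part of Snort and not code from the original page). It reads every event in the file, splits the header into generator ID, SID and revision, decodes the flag column of the TCP line, keeps the Xref URLs, and tallies events by source address and by signature, which is the first thing an analyst wants from an alert file. The sample alert text embedded in it is constructed: the event shown above with RFC 5737 documentation addresses in place of the masked IP:port pairs, plus a second event carrying a custom SID and no Xref line.

```python
"""Parse Snort full-format alert entries (the layout explained above)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Counter as CounterT, List, Optional, Tuple

# Constructed sample alert file: the event from the page (masked addresses
# replaced with documentation addresses) plus a second, custom-SID event.
SAMPLE_ALERT_FILE = """\
[**] [1:2403478:40303] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90 [**]
[Classification: Misc Attack] [Priority: 2]
05/06-22:28:32.932399 198.51.100.23:41234 -> 192.0.2.10:22
TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]

[**] [1:3000001:1] LOCAL constructed test signature [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/06-22:29:01.000001 198.51.100.23:41235 -> 192.0.2.10:80
TCP TTL:238 TOS:0x0 ID:43491 IpLen:20 DgmLen:60
***A**S* Seq: 0x0 Ack: 0x1 Win: 0x400 TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
# Ports are optional so ICMP events (no port) parse as well.
PACKET_RE = re.compile(
    r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) ([^\s:]+)(?::(\d+))? -> ([^\s:]+)(?::(\d+))?$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(
    r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) Win: (0x[0-9A-Fa-f]+) TcpLen: (\d+)")
XREF_RE = re.compile(r"\[Xref => (.*?)\]")

# The eight flag columns are, in order: reserved bits 1 and 2, URG, ACK, PSH, RST, SYN, FIN.
TCP_FLAG_NAMES = {"1": "RES1", "2": "RES2", "U": "URG", "A": "ACK",
                  "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    message: str
    classification: Optional[str] = None
    priority: Optional[int] = None
    timestamp: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    ttl: Optional[int] = None
    tcp_flags: List[str] = field(default_factory=list)
    xrefs: List[str] = field(default_factory=list)


def parse_alert_block(block: str) -> SnortAlert:
    """Parse one blank-line-delimited event; the header line is mandatory, the rest optional."""
    lines = [ln.rstrip() for ln in block.strip().splitlines()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a Snort alert header: %r" % lines[0])
    alert = SnortAlert(gid=int(m.group(1)), sid=int(m.group(2)),
                       rev=int(m.group(3)), message=m.group(4))
    for line in lines[1:]:
        if (m := CLASS_RE.match(line)):
            alert.classification, alert.priority = m.group(1), int(m.group(2))
        elif (m := PACKET_RE.match(line)):
            alert.timestamp = f"{m.group(1)} {m.group(2)}"
            alert.src_ip, alert.dst_ip = m.group(3), m.group(5)
            alert.src_port = int(m.group(4)) if m.group(4) else None
            alert.dst_port = int(m.group(6)) if m.group(6) else None
        elif (m := IP_RE.match(line)):
            alert.protocol, alert.ttl = m.group(1), int(m.group(2))
        elif (m := TCP_RE.match(line)):
            alert.tcp_flags = [TCP_FLAG_NAMES[c] for c in m.group(1) if c != "*"]
        elif line.startswith("[Xref"):
            alert.xrefs.extend(XREF_RE.findall(line))
    return alert


def parse_alerts(text: str) -> List[SnortAlert]:
    """Split an alert file on blank lines and parse every event."""
    return [parse_alert_block(b) for b in re.split(r"\n[ \t]*\n", text.strip()) if b.strip()]


def count_by_source(alerts: List[SnortAlert]) -> CounterT[str]:
    return Counter(a.src_ip for a in alerts if a.src_ip)


def count_by_signature(alerts: List[SnortAlert]) -> CounterT[Tuple[int, int]]:
    return Counter((a.gid, a.sid) for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERT_FILE)
    for a in parsed:
        print(f"{a.timestamp} [{a.gid}:{a.sid}:{a.rev}] {a.src_ip}:{a.src_port} -> "
              f"{a.dst_ip}:{a.dst_port} flags={'+'.join(a.tcp_flags)} prio={a.priority} {a.message}")
    print("by source:", dict(count_by_source(parsed)))
```

Run it against the real file with `parse_alerts(open("/var/log/snort/alert").read())`. Each regex matches one line type independently, so events that lack a Classification line, carry no Xref, or describe ICMP packets (no port numbers) still parse, and a line that matches nothing is simply skipped rather than aborting the whole file.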