Honeypots as sticky as ever

Honeypots make for a great early warning system

People who know me know what a honeypot proponent I am. I run several around the world, collecting information on malware and malicious hackers, and I think every company should have one.

Companies should have a honeypot, not to learn hacker and malware tricks, but as an early warning system. All computer security defences will ultimately fail. And if they fail and a bad thing gets by your defenses, what's the next best thing? Early warning.

Take a box you're getting ready to throw away, and make it a honeypot. Stick it somewhere in your environment where it's likely to get noticed by an intruder, and tell it to page your incident response team (or you) if anything unexpected tries to connect to it. It's a fake computer asset, and nothing (once you've fine-tuned the false positives out) should ever connect to it. When something does, it's more than likely malicious. I've caught many hackers this way, identified bots that no other defenses found, and even participated in the capture of a Russian hacker. Honeypots work. They are high value and low noise. I've always been perplexed about why they haven't had stronger adoption and use in the computer security community.

Perhaps part of the problem is that the honeypot development world can be quite frozen at times. Months and months go by without any significant updates, but this month has seen a cornucopia of new developments and updates. Here are some of my favorites:

New honeypot book

Niels Provos (creator of Honeyd and senior staff engineer at Google) and Thorsten Holz have written an excellent honeypot book in " Virtual Honeypots: From Botnet Tracking to Intrusion Detection ."

As a seasoned honeypot and honeyclient professional (and honeypot book author), I had high hopes for this book -- and it delivers. Niels and Thorsten provide a solid reference to beginners and more experienced honeypot users alike. The book covers how to install and use (step by step) dozens of honeypot products.

The list of what they cover is far too long to report here, but let's say they get to 95 percent of what any honeypot enthusiast would want to read about. My favorite subjects in the book are user-mode Linux, Honeyd, Honeywall, honeyclients, collecting malware with honeypots, tracking botnets, and analyzing malware.

The only downsides I could even come up with is that the book deals with a lot of Unix/Linux-only products, just like the honeypot software world, which might be a put-off for Windows-only readers. And it didn't cover Kfsensor, my favorite Windows honeypot product. Other than that, it is an excellent, excellent book that I would recommend to any honeypot enthusiast. In the end, what I really liked about this book is its coverage of a wide range of products and its practical application to capturing and analyzing malware. It's a great addition to the books on honeypots already written by Lance Spitzner and myself.

Updated Honeyd for Windows

Honeyd, originally a Unix/Linux-only product by Niels Provos, is one of the best virtual honeypot software programs in existence. It is very flexible and useful. Michael Davis did the original Honeyd port to Windows (thank you very much, Michael), but that version didn't keep up as Windows XP and later came out. Changes in Microsoft Windows and a few other notorious bugs made it hard for me to ever recommend using Honeyd for Windows over the last year or so.

Instead, I'd suggest that people use the Unix/Linux version of Honeyd, but that meant learning new skills if you were a Windows-only person. Or they could use Kfsensor.

Jesper Jurcenoks, co-founder of netVigilance, has released an updated version of Honeyd for Windows. You can get it at the netVigilance Web site. Jesper and his company took the time to do a complete rewrite and free update of Honeyd for Windows. He even corrected one bug that remains in the Linux/Unix version to make sure it didn't get replicated to the Windows version, and netVigilance offers a US$99 GUI configurator, which can save you hours of configuring and troubleshooting. Thanks to Jesper and netVigilance (and Michael Davis for his earlier contributions) for allowing us Windows security types to play with Niels' excellent honeypot software.


CaptureBAT is a neat, free tool for Win32 honeypots that analyzes file, registry, and process information. It's an excellent addition to Sebek in that it provides far more information. It works on all Win32 systems, including Vista, and comes with the ability to exclude predefined types of activity (which is a must when you're doing real-time file and registry analysis).


Capture-HPC is a high-interaction honeyclient. The New Zealand Honeypot Project, which produced Capture-HPC, also wrote an excellent white paper on using Capture-HPC to identify malicious Web servers. The group includes the paper, data, and tools for anyone to replicate, and it inspected more than 300,000 URLs (nearly 149,000 hosts) found on 194 malicious servers. It's an interesting read.

If you haven't investigated the honeypot world in a while, this is the time to come back and get involved.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Roger A. Grimes

Roger A. Grimes

Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?