Honeypots as sticky as ever

Honeypots make for a great early warning system

People who know me know what a honeypot proponent I am. I run several around the world, collecting information on malware and malicious hackers, and I think every company should have one.

Companies should have a honeypot, not to learn hacker and malware tricks, but as an early warning system. All computer security defences will ultimately fail. And if they fail and a bad thing gets by your defenses, what's the next best thing? Early warning.

Take a box you're getting ready to throw away, and make it a honeypot. Stick it somewhere in your environment where it's likely to get noticed by an intruder, and tell it to page your incident response team (or you) if anything unexpected tries to connect to it. It's a fake computer asset, and nothing (once you've fine-tuned the false positives out) should ever connect to it. When something does, it's more than likely malicious. I've caught many hackers this way, identified bots that no other defenses found, and even participated in the capture of a Russian hacker. Honeypots work. They are high value and low noise. I've always been perplexed about why they haven't had stronger adoption and use in the computer security community.

Perhaps part of the problem is that the honeypot development world can be quite frozen at times. Months and months go by without any significant updates, but this month has seen a cornucopia of new developments and updates. Here are some of my favorites:

New honeypot book

Niels Provos (creator of Honeyd and senior staff engineer at Google) and Thorsten Holz have written an excellent honeypot book in " Virtual Honeypots: From Botnet Tracking to Intrusion Detection ."

As a seasoned honeypot and honeyclient professional (and honeypot book author), I had high hopes for this book -- and it delivers. Niels and Thorsten provide a solid reference to beginners and more experienced honeypot users alike. The book covers how to install and use (step by step) dozens of honeypot products.

The list of what they cover is far too long to report here, but let's say they get to 95 percent of what any honeypot enthusiast would want to read about. My favorite subjects in the book are user-mode Linux, Honeyd, Honeywall, honeyclients, collecting malware with honeypots, tracking botnets, and analyzing malware.

The only downsides I could even come up with is that the book deals with a lot of Unix/Linux-only products, just like the honeypot software world, which might be a put-off for Windows-only readers. And it didn't cover Kfsensor, my favorite Windows honeypot product. Other than that, it is an excellent, excellent book that I would recommend to any honeypot enthusiast. In the end, what I really liked about this book is its coverage of a wide range of products and its practical application to capturing and analyzing malware. It's a great addition to the books on honeypots already written by Lance Spitzner and myself.

Updated Honeyd for Windows

Honeyd, originally a Unix/Linux-only product by Niels Provos, is one of the best virtual honeypot software programs in existence. It is very flexible and useful. Michael Davis did the original Honeyd port to Windows (thank you very much, Michael), but that version didn't keep up as Windows XP and later came out. Changes in Microsoft Windows and a few other notorious bugs made it hard for me to ever recommend using Honeyd for Windows over the last year or so.

Instead, I'd suggest that people use the Unix/Linux version of Honeyd, but that meant learning new skills if you were a Windows-only person. Or they could use Kfsensor.

Jesper Jurcenoks, co-founder of netVigilance, has released an updated version of Honeyd for Windows. You can get it at the netVigilance Web site. Jesper and his company took the time to do a complete rewrite and free update of Honeyd for Windows. He even corrected one bug that remains in the Linux/Unix version to make sure it didn't get replicated to the Windows version, and netVigilance offers a US$99 GUI configurator, which can save you hours of configuring and troubleshooting. Thanks to Jesper and netVigilance (and Michael Davis for his earlier contributions) for allowing us Windows security types to play with Niels' excellent honeypot software.


CaptureBAT is a neat, free tool for Win32 honeypots that analyzes file, registry, and process information. It's an excellent addition to Sebek in that it provides far more information. It works on all Win32 systems, including Vista, and comes with the ability to exclude predefined types of activity (which is a must when you're doing real-time file and registry analysis).


Capture-HPC is a high-interaction honeyclient. The New Zealand Honeypot Project, which produced Capture-HPC, also wrote an excellent white paper on using Capture-HPC to identify malicious Web servers. The group includes the paper, data, and tools for anyone to replicate, and it inspected more than 300,000 URLs (nearly 149,000 hosts) found on 194 malicious servers. It's an interesting read.

If you haven't investigated the honeypot world in a while, this is the time to come back and get involved.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Roger A. Grimes

Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?