Scan of the Month

Scan 30

This month's challenge is different. Traditional SotM challenges have been about analyzing specific attacks against specific honeypots. This time we are going to take a step back and look at the bigger picture. Your job is to analyze a months worth of connection activity to and from a honeynet by analyzing the firewall logs. This is where analysis of any honeynet most often begins. All entries are due Friday, 26 March. Results will be released Friday, 2 April. Find the rules and suggestions for submissions at the SotM Home Page.

Skill Level: Intermediate

The Challenge:
We provided some questions below to focus your analysis process. It is expected that the best entries will go above and beyond the questions and provide more insight on what really was going on. Also, for some of the questions there is no single "correct" answer". Even having access to full packet logs, we might not now what really took place. Thus, a good compelling argument backed by creative research methodology may count just as highly as a true answer! And earn a prize! Top 3 entries will receive a signed copy of the book Security Warrior. As a reference we provide the following key to data:

a. Honeynet IPs sanitized to: 11.11.11.*
b. Our DNS server IPs sanitized to: 22.22.22.* and 23.23.23.*

Download the Images
917c8b531c9be390c6b2aebe27174e03 honeynet-Feb1_FebXX.log.gz
8c0070ef51f6f764fde0551fa60da11b honeynet-Feb1_FebXX.log


  1. What are the high-level trends in connectivity to/from the honeynet? What was growing/decreasing? How does that match global statistics from DShield and other sources?
  2. What possible evidence of malware is there? what types? what are the malware trends you can observe?
  3. What types of reconnaissance activity you notice? What do you think they were looking for? What are some of the notorious sources of such activity in the files?
  4. What are the different scan patterns (sequential, etc) you can notice? Do you think all come from different attack tools? Any long term ("low and slow") scanning activity?
  5. What other common internet noise types do you see?
  6. Any unidentified/anomalous traffic observed? Please suggest hypothesis for why it is there and what it indicates.
  7. Was the honeypot compromised during the observed time period? How do you know?
  8. If you'd obtain such firewall logs from a production system, what source IPs or groups of such IPs you'd focus on as a highest threat?
  9. What honeypot systems were attacked the most? What ports were open on each of them? Why do you think a machines with close IP addresses were attacked differently?

Bonus Question:

  • Provide some high-level metrics about the data (such as most frequently targeted ports, etc) and make some conclusions based on them.

The Results:
This months challenge image and questions are lead by Anton Chuvakin. You can find Anton's Writeup here.

Writeup from the Security Community

Top 3

Next 03

Back to Top