We provided some questions below to focus your analysis process. It is
expected that the best entries will go above and beyond the questions
and provide more insight on what really was going on. Also, for some
of the questions there is no single "correct" answer". Even having
access to full packet logs, we might not now what really took
place. Thus, a good compelling argument backed by creative research
methodology may count just as highly as a true answer! And earn a prize!
Top 3 entries will receive a signed copy of the book
As a reference we provide the following key to data:
a. Honeynet IPs sanitized to: 11.11.11.*
b. Our DNS server IPs sanitized to: 22.22.22.* and 23.23.23.*
Download the Images
- What are the high-level trends in connectivity to/from the honeynet?
What was growing/decreasing? How does that match global statistics from
DShield and other sources?
- What possible evidence of malware is there? what types? what are the
malware trends you can observe?
- What types of reconnaissance activity you notice? What do you think
they were looking for? What are some of the notorious sources of such
activity in the files?
- What are the different scan patterns (sequential, etc) you can notice?
Do you think all come from different attack tools? Any long term ("low and
slow") scanning activity?
- What other common internet noise types do you see?
- Any unidentified/anomalous traffic observed? Please suggest hypothesis
for why it is there and what it indicates.
- Was the honeypot compromised during the observed time period? How do you
- If you'd obtain such firewall logs from a production system, what source
IPs or groups of such IPs you'd focus on as a highest threat?
- What honeypot systems were attacked the most? What ports were open on
each of them? Why do you think a machines with close IP addresses were
- Provide some high-level metrics about the data (such as most frequently
targeted ports, etc) and make some conclusions based on them.
This months challenge image and questions are lead by Anton Chuvakin. You
can find Anton's Writeup here.
Writeup from the Security Community