Recently Viewed: Home
Scan N30:
This month's challenge is different. Traditional SotM challenges have been about analyzing specific attacks against specific honeypots. This time we are going to take a step back and look at the bigger picture. Your job is to analyze a months worth of connection activity to and from a honeynet by analyzing the firewall logs. This is where analysis of any honeynet most often begins. All entries are due Friday, 26 March . Results will be released Friday, 2 April

The Challenge:
We provided some questions below to focus your analysis process. It is expected that the best entries will go above and beyond the questions and provide more insight on what really was going on. Also, for some of the questions there is no single "correct" answer". Even having access to full packet logs, we might not now what really took place. Thus, a good compelling argument backed by creative research methodology may count just as highly as a true answer! [...]

As a reference we provide the following key to data:
a. Honeynet IPs sanitized to: 11.11.11.*
b. Our DNS server IPs sanitized to: 22.22.22.* and 23.23.23.*

Our Response
We tried to make this SotM just as funny as it was for us to solve.
To do this, we worked as a small team, with collaborative methodologies and custom developing.
We sincerely hope the reader is not going to be offended as we lack a certain preciseness and pragmatism now and then. But we deliver creativity more than a formal report like many others. This reading is going to be fresh, young, entertaining, irritating, chaotic at times, embarassing (for us and the silly ideas we threw in sometimes), enlightening (?) and, we hope, not that far from a truthful report of the events recorded in the logfile provided.
If you are interest in out methods, read on at the page ToolsUsed

What follows are instead the question of the SotM, linked to our answers.
(That is: what you were looking for while I was ranting, right ?)
Each page will be linked to other specific info, and linked back to the overviews, and linked again and again so you can take different paths or... routes. We realised afterwards (19th March as I'm writing this note) that we had indeed already written a great amont of webpages dense with reasoning, solutions, discoveries.
We present to you quite a big site wiht many pages as report of this research/analysis.
You will find explaination, but also dialogues, chat logs and our mailing and reasoning together about the SotM. You'll follow our mind paths.
In this web of information, we tried to comfort the reader placing navigation menus and relevant links on many pages (we hope most). When lost, though, the 'BACK' button is your friend ;-)

Before doing the SotM though, we did check the md5 checksums of the downloaded files.
$ md5sum honeynet-Feb1_FebXX.log
8c0070ef51f6f764fde0551fa60da11b honeynet-Feb1_FebXX.log

Questions And Answers

Question1 - What are the high-level trends in connectivity to/from the honeynet? What was growing/decreasing? How does that match global statistics from DShield and other sources?

Question2 - What possible evidence of malware is there? what types? what are the malware trends you can observe?

Question3 - What types of reconnaissance activity you notice? What do you think they were looking for? What are some of the notorious sources of such activity in the files?

Question4 - What are the different scan patterns (sequential, etc) you can notice? Do you think all come from different attack tools? Any long term ("low and slow") scanning activity?

Question5 - What other common internet noise types do you see?

Question6 - Any unidentified/anomalous traffic observed? Please suggest hypothesis for why it is there and what it indicates.

Question7 - Was the honeypot compromised during the observed time period? How do you know?

Question8 - If you'd obtain such firewall logs from a production system, what source IPs or groups of such IPs you'd focus on as a highest threat?

Question9 - What honeypot systems were attacked the most? What ports were open on each of them? Why do you think a machines with close IP addresses were attacked differently?

BonusQuestion - Provide some high-level metrics about the data (such as most frequently targeted ports, etc) and make some conclusions based on them.

Appendix A
Honeynet layout and configuration (as we could imagine/derive it, at least) - LayoutHoney
ToolsUsed and Methods
ThePeople who worked at this SotM Challenge