spacer [an error occurred while processing this directive]
About the Project
Research Alliance
Our Book

Scan of the Month

Scan 34

This Challenge led by netForensics Honeynet team lead Anton Chuvakin is related to analyzing various log files from a honeynet in order to determine whether it was compromised, if so how, as well as to identify various trends in the honeynet activity. All entries are due Monday May 9. Results will be released Monday May 23. Find the rules and suggestions for submissions at the SotM Home Page.

NOTE: On 12 April, two minor corrections were made. First is we updated the docs to reflect the sanitization address is 11.11.*.*. Second, we appended a statement to question #3.

Skill Level: Intermediate

The Challenge:
We provided some questions below to focus your analysis process. It is expected that the best entries will go above and beyond the questions and provide more insight on what really was going on. As usual, a good compelling argument backed by creative research methodology may count just as highly as a true answer. You can also earn a prize for your analysis! The top entry will receive a signed copy of the book Security Warrior by Anton Chuvakin. As a reference we provide the following key to data:

a. Honeynet IPs sanitized to: 11.11.*.*
b. Our DNS server IPs sanitized to: 22.22.22.* and 23.23.23.*
c. Some other sensitive IPs are sanitized to: 10.22.*.*

Download the Images
b23755326714e39cac91ca881f1ca668 SotM34-anton.tar.gz [MD5]
5e006e9503801dde2d57e44281d784c516601c35 SotM34-anton.tar.gz [SHA1]

The evidence includes:

  • Apache logs
  • Linux syslogs
  • Snort NIDS logs
  • iptables firewall logs


  1. What are the significant events that happened on the honeypot in the time period covered by the logs? Show how you analyzed the data to paint the picture of those events.
  2. Was the system compromised? How do you know? If yes, how many times and by how many attackers? What would you consider the most compelling evidence of the compromise available if you find that the system was indeed compromised?
  3. If this were the evidence from a production system, how would you learn that the machine was compromised, given the data available? For this question, assume you do not have the honeynet-specific data streams, such as sebek2 or bash logger, just like in this challenge.
  4. What else was going on at the system at the same time? What times of "Internet noise" can you categorize, given the data? Is there anything out of the ordinary with the noise levels? What attack and probe types observed actually had a chance of affecting the target?
  5. Do you think that the time was synchronized between the various monitoring systems (where Snort and iptables logs were collected) and a victim system(where syslog and Apache logs were collected)?

Bonus Question:

  • Describe the procedures and tools of that you used to analyzed all the distinct log sources together.

The Results:
Anton Chuvakin has provided an official writeup here.

Writeup from the Security Community

Top 3

Back to Top