The New Zealand HoneyNet Project

honey project
creative commons
RSS Feed 2.0

Capture is a high interaction client honeypot. A client honeypot is a security technology that allows one to find malicious servers on a network. Capture identifies malicious servers by interacting with potentially malicious servers using a dedicated virtual machine and observing its system state changes. If an system state change is detected, since no other activity occurs on the dedicated client machine, the server Capture interacted with is classified as malicious.

High level overview of Capture

•  Capture Server/Capture Client architecture allows one to control numerous Capture clients on the localhost as well as remote hosts.

•  Ability to monitor the file system, registry, process of a system on a kernel level.

•  Capability of automatically controlling web browsers to visit a website. Once a malicious web site has been identified, Capture is able to reset the virtual machine to a clean state to allow for interaction with additional servers using that virtual machine.

•  Centralized logs keeps track of which links have not been visited and which have, server classifications and state changes incurred by visiting malicious servers.

Capture takes time and resources to install and configure correctly. We have created two web services, called SCOUT and PATROL, that allows you to submit URLs to our installation of Capture. SCOUT allows end users to submit suspicious URLs to the client honeypot and receive an immediate assessment on whether the URL is malicious or benign. PATROL, on the other hand, is a web service designed for web masters. It allows them to submit their URLs for periodic monitoring by our client honeypot.