HoneyC FAQ
How do client honeypots differ from traditional honeypots?
Traditional honeypots passively wait to be probed, attacked, and compromised. These honeypots allow to capture active attacks, such as worms. Client honeypots turn around this situation. Instead of passively awaiting to be attacked, client honeypots actively crawl the web to search for servers that exploit the client as part of the server response.
What other open-source client honeypots exist?
Honeyclient at :
http://www.honeyclient.org/trac
and Capture at :
http://capture-hpc.sf.net
How does HoneyC differ from Honeyclient?
Honeyclient does crawl the web with a real browser (Internet Explorer) and performs the analysis for exploit based on the state of the OS. As such, it is classified as a high interaction client honeypot. HoneyC, on the other hand, uses emulated clients (e.g. wget to emulate Internet Explorer) and uses an analysis engine that might make use of an algorithm other than OS state inspection (e.g. signature matching). As such, HoneyC is classified as a low interaction client honeypot.
Further, HoneyC is a low interaction client honeypot framework, which allows to plug in different visitor clients, queuer and analysis engine algorithms.
What is the Visitor component?
The Visitor is the component responsible to interact with the server. The visitor usually makes a request to the server, consumes and processes the response. With version 1.0.0, HoneyC contains a web browser visitor component that allows to visits web servers.
What is the Queuer component?
The Queuer is the component responsible to create a queue of servers for the visitor to interact with. The queuer can employ several algorithm to create the queue of servers, such as crawling, scanning, utilizing search engines, etc. With version 1.0.0, HoneyC contains a Yahoo search queuer that creates a list of servers by querying the Yahoo Search API. A simple list queuer was added in version 1.1.2, that allows to statically set a list of server request to be put into the queue.
What is the Analysis Engine?
The Analysis Engine is the component responsible to evaluate whether security policy have been violated after the Visitor interacted with the server. This can be done by inspecting the state of the environment, analyze the response based on signatures or heuristics, etc. With version 1.0.0, HoneyC contains a simple analysis engine that generates snort fast alerts based on snort signature matching against web server responses.
Where can I obtain more information about the Snort signatures that are distributed with HoneyC?
We are making an effort to provide you with a reference as part of the Snort signature that contains additional information about the signature. However, at times we create our own signatures for which information can be obtained from here: HoneyC Snort Signature References.
How can you identify Snort signatures especially created for HoneyC?
The HoneyC Snort Signatures start with sid: 3400000.
When was the HoneyC project incepted?
July 2006
This work is licensed under a Creative Commons License