So you want to build your own honeypot.
Located here are links that will take you to honeypot solutions, or utilities that allow you to build your own honeypots. This is where the real fun begins.
PatriotBox. A commercial, easy-to-use low-interaction honeypot designed for Windows.
KFSensor. A powerful and easy to use low-interaction Windows honeypot, designed primarily for detection. Extensive capabilities, including NetBIOS simulation and interoperability with Honeyd scripts. Free evaluation copies.
NetBait: A very novel and powerful commercial solution. NetBait can be a product or service. Either way, it operates by redirecting attacks against unused IP space to ‘honeypot farms’.
ManTrap: Now called Decoy Server, ManTrap is a high-interaction honeypot sold by Symantec. ManTrap is unique in that it provides complete operating systems for attackers to interact with, capturing their every action. ManTrap has outstanding data collection capabilities. Currently only runs on Solaris.
Specter: Specter is a low-interaction honeypot designed to run on Windows. It can emulate 13 different operating systems, monitor up to 14 TCP ports, and has a variety of configuration and notification features. One of Specter’s greatest strengths is its ease of use.
OpenSource / Free Honeypots
Bubblegum Proxypot. An open proxy honeypot for deceiving and detecting spammers.
Jackpot. An open relay honeypot, also aimed at spammers.
BackOfficer Friendly: BOF is a free Windows-based honeypot designed to be used as a burglar alarm. Written by Marcus Ranum and the NFR folks in 1998, BOF is extremely easy to use and runs on any Windows platform. However, it is very limited and can listen on only 7 ports. If you have never installed a honeypot before, this is a great place to start.
Bait-n-Switch. Not really a honeypot. Instead, a technology that directs all non-production or unauthorized traffic to your honeypots. Very powerful concept.
Bigeye. A low-interaction honeypot that emulates several services.
HoneyWeb. Emulates different types of webservers. Can dynamically change itself based on the type of requests.
Deception Toolkit: DTK was the first OpenSource honeypot, released in 1997. Written by Fred Cohen, DTK is a collection of Perl scripts and C source code that emulates a variety of listening services. Its primary purpose is to deceive human attackers. This tool is dated, but it was one of the first honeypots ever released.
LaBrea Tarpit: This OpenSource honeypot is unique in that it is designed to slow down or stop attacks by acting as a sticky honeypot. It can run on Windows or Unix.
Honeyd: This is a powerful, low-interaction OpenSource honeypot, released by Niels Provos in 2002. Honeyd, written in C and designed for Unix platforms, introduces a variety of new concepts, including the ability to monitor millions of unused IPs, spoof IP stacks, and simulate hundreds of operating systems, all at the same time. It also monitors all UDP- and TCP-based ports.
You can try out Honeyd with the Honeyd Linux Toolkit, a toolkit containing all the configuration files, precompiled static binaries, and startup scripts to get Honeyd instantly up and running on your Linux computer. Based on Honeyd 0.5 with patch 001.
The Brazilian Honeynet Project has developed a Honeyd bootable CDROM. They are using it for large-scale deployments of Honeyd. It's very exciting stuff; I recommend you check out their work.
Honeynets: These are entire networks of systems designed to be compromised. Honeynets are the most complex of honeypot solutions and have the greatest risk. However, they can also capture the most information of any honeypot.
Sendmail SPAM Trap. This honeypot identifies spammers and captures their SPAM, without relaying it to any victims. Best of all, VERY easy to set up!
Tiny Honeypot. Written by George Bakos, Tiny Honeypot is unique in that it always appears vulnerable. No matter what attack a hacker launches, it will appear successful. Great tool for collecting all sorts of information on the bad guys.