After HoneyDrive 3 was released it was hyped by Freebuf in China and briefly became popular. See "Linux Honeypot System HoneyDrive 3 Released" (Linux蜜罐系统HoneyDrive 3版本发布), http://www.freebuf.com/tools/40865.html.
Kippo SSH Honeypot: emulates an SSH service on the machine and can go further and provide a fairly realistic interactive shell. The attacker's password guesses and source IP addresses are all logged, and once the attacker guesses one of the pre-configured username/password pairs, Kippo fools them with a fake shell session; only curl and wget trigger real commands, which download the attacker's files for further analysis.
"Kippo: an excellent open-source SSH honeypot" (PDF): http://pan.baidu.com/s/1i3KcQot
Dionaea: Dionaea is a honeypot designed to trap malicious attacks and capture attack sessions and malware samples. It emulates a range of common services, captures the attack traffic aimed at those services, records source and destination IPs, ports, protocol types and the complete network session, automatically analyses any shellcode it contains (including its function calls and file downloads), and retrieves the malware.
Unlike high-interaction honeypots, which use real systems and services to trap attacks, Dionaea is designed as a low-interaction honeypot: every weakness and target it presents to the attacker is an emulation of a system and its services, not a real production system. The advantage of this design is that installation and configuration are very simple and the honeypot carries almost no security risk; the drawback is that imperfect emulation reduces data-capture capability and is easier for an attacker to recognise.
Dionaea low-interaction honeypot deployment in detail: http://drops.wooyun.org/tips/640
Introduction to the Dionaea low-interaction honeypot: http://pan.baidu.com/s/1sjGyI7r
Glastopf (web honeypot): Glastopf is a honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: reply with the correct response to the attacker exploiting the web application.
Glastopf: analysis of a web application attack trapping tool: http://www.2cto.com/Article/201302/189433.html
Amun: Through the use of emulated vulnerabilities Amun aims at capturing malware in an automated fashion. The use of the scripting language Python, a modular design, and the possibility to write vulnerability modules in XML allow the honeypot to be easily maintained and extended to personal needs.
Amun: Automatic Capturing of Malicious Software: http://pan.baidu.com/s/1dDiXrot
Conpot: Conpot is a low-interaction server-side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols we created the basics to build your own system, capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex. To improve the deceptive capabilities, we also provided the possibility to serve a custom human machine interface to increase the honeypot's attack surface. The response times of the services can be artificially delayed to mimic the behaviour of a system under constant load. Because we are providing complete stacks of the protocols, Conpot can be accessed with productive HMIs or extended with real hardware. Conpot is developed under the umbrella of the Honeynet Project and on the shoulders of a couple of very big giants.
Honeyd (low-interaction honeypot): Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses (I have tested up to 65536) on a LAN for network simulation. Honeyd improves cybersecurity by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.
http://www.honeyd.org/index.php
LaBrea (sticky honeypot): LaBrea is an intrusion detection / "sticky" honeypot technology using virtual servers to detect malware. LaBrea takes over unused IP addresses and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet. The program answers connection attempts in a way that makes the machine at the other end get "stuck", sometimes for a very long time.
LaBrea works by watching ARP requests and replies. When the program sees consecutive ARP requests spaced several seconds apart, without any intervening ARP reply, it assumes that the IP in question is unoccupied. It then "creates" an ARP reply with a bogus MAC address and fires it back to the requester.
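The two steps just described (spotting an unanswered, spaced-out run of ARP requests, then answering from a bogus MAC) as an added Python example, not LaBrea's own code: the request thresholds, the bogus MAC and the sample capture are all constructed for this illustration and are not LaBrea's defaults.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class ArpEvent:
    ts: float   # seconds since capture start
    op: str     # "request" or "reply"
    ip: str     # IP asked for (request) or IP that answered (reply)

def find_unoccupied(events, min_requests=3, min_gap=1.0, max_gap=10.0):
    """LaBrea's rule: an IP that draws several consecutive ARP requests spaced
    seconds apart, with no ARP reply for it in between, is assumed unoccupied.
    The thresholds are assumptions for this example, not LaBrea's defaults."""
    pending = {}          # ip -> (consecutive spaced requests, ts of last one)
    unoccupied = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "reply":
            pending.pop(ev.ip, None)   # a real host answered: occupied
            unoccupied.discard(ev.ip)
            continue
        count, last = pending.get(ev.ip, (0, None))
        if last is None or min_gap <= ev.ts - last <= max_gap:
            count += 1
        else:
            count = 1     # retransmit burst or stale history: start over
        pending[ev.ip] = (count, ev.ts)
        if count >= min_requests:
            unoccupied.add(ev.ip)
    return unoccupied

BOGUS_MAC = bytes.fromhex("00000fffffff")   # placeholder, not LaBrea's value

def build_arp_reply(claimed_ip, requester_mac, requester_ip, bogus_mac=BOGUS_MAC):
    """28-byte ARP reply (RFC 826 layout) that 'creates' claimed_ip on bogus_mac."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                       bogus_mac, IPv4Address(claimed_ip).packed,
                       requester_mac, IPv4Address(requester_ip).packed)

SAMPLE_EVENTS = [                           # constructed capture, not real data
    ArpEvent(0.0, "request", "10.0.0.5"),
    ArpEvent(0.1, "request", "10.0.0.7"),
    ArpEvent(0.2, "reply",   "10.0.0.7"),   # a live host owns .7
    ArpEvent(3.0, "request", "10.0.0.5"),
    ArpEvent(6.0, "request", "10.0.0.5"),   # 3rd spaced, unanswered request
    ArpEvent(9.0, "request", "10.0.0.9"),
    ArpEvent(9.1, "request", "10.0.0.9"),   # burst: not "spaced seconds apart"
    ArpEvent(9.2, "request", "10.0.0.9"),
]
```

Only 10.0.0.5 qualifies: .7 was answered by a real host and .9 only saw a sub-second burst, so neither would be taken over.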
PhoneyC: PhoneyC is a low-interaction honeypot for analysing the behaviour of malicious code aimed at clients. It provides a JavaScript engine that executes the JS code in a web page and judges from its behavioural characteristics whether the page contains malicious JavaScript.
http://www.honeynet.org/project/PhoneyC
Thug: A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker's content.
Thug is a Python low-interaction honeyclient aimed at mimicking the behavior of a web browser in order to detect and emulate malicious contents.
https://github.com/buffer/thug
HoneyDrive also includes a number of other honeypot-related projects. Their main purpose is the same; they differ in which services they emulate and how they implement them. It also bundles the ELK Stack (http://www.elasticsearch.org/overview/) as a log monitoring module.
It also ships some handy small tools that may come in useful when analysing malware by hand.
All of the material above was collected and summarised from across the vast expanse of the Internet, which took no small effort. It also serves as a summary for myself.
This article was first published by asnine and is my first blog post, so the layout may be a bit rough; please bear with it.