A honeypot is a decoy IT infrastructure or application component that is deployed to be attacked. It can take the form of a system, a network or an app, and may be implemented as a real or emulated resource. Since a honeypot has no other purpose, every attempt to interact with it is suspicious.
Honeypots can help discover malicious activities at a lower rate of false positives than traditional intrusion detection approaches. Honeypots can also slow down and mislead the attacker by automatically providing slow responses or incorrect information. Lastly, the logs and artifacts collected by honeypots can be used to learn about the attacker’s capabilities and intentions.
Here are several freely-available honeypot tools specialized for understanding SSH, web and malware attacks:
- Kippo is an SSH honeypot that can log brute force attacks, where remote the remote attempts to guess logon credentials of an SSH server. Best of all, Kippo is able to record and replay the attacker’s interactions with the emulated shell on the fake SSH server.
- Glastopf is a web application honeypot. It emulates often-exploited web vulnerabilities, such as remote and local file inclusion and SQL injection. Glastopf examines the attacker’s HTTP request and attempts to respond according to expectations to, for instance, download malicious files.
- Dionaea is a honeypot for collecting malware. It emulates vulnerabilities in Windows services often targeted by malware, such as SMB, HTTP, TFP and FTP. Dionaea’s handling of the SMB protocol is particularly liked by researchers, as is its ability to emulate the execution of the attacker’s shellcode.
In addition to these honeypot tools, you might also explore Honeywall, Honeyd, and INetSim. Additional malware-focused honeypot tools are Omnivora and Amun. For additional pointers, see Wikipedia articles on Honeypots and Client Honeypots. An excellent book on this topic is Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz.