Introduction Of Honeypot

Session 16
Introduction to IDS | IPS | Honeypots
Network Security With Snort
Log Analysis
Honeypots and Attack Analysis

UTM stands for Unified Threat Management System. It is a promising technology that combines Firewalls, Antivirus, IDS, IPS, Web Security, Wireless Security, Service Enumeration etc. in one appliance.

Eg. Sophos UTM 9.

IDS –> Intrusion Detection System|Services
It is the service which helps in detecting any kind of intrusion or malicious activity of the attacker in the network.
IPS –> Intrusion Prevention System|Services
Once an intrusion is detected, the prevention phase begins. In this phase the application or software either blocks the traffic or tells you the ways in which you can prevent your system from being intruded or compromised.

IDS and IPS are known as the anti virus of the network –> They work on the network level.

They work on the content of the packet which are transmitted in the network.
Destination Port
Source Port
Source IP Address
Destination IP Address

SNORT –> It is considered to be the world's best IDS and IPS and is widely used by corporates.
It works on a rule basis: every packet is compared against the loaded rules.

For Installing SNORT
#apt-get install snort
For Checking the SNORT Version
#snort -V
For Starting SNORT (with the default configuration file, listening on interface eth0)
#snort -c /etc/snort/snort.conf -i eth0

Rule Files
/etc/snort/rules –> the directory where all of Snort's rule files are located.


alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)

Format For Creating Snort Rules
Basic Rule Syntax
Action Protocol SourceIPAddress SourcePortNumber DirectionOfFlow DestinationIPAddress DestinationPortNumber (Body;)

alert tcp any any -> any any (msg:"Sample Alert";)

The Rule Header
Action (log, Alert)
Protocol (TCP, UDP, IP, ICMP, any)
Source IP Address –> From where Data is originated
Source Port Number –> Port Number of the source Device
Direction Operator –> ("->" – unidirectional, "<>" – bidirectional)


Destination IP Address –> To which IP Address data is going
Destination Port Number –> To which port session is creating

Source and Destination IP Address can be variables
1. $EXTERNAL_NET –> Any IP Address which is an external IP Address, outside the organisation.
2. $HOME_NET –> Any IP Address from the internal organisation or the intranet.

Source IP Address
1. If I want to make it specific –> instead of any, I want to give an IP Address
# 203.0.113.5 is a placeholder for the attacker's IP address; ip matches every IP protocol
alert ip 203.0.113.5 any -> $HOME_NET any (msg:"Vallari Mittal Is Again Attacking";)

2. If I want the source IP Address for Intranet
alert ip $HOME_NET any -> any any (msg:"Source is intranet";)

3. If I want the source IP Address for Internet
alert ip $EXTERNAL_NET any -> any any (msg:"Source is internet";)

Same Thing Goes With Destination IP Address.

# content cannot be empty; PATTERN is a placeholder for the bytes to match
alert ip any any <> any any (content:"PATTERN"; msg:"Imma Watson is attacking";)

alert tcp any 22 <> any 22 (msg:"kiki ka ssh";)

We will create these rules and save them in /etc/snort/rules.
imma.rules —> rule file
But we have not implemented those rules yet.
To implement them we need to edit Snort's configuration file (/etc/snort/snort.conf) so that it includes the new rule file.

Types Of Rule Options
There are 5 types of rule Options
1. Metadata
2. Payload Data
3. Non Payload Data
4. Post Detection
5. Thresholding and suppression
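To make the header/body split concrete, here is an added example (not from the original post) that parses a Snort rule into its seven header fields and its option list, resolves $HOME_NET and $EXTERNAL_NET from assumed values, and rejects rules that are missing a header field, use an unknown protocol, or have no msg. The sample rules are constructed in the shape of the FINGER and "Sample Alert" rules above.

```python
import re

# Constructed sample rules; same shape as the FINGER and "Sample Alert" rules above.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; '
    'flow:to_server,established; content:"|00|"; classtype:attempted-recon; sid:324; rev:5;)',
    'alert tcp any any -> any any (msg:"Sample Alert";)',
]
# Assumed values for the two variables; in a real deployment they come from snort.conf.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
OPTION_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;"])*))?;')

def parse_rule(text):
    """Split one Snort rule into its 7 header fields and an ordered option list."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("header must be: action proto src sport dir dst dport (options)")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    if proto not in PROTOCOLS:
        raise ValueError("unknown protocol %r" % proto)
    # Each option is 'name:value;' or a bare 'name;'; quoted values may contain ';'.
    options = [(n, v.strip().strip('"')) for n, v in OPTION_RE.findall(body)]
    if "msg" not in dict(options):
        raise ValueError("rule has no msg option")
    return {"action": action, "protocol": proto, "src": VARS.get(src, src),
            "sport": sport, "direction": direction, "dst": VARS.get(dst, dst),
            "dport": dport, "options": options}

def option(rule, name):
    """Return the value of the first option called name, or None."""
    return dict(rule["options"]).get(name)

def check_rule(text):
    """Return None if the rule parses, otherwise the parse error as a string."""
    try:
        parse_rule(text)
        return None
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    for r in RULES:
        p = parse_rule(r)
        print(p["protocol"], p["src"], p["direction"], p["dst"], p["dport"], "sid", option(p, "sid"))
    print(check_rule("alert tcp any 22 <> 22 (msg; kiki ka ssh)"))
```

Running the last line against the malformed ssh rule shows the kind of error Snort itself would refuse to load.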

Honeypots
A honeypot is a system designed to appear vulnerable to attackers. The goal of a Honeypot is to log all the attacker's activity to study their behaviour, log their IP Addresses, track their locations and collect data about 0-day exploits. The idea of a Honeypot is nothing but a server that offers any kind of service to the attackers, from ssh to telnet, showing various well known exploitable ports.

Pentbox –> HoneyPot for Linux/Unix based OS.
Download .tar.gz file from
Open the terminal
#cd Downloads
#tar vzxf Filename.tar.gz
#cd pentbox-1.0

Log Analysis
Syntax of Log Of A Server

IP Address | Remote Log Name | Authentication Type | TimeStamp | Access Request | Response Code | Data Transfer (Bytes) | Referrer URL | User Agent

IP Address –> IP Address of the visitor
Remote Log Name –> Identity Check for browser ‘-‘

Authentication –> 1. Basic Authentication
2. Integrated Authentication
3. Form Based Authentication
4. Digest Authentication

Response Code –> 5 types of response codes
1xx –> Informational
2xx –> Successful
3xx –> Redirection
4xx –> Client Side error
5xx –> Server Side error
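As an added example (not part of the original post), this parses server log lines in the field layout given above, classifies each response code into the five classes, and counts 4xx responses per visitor IP so that a burst of client errors from one address (typical of a scanner probing for files that do not exist) stands out. The log lines are constructed samples, not real server output.

```python
import re
from collections import Counter

# Constructed sample lines in the layout described above (not from a real server).
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /.env HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - alice [10/Oct/2023:14:01:02 +0000] "POST /login HTTP/1.1" 302 0 "http://example.com/" "curl/8.0"',
    '198.51.100.4 - alice [10/Oct/2023:14:01:05 +0000] "GET /report HTTP/1.1" 500 128 "http://example.com/" "curl/8.0"',
]

# IP | remote logname | authenticated user | timestamp | request | status | bytes | referrer | user agent
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<logname>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$')
CLASSES = {"1": "Informational", "2": "Successful", "3": "Redirection",
           "4": "Client Side error", "5": "Server Side error"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])   # '-' means no body sent
    d["class"] = CLASSES[str(d["status"])[0]]                   # first digit gives the class
    d["method"], d["path"] = d["request"].split(" ")[:2]
    return d

def summarize(lines):
    """Count parsed lines per response class."""
    by_class = Counter(p["class"] for p in map(parse_line, lines) if p)
    return dict(by_class)

def client_errors_by_ip(lines, threshold=3):
    """IPs with at least `threshold` 4xx responses; such bursts usually mean probing."""
    errs = Counter(p["ip"] for p in map(parse_line, lines)
                   if p and p["class"] == "Client Side error")
    return {ip: n for ip, n in errs.items() if n >= threshold}

if __name__ == "__main__":
    print(summarize(LOG_LINES))
    print(client_errors_by_ip(LOG_LINES))
```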
