SANS ISC: DShield Honeypot

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

DShield Honeypot

The DShield Honeypot is a low-interaction honeypot that allows us to collect data for research purposes. By default, the honeypot runs the following components:

  • Cowrie, which collects SSH and Telnet usernames and passwords
  • An HTTP honeypot that collects full HTTP requests
  • Firewall logging: we also collect firewall logs from the honeypot

The honeypot can be installed on a Raspberry Pi using Raspbian OS or a system running Ubuntu 20.04 LTS. For more details and up-to-date instructions, see our GitHub repository.

Complete Install Video via YouTube (long/thorough)

Honeypot FAQs

  • Will running a honeypot increase my risk of an attack?
    It should not. This is not an actual vulnerable system. Instead, we use scripts like Cowrie to simulate a vulnerable system.
  • Is it useful to DShield to have a honeypot on a residential DSL/Cable connection or do you need data from large networks?
    Absolutely. We need a large number of diverse participants to make this project useful. Even a normal home connection will likely see several attacks a day.
  • Can I run the honeypot on a free AWS instance (or other cloud service)?
    Yes. The honeypot uses few resources. It should work well on a minimum cloud instance. It needs very little disk storage. Logs are sent to DShield every 30 minutes, and no longer-term log storage is needed.
  • Can the honeypot be hacked? Can it be used to attack others?
    We hope not. The honeypot uses scripts to simulate vulnerable services. This is not a vulnerable machine or "full interaction" honeypot.
  • How do I report a problem or ask for help?
    Report any problems as an "issue" via GitHub. This is the best way for us to track any problems. Or use our Slack channel.