HoneyPoint: Honeypot for Windows, Linux or Mac
- 18 November, 2010 05:47
After over 10 years of active participation in the honeypot community, I was surprised not to have heard of MicroSolved's HoneyPoint Security Server before I started planning this roundup. HoneyPoint runs on Windows, Linux, and Mac OS X, and offers some useful features -- such as "defensive fuzzing" and the ability to track alert status -- that KFSensor and Honeyd don't. But HoneyPoint is neither as easy and complete as KFSensor, nor as flexible and scalable as Honeyd.
HoneyPoint's sensors, called HPoints, consist of HoneyPoints and HornetPoints. HoneyPoints are traditional honeypots with fake listening services and banners. HornetPoints are HoneyPoints that actively try to slow down malware and malicious hacking tools using defensive fuzzing, which is otherwise known as "tarpitting" in the computer security world. HoneyPoints and HornetPoints connect back to a centralized HoneyPoint Security Console; the data sent from the HPoints is encrypted to the console using 128-bit Blowfish.
Additionally, MicroSolved offers HoneyPoint Trojans and HoneyBees. HoneyPoint Trojans are red herring binary programs (custom created by MicroSolved when requested by the customer) that an attacker might be tricked into executing; the Trojan then connects back to the console, alerting the admin to the presence and location of the attacker. HoneyBees are programs that simulate unencrypted POP3 and HTTP connections, in order to create bogus authentication traffic that an attacker might sniff.
These are slightly interesting features, but they are useful only in certain scenarios: when the attacker has installed sniffers; when the sniffer is operating on the right network connections or the attacker has disabled the switched segments; or when the attacker is looking for POP3 or HTTP traffic. In short, they rely on a number of contingencies.