I want to create a high-interaction honeypot and I need a program that will do the following:
In the previous section we briefly introduced several methods to
collect additional information at the host system. This provides more
information about cyber attacks, but the most valuable information can
be collected at the honeypot itself — within the guest virtual
machine. If we are able to closely monitor this system, we can, for
example, observe what the attacker is typing, which tools he is
executing and how he is escalating his privileges. Here is another
example of why we must closely monitor the virtual honeypot: Imagine
that the attacker uses an encrypted session via SSH to connect to the
honeypot. If he then downloads additional tools via an SSL-encrypted
website, the network dumps collected at the guest system are pretty
useless. Since the complete session is encrypted and we do not know
the correct key to decrypt the network stream, the tcpdump logs are
rather useless to us. However, if we can observe the keystrokes and
everything else at the honeypot itself, we can see which commands the
attacker executes within the SSH session and which tools he downloads
from the SSL-encrypted website. This way we can learn more about his
procedures and study the attacker in more detail.
This excerpt is from “Virtual Honeypots – From Botnet Tracking to Intrusion Detection”. It’s pretty old and it suggests I use a program called Sebek to do what it says in the excerpt.
Sebek is pretty old and I can’t find it in the link given by the book (http://www.honeynet.org/tools/sebek).
Is there any modern (and preferably free) software that will do this?
Alternatively, could I use some open source virus or create something with, for example, Metasploit that will do this?
Thanks in advance.
Software to monitor everything that happens in Honeypot, or is there an equivalent of Sebek? [on hold]
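The excerpt's point is that the record has to be taken inside the guest, after the SSH/TLS layer has been stripped, so that the attacker's commands are visible even though the network capture is opaque. On a modern Linux guest the standard, free building block for that is the kernel audit subsystem: an auditd rule on execve() logs every program the attacker runs, with the login uid (auid) preserved across su/sudo. The following is an added example, not code from the post or from the book: it assumes the guest runs auditd with the two rules shown in the docstring, that the audit log is shipped off the guest, and that the host parses it with the functions below. The audit lines are constructed for illustration, not a real capture.

```python
"""Rebuild an attacker's command timeline from Linux auditd execve records.

Assumed guest setup (hypothetical, not from the original post): auditd is
running with these rules in /etc/audit/rules.d/honeypot.rules, so every
execve() is recorded regardless of how the attacker reached the box:

    -a always,exit -F arch=b64 -S execve -k honeypot
    -a always,exit -F arch=b32 -S execve -k honeypot

Each execve produces a SYSCALL record and an EXECVE record that share one
audit serial number; this script joins them and decodes the argv.
"""
import re

# Constructed sample of /var/log/audit/audit.log lines (not a real capture).
# Serial 503 shows uid=0 with auid=1000: the login session became root.
# The a2 value of serial 503 is hex because the argument contains a space.
# Serial 504 is an openat() under another key and must be ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key="honeypot"
type=EXECVE msg=audit(1700000000.101:501): argc=1 a0="id"
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=902 auid=1000 uid=1000 comm="wget" exe="/usr/bin/wget" key="honeypot"
type=EXECVE msg=audit(1700000000.205:502): argc=3 a0="wget" a1="-q" a2="https://dl.example.invalid/x.tgz"
type=SYSCALL msg=audit(1700000000.310:503): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=903 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash" key="honeypot"
type=EXECVE msg=audit(1700000000.310:503): argc=3 a0="bash" a1="-c" a2=6563686F206F776E6564
type=SYSCALL msg=audit(1700000000.400:504): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=903 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="files"
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'[0-9A-F]+')


def decode_arg(raw):
    """auditd quotes printable argv entries; an entry containing spaces,
    quotes or control bytes is written as unquoted uppercase hex instead."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if HEX_RE.fullmatch(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw  # e.g. "(null)"


def parse_fields(body):
    """Split 'k=v k="v v" ...' into a dict; values keep their quotes."""
    return dict(FIELD_RE.findall(body))


def reconstruct_commands(audit_text):
    """Join SYSCALL and EXECVE records that share a serial into one event.
    Returns a chronological list of events tagged key="honeypot" that carry
    an EXECVE record; other syscalls and other keys are dropped."""
    events = {}
    for line in audit_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        serial = m.group('serial')
        ev = events.setdefault(serial, {'serial': serial, 'ts': float(m.group('ts')),
                                        'argv': None, 'key': None})
        fields = parse_fields(m.group('body'))
        if m.group('type') == 'SYSCALL':
            ev['key'] = fields.get('key', '').strip('"')
            ev['pid'] = int(fields.get('pid', '-1'))
            ev['auid'] = int(fields.get('auid', '-1'))   # login uid, fixed at login
            ev['uid'] = int(fields.get('uid', '-1'))     # effective uid at execve
            ev['exe'] = fields.get('exe', '').strip('"')
        elif m.group('type') == 'EXECVE':
            argc = int(fields.get('argc', '0'))
            ev['argv'] = [decode_arg(fields.get('a%d' % i, '')) for i in range(argc)]
    cmds = [ev for ev in events.values()
            if ev['key'] == 'honeypot' and ev['argv'] is not None]
    cmds.sort(key=lambda ev: (ev['ts'], int(ev['serial'])))
    return cmds


def escalations(cmds):
    """Commands run with an effective uid different from the login uid:
    auid survives su/sudo, so this marks where the session gained root."""
    return [c for c in cmds if c['auid'] != c['uid']]


def format_timeline(cmds):
    return '\n'.join('%.3f pid=%d auid=%d uid=%d %s' % (
        c['ts'], c['pid'], c['auid'], c['uid'], ' '.join(c['argv'])) for c in cmds)


if __name__ == '__main__':
    commands = reconstruct_commands(SAMPLE_AUDIT_LOG)
    print(format_timeline(commands))
    for c in escalations(commands):
        print('privilege change at serial', c['serial'], '->', ' '.join(c['argv']))
```

Two caveats a practitioner would add. First, execve logging sees programs, not keystrokes: shell builtins such as cd or export never reach execve, so for the keystroke-level view the excerpt describes, the pam_tty_audit PAM module (enable=* in the PAM stack of sshd/login) records TTY input into the same audit log. Second, an attacker who becomes root inside the guest can stop auditd or truncate the log, so the records must leave the guest continuously (audisp remote logging or syslog forwarding to the host) rather than being collected afterwards; that off-host copy is what takes the place of Sebek's covert export channel.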