
SANS ISC: DShield Honeypot - SANS Internet Storm Center DShield Honeypot



DShield Honeypot

The DShield Honeypot is a low interaction honeypot that allows us to collect data for research purposes. The honeypot by default runs the following clients:

  • Collecting SSH and Telnet usernames and passwords via Cowrie
  • An HTTP honeypot collecting full HTTP requests (we are currently working on our own; for now, Apache is used)
  • We also collect firewall logs from the honeypot
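
To show what the SSH/Telnet credential data from Cowrie looks like to an analyst, here is an added example (not part of the original page or the DShield code) that tallies login attempts. It assumes Cowrie's JSON log output with `cowrie.login.failed` and `cowrie.login.success` events; the sample lines are constructed, and `summarize_logins` is a hypothetical helper name.

```python
import json
from collections import Counter

# Constructed sample lines in the style of Cowrie's JSON log (not real captures).
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.10","session":"a1","timestamp":"2024-01-01T00:00:01Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"192.0.2.10","session":"a1","timestamp":"2024-01-01T00:00:02Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"192.0.2.10","session":"a1","timestamp":"2024-01-01T00:00:03Z"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"198.51.100.7","session":"b2","timestamp":"2024-01-01T00:05:00Z"}
this line is truncated {"eventid":
{"eventid":"cowrie.login.failed","username":"root","src_ip":"203.0.113.5","session":"c3","timestamp":"2024-01-01T00:06:00Z"}
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def summarize_logins(lines):
    """Tally credential pairs and source IPs from login events; count unusable lines."""
    creds, sources, skipped = Counter(), Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # partial write or rotation artifact
            continue
        if not isinstance(event, dict) or event.get("eventid") not in LOGIN_EVENTS:
            continue  # connects, commands, etc. are out of scope here
        user, pw, ip = event.get("username"), event.get("password"), event.get("src_ip")
        if user is None or pw is None or ip is None:
            skipped += 1  # login event missing a field we rely on
            continue
        creds[(user, pw)] += 1
        sources[ip] += 1
    return creds, sources, skipped


if __name__ == "__main__":
    creds, sources, skipped = summarize_logins(SAMPLE_LOG.splitlines())
    for (user, pw), n in creds.most_common():
        # repr() escapes control characters: these strings are attacker-supplied
        print(f"{n:3d}  {user!r} / {pw!r}")
    print("sources:", dict(sources), "skipped lines:", skipped)
```
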

The honeypot can be installed on a Raspberry Pi or on most Linux systems running a Debian- or Red Hat-based distribution, but most testing has been done with a Raspberry Pi and Ubuntu. For more details about the software, and how to install it, see our GitHub repository.

Honeypot FAQs

  • Will running a honeypot increase my risk of an attack?
    It should not. This is not an actual vulnerable system; instead, we use scripts like Cowrie to simulate a vulnerable system.
  • Is it useful to DShield to have a honeypot on a residential DSL/Cable connection or do you need data from large networks?
    Absolutely. We need a large number of diverse participants to make this project useful. Even a normal home connection will likely see several attacks a day.
  • Can I run the honeypot on a free AWS instance (or other cloud service)?
    Yes. The honeypot uses few resources. It should work well on a minimum cloud instance. It needs only a little disk storage, as logs are sent to DShield.
  • Can the honeypot be hacked? Can it be used to attack others?
    We hope not. The honeypot uses scripts to simulate vulnerable services. This is not a vulnerable machine or "full interaction" honeypot.
  • How do I report a problem or ask for help?
    Report any problems as an "issue" via GitHub. This is the best way for us to track any problems.