
Public Honeypot Data Sources

TL;DR

Yes! Several public honeypots share their logs. These are great for learning about cyber security threats, researching attacker behaviour, and building detection rules. This guide lists some useful sources and how to access them.

Finding Public Honeypot Logs

  1. Honeynet Project: The original honeynet project provides various resources, including data from their deployments.
    • Website: https://www.honeynet.org/
    • They often publish research papers and datasets based on collected logs. Check their publications section for available data.
  2. Malware Traffic Analysis: This site collects netflow data from honeypots.
  3. Project Honeypot: Focuses on IP reputation and provides data feeds.
    • Website: https://www.projecthoneypot.org/
    • They offer several services, including DNSBLs (DNS Blacklists) and HTTPBLs. You can use their data to block malicious IPs in your firewall or intrusion detection system.
  4. Cuckoo Sandbox: While not a direct log source, Cuckoo is an automated malware analysis system. Many public instances share reports.
  5. Team Cymru: Provides various threat intelligence feeds, including data from their honeypots.
    • Website: https://team-cymru.com/
    • Requires registration for some services but offers valuable information about botnets and malicious IPs.
  6. DShield: A collaborative cyber security project that collects data from various sources, including honeypots.
    • Website: https://dshield.org/
    • Provides raw connection logs and alerts. You can download the data in various formats.

Analysing Honeypot Logs

  1. Wireshark: A popular network protocol analyser.
  2. tcpdump: A command-line packet analyser.
    • Useful for capturing live traffic or analysing PCAP files on a server.
    • Example to capture traffic on port 80:
      sudo tcpdump -i eth0 port 80
  3. Elasticsearch/Kibana: A powerful log management and visualisation platform.
    • Ingest honeypot logs into Elasticsearch and use Kibana to create dashboards and visualisations.

Important Considerations

  • Data Volume: Honeypot logs can be large, so ensure you have sufficient storage space.
  • Privacy: Be mindful of any personally identifiable information (PII) that may be present in the logs and handle it responsibly.
  • Accuracy: Public honeypots are not always representative of real-world attacks. Use them as a learning tool, but don’t rely on them solely for security decisions.
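As an added example (not code from the original post), the script below shows the analysis step and the privacy consideration together: it parses honeypot connection records, reports the busiest sources and most-targeted ports, applies one simple detection rule (a source touching many distinct ports is flagged as a scanner), and pseudonymises source addresses with a salted hash before anything is shared. The log format, the sample lines, the scanner threshold and the salt are all constructed for the demonstration; they are not the export format of DShield or any other feed listed above.

```python
"""Summarise honeypot connection logs and flag scanning sources.

Added example, not from the original post. The record format used here
(timestamp src_ip src_port dst_ip dst_port proto) is a constructed, generic
one, not the exact export format of DShield or any other feed listed above.
"""
import hashlib
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample lines standing in for a honeypot's raw connection log.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 51234 192.0.2.10 22 tcp
2024-05-01T10:00:02Z 203.0.113.7 51235 192.0.2.10 23 tcp
2024-05-01T10:00:02Z 203.0.113.7 51236 192.0.2.10 80 tcp
2024-05-01T10:00:03Z 203.0.113.7 51237 192.0.2.10 443 tcp
2024-05-01T10:00:03Z 203.0.113.7 51238 192.0.2.10 8080 tcp
2024-05-01T10:00:03Z 203.0.113.7 51239 192.0.2.10 3389 tcp
2024-05-01T10:00:09Z 198.51.100.4 40001 192.0.2.10 22 tcp
2024-05-01T10:00:10Z 198.51.100.4 40002 192.0.2.10 22 tcp
2024-05-01T10:00:11Z 198.51.100.4 40003 192.0.2.10 22 tcp
2024-05-01T10:00:12Z 198.51.100.9 40004 192.0.2.10 53 udp
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Connection:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_log(text: str) -> list:
    """Parse whitespace-separated connection records, skipping bad lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed or blank line: ignore, do not abort the run
        ts, src_ip, src_port, dst_ip, dst_port, proto = fields
        try:
            records.append(Connection(ts, src_ip, int(src_port),
                                      dst_ip, int(dst_port), proto.lower()))
        except ValueError:
            continue  # non-numeric port field
    return records


def top_sources(records, n=5):
    """Most active source IPs by connection count."""
    return Counter(r.src_ip for r in records).most_common(n)


def top_ports(records, n=5):
    """Most targeted (dst_port, proto) pairs."""
    return Counter((r.dst_port, r.proto) for r in records).most_common(n)


def find_scanners(records, min_ports=5):
    """Detection rule: a source touching at least min_ports distinct destination
    ports is treated as a port scanner. The threshold is an assumption; tune it
    per feed, since a busy feed will show more noise than this sample."""
    ports_by_src = defaultdict(set)
    for r in records:
        ports_by_src[r.src_ip].add(r.dst_port)
    return sorted(ip for ip, ports in ports_by_src.items() if len(ports) >= min_ports)


def pseudonymise_ip(ip: str, salt: bytes) -> str:
    """Replace a source IP with a salted hash so a report can be shared without
    exposing the raw address (addresses can count as PII). The same IP always
    maps to the same token under one salt, so counts still line up."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()[:16]


def report(text: str, salt: bytes = b"constructed-demo-salt") -> dict:
    """Parse, summarise and pseudonymise in one pass; the salt is a placeholder."""
    records = parse_log(text)
    return {
        "parsed": len(records),
        "top_sources": [(pseudonymise_ip(ip, salt), c) for ip, c in top_sources(records)],
        "top_ports": top_ports(records),
        "scanners": [pseudonymise_ip(ip, salt) for ip in find_scanners(records)],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

To use this against a real download, read the file into a string and pass it to report(); if the feed's columns differ, adjust the field order in parse_log. Keep the salt out of the shared report and rotate it per dataset, otherwise the tokens can be reversed by hashing candidate addresses.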