HoneyPoint: A honeypot for Windows, Linux, or Mac OS X

HoneyPoint Security Server combines multiplatform support, unique features, and limitations

Page 3 of 4

HoneyPoint administration and alerts
Another drawback: It isn't possible to assign different banners and responses to different ports that are using the same type of sensor, unless you run additional agent binaries. You can specify multiple ports per HPoint sensor type, but the same banner or response will be sent each time regardless of the port. This makes it difficult to create legitimate-looking responses across a larger number of well-known ports once you have filled up all nine HPoint sensor types.

All new connections to listening sensors are sent to the console and appear in the Alerts tab with basic information displayed. All alerts can be reviewed, acknowledged, and assigned to specific users. External alerts can be sent via email, syslog, or Windows Event messages. For email alerts, HoneyPoint has a throttling feature that allows you to limit the flow.


If alerts are extremely long or the data field contains binary data, the console will not display the (potentially dangerous) data for safety reasons. Instead, the HoneyPoint console provides a link to an MD5-hashed, read-only file named AlertX.txt; the link can then be used to open the file for analysis. HoneyPoint does not keep or display network packet detail, although a network sniffer could probably be easily incorporated on a sensor.
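The handling described above, as an added Python example (not HoneyPoint's own code): short printable captures are shown inline, while long or binary captures are written to a read-only AlertX.txt file with an MD5 digest recorded for later verification. The 256-byte limit, the function names, the record layout, and the use of the digest as an integrity check are assumptions.

```python
import hashlib
import os
import tempfile

MAX_INLINE = 256  # assumed display limit; the page does not give one


def is_displayable(data: bytes, limit: int = MAX_INLINE) -> bool:
    """True only for short payloads of printable ASCII plus tab, LF, CR.

    ESC (0x1b) and other control bytes are rejected, so captured input
    cannot drive the analyst's terminal or UI with control sequences.
    """
    if len(data) > limit:
        return False
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def store_alert(alert_id: int, data: bytes, out_dir: str) -> dict:
    """Build a console record; long or binary data goes to a read-only file."""
    if is_displayable(data):
        return {"id": alert_id, "inline": data.decode("ascii"),
                "file": None, "md5": None}
    path = os.path.join(out_dir, f"Alert{alert_id}.txt")
    # O_EXCL: never overwrite an earlier capture. 0o400: owner read-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # MD5 mirrors the page; it detects accidental change, not tampering.
    return {"id": alert_id, "inline": None, "file": path,
            "md5": hashlib.md5(data).hexdigest()}


def verify_alert(record: dict) -> bool:
    """Re-hash the stored file and compare with the recorded digest."""
    with open(record["file"], "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest() == record["md5"]


if __name__ == "__main__":
    out = tempfile.mkdtemp()
    # Constructed sample payloads: plain text, binary with an ESC sequence, oversized.
    samples = [b"USER admin\r\n", b"\x16\x03\x01\x00\x2e\x1b[2J", b"A" * 4000]
    for n, payload in enumerate(samples, 1):
        rec = store_alert(n, payload, out)
        print(rec["inline"] if rec["file"] is None else f"see {rec['file']} md5={rec['md5']}")
```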

Acknowledged alerts get sent to the Open Issues tab. The console allows each event to be given a tracking status: New, Open, Under Investigation, Resolved Attack, Resolved False Positive, Closed, or Ignore. Tracking the status of each alert is unique among the products reviewed and a nice touch.
