HoneyPoint: A honeypot for Windows, Linux, or Mac OS X
HoneyPoint Security Server combines multiplatform support, unique features, and limitations
Columnist, InfoWorld |
After over 10 years of active participation in the honeypot community, I was surprised not to have heard of MicroSolved's HoneyPoint Security Server before I started planning this roundup. HoneyPoint runs on Windows, Linux, and Mac OS X, and offers some useful features -- such as "defensive fuzzing" and the ability to track alert status -- that KFSensor and Honeyd don't. But HoneyPoint is neither as easy and complete as KFSensor, nor as flexible and scalable as Honeyd.
HoneyPoint's sensors, called HPoints, consist of HoneyPoints and HornetPoints. HoneyPoints are traditional honeypots with fake listening services and banners. HornetPoints are HoneyPoints that actively try to slow down malware and malicious hacking tools using defensive fuzzing, which is otherwise known as "tarpitting" in the computer security world. HoneyPoints and HornetPoints connect back to a centralized HoneyPoint Security Console; the data sent from the HPoints is encrypted to the console using 128-bit Blowfish.
Additionally, MicroSolved offers HoneyPoint Trojans and HoneyBees. HoneyPoint Trojans are red herring binary programs (custom created by MicroSolved when requested by the customer) that an attacker might be tricked into executing; the Trojan then connects back to the console, alerting the admin to the presence and location of the attacker. HoneyBees are programs that simulate unencrypted POP3 and HTTP connections, in order to create bogus authentication traffic that an attacker might sniff.
These are slightly interesting features, but they are useful only in certain scenarios: when the attacker has installed sniffers; when the sniffer is operating on the right network connections or the attacker has disabled the switched segments; or when the attacker is looking for POP3 or HTTP traffic. In short, they rely on a number of contingencies.
HoneyPoint ports and services
Installation of the console or an HPoint requires executing a very simple and small install program, plus placement of the licensing file. Additional configuration options can be set through a GUI or by editing configuration text files.
When configuring HPoints, you have nine different listener types to choose from: TCPBasic Service, TCPListener, TCP3lvl, SMTP, Web, UDP, POP3, TCPRandom, and PortMiner. TCPBasicService will collect information, display a banner, and send a basic text response. TCPListener simply collects connection information from attackers and probes and does not respond.
| Test Center Scorecard | |||||
|---|---|---|---|---|---|
| 35% | 25% | 20% | 20% | ||
| HoneyPoint Security Server 3.00 | 7 | 8 | 7 | 7 |
7.3 Good |