Swedish Chapter – Chapter Status Report For 2013
During 2013, which was our first year as a chapter, our focus has been on Glastopf, a “web” honeypot.
Currently we are hosting 7 of them ourselves and have another 2 being hosted by people interested in learning more about honeypots. All of them are deployed on Swedish ISPs.
All our Glastopf installations have submitted their data to hpfriends from the start.
We are also using and trying out a few other types of honeypots such as Dionaea, Cuckoo, Thug and Kippo. Our goal is to have some of these honeypots installed into “production” during 2014.
Our primary goal for starting the Swedish chapter was to provide local data to interested parties in Sweden, but also to contribute to the project at large with our data/findings.
RESEARCH AND DEVELOPMENT:
As 2013 was our first year as a chapter, we decided to focus on getting a base deployment up and running. That being said, we have made some minor contributions to the Glastopf honeypot (https://github.com/glastopf/glastopf/graphs/contributors, @nixcon and @nsmfoo). We have had some excellent support from Lukas Rist and Johnny Vestergaard during our work to familiarize ourselves with Glastopf, and help with any issues that we came across doing so.
We also began the work on OpenHoney, an OpenBSD based distribution with Glastopf. The team will put more effort into OH during 2014, with the aim of creating a small and easy to use installation for those interested in running their own honeypot (http://www.openhoney.org/).
PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS:
Our engagements during the year, besides our own internal efforts, were to support individuals contacting us with requests for help on how to set up and configure their honeypots (various sorts). We think that this could be developed further and we are looking into various ways of supporting persons interested in honeypots. Hopefully this will also work as a recruitment base for future members.
As our research was very limited last year, so were the results. One of the main reasons for that is described below in the goals section.
Our main goal for 2013 was, as described above, to gain visibility into attacks occurring both locally in Sweden and abroad. One step to achieve this was to install a base of honeypots that would collect this information. Despite some lack of hardware, we managed to get a fair amount of installations and lots of insight while doing this.
The other goal was to make sense of the collected data. In this effort we did not fulfil our goals, as our initial solution did not meet our needs. But with that being said, this was also part of our learning process and we aim to meet the goal during next year. We did one report release (as a PoC, very limited) last year (http://honeynetproject.se/research/).
During 2014, we aim to continue to grow in the number of installations; we have had some hardware donations from a generous member, which we will put to use. We are also having discussions with some supporters for more installations.
We will also continue our effort in collecting and analysing collected data. This effort is also made possible thanks to donated hardware.
With that in place we hope to be able to continue the use of other types of honeypots and implement some of our other ideas.
If possible, we will also try to make ourselves available to make some presentations, an effort that will be made possible if we have something to show (like the collected data).
A few days ago I was contacted by our CPRO, Leon van der Eijk, and asked to write a blog post about my own project called Bifrozt; something which I was more than happy to do. :) This post will explain what Bifrozt is, how this got started, the overall status of the project and what will happen further down the road.
What is Bifrozt?
During the month of May the following information was obtained from Glastopf installations worldwide:
Number of alerts for the period: 1859863
Filenames (RFI) - 10 most popular during the period:
During the month of April the following information was obtained from Glastopf installations worldwide:
Number of alerts for the period: 1325919
Filenames (RFI) - 10 most common during the period: