Given the slightly disappointing experience with KFSensor, I decided to give HoneyPoint Personal Edition a shot. I tested the Windows build and had look on the linux build as well, nevertheless all screenshots and tests were run on the windows build.
Define the ports for the webserver and the static reply.
Define ports for 2 second tcp based service and the static reply.
Define open udp ports.
Setup the email alert functions.
This tab list the plugins loaded.
This is the ping example plugin.
The first line is the name of the plugin that is displayed in HPPE. This can be anything you wish, but must be unique. The second line is the command you wish to run (including path, if not in the standard path), the [attacker ip] is a variable that is replaced during execution. Keep in mind that the direct path for the command may be necessary. The third and fourth lines are the timeout and how many minutes must elapse before the plugin will be run for the same attacker IP address, respectively.
Other variables that can be used in Plugins are:
[attacker IP] [HoneyPoint IP] [HoneyPoint Port] [HoneyPoint time] [event data]
source: HPPE2UserGuide.pdf
The linux build shipped with a whois plugin instead of ping, which looked like this:
Whois Plugin whois [attacker ip] 6000 10
cat HoneyPointPE200Lnx/Plugins/Whois.hpp
Afterwards I had a look in the official plugin repository, empty.
Start the service by pushing the button.
HPPE offers 3 services, tcp/80 which would be http, tcp/23 which would be telnet and udp/161 which would be snmp.
telnet 192.168.53.229 Trying 192.168.53.229... Connected to 192.168.53.229. Escape character is '^]'. C:\Windows>Command not found. C:\Windows>echo foo Command not found. C:\Windows>^CConnection closed by foreign host.
The result when accessing HoneyPoint on port 23.
snmpwalk 192.168.53.229 snmpwalk: Timeout
firefox http://192.168.53.229
After rendering This site is under construction… firefox switched to this.
I had a look on the reply sent:
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 10 Jun 2012 10:10:15 PM Connection: keep-alive <HTML> <body> This site is under construction...<br> </body> </HTML>
Claiming http 1.1 with keep alive but without content-length does not work out, the default web reply is broken.
Every received chunk gets his own logfile in the main folder of the software.
This Personal Edition costs 24.29€, from what I understood the minimum spending on the enterprise solution HoneyPoint Security Server which includes a central console is $4995 on the starter kit for 10 sensors.
I got serious doubts this software would be worth installing even if it was for free, there is very little value in the data gathered, and given the logging of the Personal Edition the data is not really accessible anyway.
Providing an opportunity to respond to my criticism, I sent microsolved a mail with a link to the review, this is their response:
Thanks for the review of our product, HoneyPoint Personal Edition. We are sorry that it did not meet your specific needs. Since 2006, many people around the world have been using the tool as an effective personal detection tool and for gathering basic insights into threat postures of their environments. Since that time, we have received a high level of praise from users, both corporate and individuals, who have used HoneyPoint Personal Edition as a simple means of identifying compromised machines in incidents, studied what malware and attackers have been doing and found many creative uses for the product.
HPPE was designed to be an easy to use, easy to manage and easy to deploy tool for basic detections. It was not designed for an academic environment, for someone who wants to study the deep levels of compromise and the like that could be gathered using a full high interaction honeypot/honeynet. Instead, it is a cross platform tool with very basic emulations designed to give the user the source IP, target and basic insights in the tactics of attacks against them. The purpose of that specific data is to allow them to take actions to contain the attack, remove themselves as a target or respond appropriately. With those goals in mind, HPPE has been a very successful tool indeed. It is easy to use, flexible, extendable and gives the user visibility that they may not have had before. While it is not for everyone, enough folks use the product every day and the feedback has been good, so we continue to grow and develop it over time.
Thanks again for reviewing HoneyPoint Personal Edition. Our users appreciate its simplicity and approach and we are very proud of how many folks have been able to use it to help them with security problems and incidents. Your screenshots are numerous and the approach very detailed and we appreciate your time in compiling them.
Please feel free to post this and we look forward to your review of other security products in the future.
[…] 2010:11:26:honeypoint_personal_edition_review [carnivore news] […]