HOWTO set up HoneyBow Sensor using VMware


Prerequisite


Hardware

  • At least one Ethernet card;
  • At least 512M main memory;
  • Enough hard disk free space for your honeypot.

Software

  • Linux with kernel version 2.6.9 or above;
  • Network block device module;
  • NTFS kernel module;
  • VMware for Linux. Workstation version 5.5 or above is recommended as it supports command line snapshot revert;
  • Microsoft Windows installation disk or image for your honeypot;
  • Roo installation disk or image, if you decide to deploy Roo on virtual machine.

Setting Up


Set up Linux OS

Set up your Linux host OS with XWindows configured (needed for VMware).

Set up VMware

Set up VMware with eth0 bridged. If Roo is going to be deployed on a virtual machine, also configure a private network and bridge eth1 (the control channel for Roo). It is recommended that you purchase VMware Workstation 5.5 or later from VMware, since it supports command line snapshot management, which is very helpful for deploying a fully automated HoneyBow virtual machine sensor. If you don’t plan to spend much money on your sensor, VMware Server is also compatible with HoneyBow.

Set up Windows honeypot

Set up your Windows honeypot in VMware with the NTFS file system. It is recommended that you disconnect the honeypot from the Internet (e.g. disable the Ethernet card in the VM settings) until it is fully configured, in order to prevent infection. Configure the honeypot as you like, e.g. set up IIS.

Set up MwWatcher

Download the MwWatcher ISO image, configure it as the CD-ROM for your honeypot and install it. You can also download it inside the honeypot through a safe channel, but this is not recommended. Since MwFetcher needs to fetch the samples captured by MwWatcher, it is important to install it in the default path (C:\tools\); otherwise you may need to adjust MwFetcher accordingly. Then add MwWatcher to the startup group so it keeps watching the honeypot if the virtual machine reboots.

Take Snapshot

Enable the network (if you disabled it in step 3) and start MwWatcher. Now that all the work in the honeypot is done, take a snapshot and power it off.

Set up MwFetcher

Download MwFetcher, extract and install it (see the README or manual). Then generate the clean file list of your honeypot:

mwfetcher -i [-M] vmxfile

The -M option enables MD5 checksums but takes much longer to generate the list.

Set up MwSubmitter

Download MwSubmitter, extract and install it (see the README or manual). Ask the sample server for a submitting account (user name and corresponding key file). The HoneyBow sensor is designed to collaborate with the widely deployed Nepenthes sensors of the mwcollect Alliance and uses the G.O.T.E.K. protocol to submit captured samples. If you are already a member of the mwcollect Alliance, ask the administrator for another submitting account, or use the same account as Nepenthes if you like. If you are not, visit the alliance website and join now.

Set up Roo

To prevent the honeypot from damaging other machines, deploying Roo is recommended. You can install it either on a virtual machine or on a real box. After setting it up, you can connect your honeypot to the network you want to monitor.


Automating

HoneyBow is a highly automated system that can run entirely by itself.

Configure MwFetcher

Add your honeypot installation path to MwFetcher’s config file so it can scan it in batch mode. Read MWFETCHER’S MANUAL for more information.

Configure MwSubmitter

Add the submitting account information and MwFetcher’s submitting directory (by default /tmp/mwfetcher/<virtual machine name>/) to MwSubmitter’s config file so it can run in monitor mode. Read MWSUBMITTER’S MANUAL for more information.

Get an auto-recover script

Now what you need is to write an auto-recover* shell script, or you can download the one we use and modify it.

* Requires VMware Workstation 5.5 or later. VMware Server seems to be able to auto-revert too, but this has not been fully tested.
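As an illustration of what such a script does, here is an added example of an auto-recover loop (it is not the script the HoneyBow project distributes). It assumes the vmrun command line tool from VMware Workstation 5.5 or later is on PATH and accepts the "start", "stop" and "revertToSnapshot" forms used below; the snapshot name ("clean"), the .vmx path and the MwFetcher batch-mode command line (FETCH_CMD) are placeholders you must adapt from your own setup and MwFetcher's manual. The important ordering is that MwFetcher runs against the powered-off disk before the snapshot is reverted, because reverting discards everything the honeypot captured.

```shell
#!/bin/sh
# HoneyBow auto-recover loop (added example, not the project's own script).
# One cycle: start the honeypot, leave it exposed for CYCLE_SECONDS, power it
# off, let MwFetcher pull new samples from the powered-off disk, then revert to
# the clean snapshot so the next cycle starts from a known-good state.
# Assumptions: vmrun (VMware Workstation 5.5+) is on PATH with the command
# forms used here; SNAPSHOT and FETCH_CMD are placeholders for your setup.
set -u

VMX="${VMX:-/var/vm/honeypot/honeypot.vmx}"   # constructed path to the honeypot's .vmx
SNAPSHOT="${SNAPSHOT:-clean}"                 # snapshot taken after MwWatcher was started (assumed name)
CYCLE_SECONDS="${CYCLE_SECONDS:-1800}"        # how long the honeypot stays online per cycle
FETCH_CMD="${FETCH_CMD:-mwfetcher -b $VMX}"   # placeholder: use the batch-mode form from MwFetcher's manual
LOG="${LOG:-/tmp/honeybow-recover.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# validate_vmx: accept only an existing file ending in .vmx, so a typo in VMX
# cannot make vmrun act on some other virtual machine.
validate_vmx() {
    case "$1" in
        *.vmx) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# cycle_commands: the steps of one cycle, one per line, in the order they
# must run. Used by "dry-run" so the sequence can be checked without VMware.
cycle_commands() {
    printf '%s\n' \
        "vmrun start \"$1\"" \
        "sleep $CYCLE_SECONDS" \
        "vmrun stop \"$1\"" \
        "$FETCH_CMD" \
        "vmrun revertToSnapshot \"$1\" \"$SNAPSHOT\""
}

# run_cycle: execute one cycle, logging each step. A failed step aborts the
# cycle so the loop never starts a VM that was not reverted (possibly infected).
run_cycle() {
    vmx="$1"
    log "starting $vmx"
    vmrun start "$vmx"                        || return 1
    sleep "$CYCLE_SECONDS"
    log "powering off $vmx"
    vmrun stop "$vmx"                         || return 1
    log "fetching samples: $FETCH_CMD"
    $FETCH_CMD                                || return 1
    log "reverting to snapshot $SNAPSHOT"
    vmrun revertToSnapshot "$vmx" "$SNAPSHOT" || return 1
}

main() {
    validate_vmx "$VMX" || { echo "not an existing .vmx file: $VMX" >&2; exit 2; }
    command -v vmrun >/dev/null 2>&1 || { echo "vmrun not found in PATH" >&2; exit 2; }
    while :; do
        run_cycle "$VMX" || { log "cycle failed; waiting before retry"; sleep 60; }
    done
}

case "${1:-}" in
    run)     main ;;
    dry-run) cycle_commands "$VMX" ;;
    *)       echo "usage: $0 run|dry-run" >&2 ;;
esac
```

Run it with "dry-run" first to see the exact vmrun invocations it would issue for your .vmx path, then with "run" as the script started in the "Get HoneyBow running" step. Because MwSubmitter runs in monitor mode on MwFetcher's submitting directory, nothing in this loop needs to call MwSubmitter directly.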

Get HoneyBow running

Run MwSubmitter in monitor mode:

mwsubmitter -m

Run your auto-recover script:

./<your script>


Congratulations! The HoneyBow Sensor is now set up.
