Honeynet Attack Visualization
So the last time I blogged about Honeynets we discussed adding realism. I ended up installing the latest test 1.1 version of Roo as a virtual machine and the results were positive. So far a lot of the easy, annoying bugs that required end-user debugging and troubleshooting are now fixed (like updating the packages and kernel on the box). My next step will be adding the SCADA IDS signatures and re-configuring the honeywall for a few different scenarios.
Earlier this week I came across a tool, psad, that provided very interesting output analysis (psad utilizes afterglow for visualization). The author took a couple of the Honeynet Challenges and graphed out a couple of the attacks.

It’s astonishing to see the visualization output from the Nachi worm; it quickly points out which nodes are infected. It would be interesting to see the visualization of how a potential polymorphic ICCP worm worked its way through TOs and ISOs/RTOs.
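As an added illustration (not code from this post, from psad, or from afterglow), here is a small Python script showing the first step of that log-to-graph pipeline: it pulls SRC/DST pairs out of iptables LOG lines of the kind psad reads from syslog, writes them in afterglow's two-column source,target CSV form, and flags sources whose distinct-destination fan-out looks like a worm's ICMP sweep, which is exactly what makes an infected node stand out in the rendered graph. The log lines, addresses and the fan-out threshold are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines in the syslog format psad parses; hosts and timestamps are made up.
SAMPLE_LOG = """\
Dec 15 10:01:02 honeywall kernel: IN=br0 OUT= SRC=10.0.0.5 DST=10.0.0.11 PROTO=ICMP TYPE=8 CODE=0
Dec 15 10:01:02 honeywall kernel: IN=br0 OUT= SRC=10.0.0.5 DST=10.0.0.12 PROTO=ICMP TYPE=8 CODE=0
Dec 15 10:01:03 honeywall kernel: IN=br0 OUT= SRC=10.0.0.5 DST=10.0.0.13 PROTO=ICMP TYPE=8 CODE=0
Dec 15 10:01:03 honeywall kernel: IN=br0 OUT= SRC=10.0.0.5 DST=10.0.0.14 PROTO=ICMP TYPE=8 CODE=0
Dec 15 10:01:04 honeywall kernel: IN=br0 OUT= SRC=10.0.0.5 DST=10.0.0.15 PROTO=ICMP TYPE=8 CODE=0
Dec 15 10:01:04 honeywall kernel: IN=br0 OUT= SRC=10.0.0.5 DST=10.0.0.16 PROTO=ICMP TYPE=8 CODE=0
Dec 15 10:02:10 honeywall kernel: IN=br0 OUT= SRC=10.0.0.12 DST=10.0.0.20 PROTO=ICMP TYPE=8 CODE=0
Dec 15 10:02:10 honeywall kernel: IN=br0 OUT= SRC=10.0.0.12 DST=10.0.0.21 PROTO=ICMP TYPE=8 CODE=0
Dec 15 10:02:11 honeywall kernel: IN=br0 OUT= SRC=10.0.0.12 DST=10.0.0.22 PROTO=ICMP TYPE=8 CODE=0
Dec 15 10:02:11 honeywall kernel: IN=br0 OUT= SRC=10.0.0.12 DST=10.0.0.23 PROTO=ICMP TYPE=8 CODE=0
Dec 15 10:03:00 honeywall kernel: IN=br0 OUT= SRC=10.0.0.99 DST=10.0.0.1 PROTO=TCP SPT=41022 DPT=80
Dec 15 10:03:05 honeywall kernel: IN=br0 OUT= SRC=10.0.0.99 DST=10.0.0.1 PROTO=TCP SPT=41023 DPT=80
Dec 15 10:03:06 honeywall sshd[412]: Accepted publickey for admin from 10.0.0.2
"""

# Only the fields the graph needs; any syslog line without them (e.g. the sshd line) is ignored.
LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+).*?PROTO=(\S+)")


def parse_iptables_log(text):
    """Return (src, dst, proto) tuples for every line carrying SRC/DST/PROTO fields."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append(m.groups())
    return records


def build_edges(records):
    """Collapse packet records into a directed edge list: (src, dst) -> packets seen."""
    edges = defaultdict(int)
    for src, dst, _proto in records:
        edges[(src, dst)] += 1
    return dict(edges)


def to_afterglow_csv(edges):
    """Serialize the edges in afterglow's two-column 'source,target' CSV form, one line per distinct edge."""
    return "\n".join(f"{src},{dst}" for src, dst in sorted(edges))


def fan_out(edges):
    """Distinct destinations contacted per source: the feature that makes a sweeping worm visible."""
    targets = defaultdict(set)
    for src, dst in edges:
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def flag_scanners(edges, threshold=4):
    """Sources whose fan-out reaches the (assumed) threshold, highest first: candidate infected nodes."""
    return sorted(((s, n) for s, n in fan_out(edges).items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    edges = build_edges(parse_iptables_log(SAMPLE_LOG))
    print(to_afterglow_csv(edges))          # feed this to afterglow to draw the graph
    for src, n in flag_scanners(edges):
        print(f"# {src} contacted {n} distinct hosts")
```

On the constructed sample the CSV has eleven edges, and the fan-out ranking names 10.0.0.5 (six hosts) and 10.0.0.12 (four hosts) while the repeated 10.0.0.99 to 10.0.0.1 web traffic collapses to a single edge; the second scanner being a target of the first is the chain the graph makes obvious at a glance.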
Next time I will blog on easier ways to distribute virtual honeynets by utilizing snapshots.
Author: Landon Lewis
Posted: December 15th, 2006 under SCADA Honeynet.