Honeynet Project | Research | Canadian Institute for Cybersecurity | UNB


The Canadian Honeynet Chapter

The first honeypot studies were released by Clifford Stoll in 1990, and in April 2008 the Canadian Honeynet chapter was founded at the University of New Brunswick.

In computer terminology, a honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems. Generally, honeypots turn the tables between hackers and computer security experts: a honeypot consists of a computer, data or a network site that appears to be part of a network but is actually isolated, and that seems to contain information or a resource that would be of value to attackers. Having a honeypot offers several benefits:

  • Observe hackers in action and learn about their behaviour
  • Gather intelligence on attack vectors, malware, and exploits. Use that intel to train your IT staff
  • Create profiles of hackers that are trying to gain access to your systems
  • Improve your security posture
  • Waste hackers’ time and resources
  • Reduce false positives
  • Cost-effective

Our primary objectives are to gain insight into the security threats, vulnerabilities and behaviour of attackers, investigate the tactics and practices of the hacker community, and share lessons learned with the IT community and appropriate forums in academia and law enforcement in Canada. To that end, CIC decided to use cutting-edge technology to collect a honeypot dataset. For more information or to download the captured data, see HoneynetProject.com.

Report 1: 16-01-2018 to 23-01-2018 (FW: Untangle, SSH Honeypot: Kippo, Analysis Tools: Security Onion)

Report 2: 24-01-2018 to 31-01-2018 (FW: Untangle, SSH Honeypot: Kippo, Analysis Tools: Security Onion)

Report 3: 01-02-2018 to 08-02-2018 (FW: Untangle, SSH Honeypot: Kippo, Analysis Tools: Security Onion, Website: Wordpress)

Report 4: 08-02-2018 to 16-02-2018 (FW: Untangle, Honeypot: Kippo and T-POT, Analysis Tools: Security Onion, Website: Wordpress)

Report 5: 17-02-2018 to 24-02-2018 (FW: Untangle, Honeypot: Kippo and T-POT, Analysis Tools: Security Onion, Website: Wordpress) + (comparing Inside and outside sensors)

Report 6: 24-02-2018 to 09-03-2018 (FW: Pfsense, Honeypot: Kippo and T-POT, Analysis Tools: Security Onion, Website: Wordpress) + (comparing Inside and outside sensors)

Report 7: 10-03-2018 to 23-03-2018 (FW: Pfsense, Honeypot: Kippo and T-POT, Analysis Tools: Security Onion, Website: Wordpress) + (comparing Inside and outside sensors)

Report 8: 24-03-2018 to 06-04-2018 (FW: IPCop, Honeypot: Kippo and T-POT, Analysis Tools: Security Onion, Website: Wordpress)+ (comparing Inside and outside sensors)

Report 9: 06-04-2018 to 20-04-2018 (FW: IPCop, Honeypot: Kippo and T-POT, KFSensor, Analysis Tools: Security Onion, Website: Wordpress) + (comparing Inside and outside sensors) -> DOS Attack, CVE-2017-7269

Report 10: 20-04-2018 to 04-05-2018 (FW: IPFire, Honeypot: Kippo and T-POT, Amun, HoneyWRT - Analysis Tools: Security Onion, Website: Wordpress) + (comparing Inside and outside sensors) -> 11K attacks, CVE-2017-7269, CVE-2017-0143

Report 11: 04-05-2018 to 18-05-2018 (FW: shorewall, Honeypot: Cowrie and T-POT, Cisco ASA, Hontel - Analysis Tools: Security Onion, Website: Wordpress) + (comparing Inside and outside sensors) -> CVE-2017-0143, 664,589 logs, 48k attacks, Screenshot of the real attacker's behaviour supported by ActivTrak

Report 12: 18-05-2018 to 01-06-2018 (FW: shorewall, Honeypot: Cowrie and T-POT, Cisco ASA, Hontel, StrutsHoneypot, CIC Threat Hunting - Analysis Tools: Security Onion, Website: Wordpress) + (comparing Inside and outside sensors) -> CVE-2017-0143, 626,661 logs, 45k attacks, Screenshot of the real attacker's behaviour supported by ActivTrak

Report 13: 01-06-2018 to 15-06-2018 (FW: Untangle, Honeypot: Cowrie and T-POT, Cisco ASA, Hontel, StrutsHoneypot, CIC Threat Hunting - Analysis Tools: Security Onion, Website: Wordpress) + (comparing Inside and outside sensors) -> CVE-2017-0143, 649,664 logs, 87k attacks, Screenshot of the real attacker's behaviour supported by ActivTrak

Report 14: 15-06-2018 to 29-06-2018 (FW: Untangle, Honeypot: Cowrie and T-POT, Cisco ASA, Hontel, StrutsHoneypot, CIC Threat Hunting - Analysis Tools: Security Onion, Website: Wordpress) + (comparing Inside and outside sensors) -> CVE-2017-0143, 65k logs, 100k attacks, Screenshot of the real attacker's behaviour supported by ActivTrak

Report 15: 29-06-2018 to 13-07-2018 (FW: Untangle, Honeypot: Cowrie and T-POT,  Cisco ASA, Hontel, StrutsHoneypot, CIC Threat Hunting - Analysis Tools: Security Onion, Website: Wordpress)+ (comparing Inside and outside sensors)  -> CVE-2017-0143, 70k logs, 123k attacks, Screenshot of the real attacker's behaviour supported by ActivTrak

Report 16: 13-07-2018 to 27-07-2018 (FW: Untangle, Honeypot: Cowrie and T-POT,  Cisco ASA, Hontel, StrutsHoneypot, CIC Threat Hunting - Analysis Tools: Security Onion, Website: Wordpress)+ (comparing Inside and outside sensors)  -> CVE-2017-0143, 70k logs, 117k attacks, Screenshot of the real attacker's behaviour supported by ActivTrak

Report 17: 10-08-2018 to 24-08-2018 (FW: Untangle Analyser: Security Onion, Cowrie and T-POT, Cisco ASA, Hontel, StrutsHoneypot, phpMyAdmin, CIC Threat Hunting, Website: WordPress) + (comparing Inside and outside sensors) -> CVE-2017-0143, 60k logs, 81k attacks, Screenshot of the real attacker's behaviour supported by ActivTrak

Report 18: 24-08-2018 to 7-09-2018 (FW: Untangle; Honeypot: Cowrie and T-POT, Cisco ASA, Hontel, StrutsHoneypot, phpMyAdmin; Analyser: Security Onion, CIC Threat Hunting; Website: WordPress) + (comparing Inside and outside sensors) -> CVE-2017-0143, 76k attacks, Screenshot of the real attacker's behaviour supported by ActivTrak, Online analysed data by CICFlowmeter

Report 19: 07-09-2018 to 21-09-2018 (FW: Untangle, Honeypot: Cowrie and T-POT, Cisco ASA, Hontel, StrutsHoneypot, CIC Threat Hunting - Analysis Tools: Security Onion, Website: Wordpress)+ (comparing Inside and outside sensors)  -> CVE-2017-0143, 157k attacks, Screenshot of the real attacker's behaviour supported by ActivTrak, Online analysed data by CICFlowmeter

Report 20: 21-09-2018 to 05-10-2018 (FW: Untangle, Honeypot: Cowrie and T-POT, Cisco ASA, Hontel, StrutsHoneypot, CIC Threat Hunting - Analysis Tools: Security Onion, Website: Wordpress)+ (comparing Inside and outside sensors)  -> CVE-2017-0143, 45K attacks, Screenshot of the real attacker's behaviour supported by ActivTrak, Online analysed data by CICFlowmeter

Report 21: 05-10-2018 to 19-10-2018 (FW: Untangle, Honeypot: Cowrie and T-POT, Cisco ASA, Hontel, StrutsHoneypot, CIC Threat Hunting - Analysis Tools: Security Onion, Website: Wordpress)+ (comparing Inside and outside sensors)  -> CVE-2017-0143, 50K attacks, Screenshot of the real attacker's behaviour supported by ActivTrak, Online analysed data by CICFlowmeter

As of January 2019, all reports and captured data are publicly available at HoneynetProject.com.