Honeypots 101

The world of honeypots is pretty big. You’d think there’d maybe just be one or two go-to implementations, but that’s just not the case. There are hundreds of honeypots for almost everything imaginable. Some require a lot of continual tweaking and monitoring while others are pretty much set-and-forget. There are ones that take the perspective of the server and others that look at it from the client side. Some focus more on the ports and protocols level while others dig deep into the innards of applications. There are lightweight ones you can run on an old laptop and “heavy” ones that require their own dedicated server with plenty of processing power.

(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Infosec Blogs/Podcasts. -grecs)

As you can tell, the world of honeypots can be quite overwhelming if you’re just trying to figure out where to start, and that’s where this few-month-old report titled “Proactive detection of security incidents II – Honeypots” by the European Network and Information Security Agency (ENISA) comes into play. Personally, I’ve never had the opportunity to set up and run a honeypot before but with the release of this nice report, it’ll definitely give me a better starting point when I do. Here is some key information from this report … with just the facts.

As you can see from the reprinted tables below, ENISA evaluated around 30 honeypots. They provide a nice overview of all the honeypots they evaluated as well as ratings for various criteria.

Page 11 of the report contained the first half of the honeypots ENISA evaluated.

Page 12 listed the remaining honeypots and the legend.

In the end, for their specific needs of finding the best honeypots for CERTs, they recommended the following groupings.

The Quick Win

ENISA recommended the following honeypots to be used immediately for most CERTs. The listing mainly consists of low-interaction server-side honeypots.

  • Dionaea (follow-on to Nepenthes; most highly recommended)
  • Glastopf (web attacks)
  • Kippo (SSH attacks)
  • Honeyd (good all-around solution but limited development activity)

With Additional Effort

For those CERTs with additional resources, they recommended the following set of client-side honeypots for detecting malicious websites.

  • Thug (low interaction; good for verifying suspicious links)
  • Capture-HPC NG (high interaction; systematically check suspicious links & monitor a set of protected sites)

For the Researchers

  • Argos (high-interaction server honeypot)
  • Cuckoo Sandbox (client honeypot)


  • SurfIDS (good for deploying a network of honeypots functioning as sensors)

Obviously, for a more in-depth understanding of all the honeypots they evaluated and a better comprehension of their selections, please read the report for yourself. Depending on your requirements, the best honeypot for you might significantly differ from the ones they selected.


What are your honeypots of choice? Let us know in the comments below. Today’s post pic is from Drupal.org. See ya!
