honeytrap / News: Recent posts

Honeytrap 1.0.0 comes with a totally revised configuration concept which makes module handling much more flexible. The system was also redesigned to put more tasks into modules. Analysis plugins can now create "virtual attacks" which can be further processed with other plugins. This release also introduces 3 new
plugins:

o htm_httpDownload invokes an external program to retrieve files via HTTP
o htm_ClamAV scans downloaded binaries using the ClamAV anti virus engine
o htm_SaveFile stores attack information in directories on a harddrive

Honeytrap 0.7.0 introduces priorities for plugins, a nfnetlink_queue-based
network stream monitor and sha512 hashing support. Other changes include
lots of fixes and performance improvements. The compile process should be
more stable now.

Honeytrap 0.6.4 includes lots of fixes and
improvements. New features are UDP support and a
module for locality sensitive hashing that can be
used to recognize an attack as new.

This honeytrap version just adds a new feature to the
htm_ftpDownload plugin: an IP address or hostname can be
configured that is used to bind a socket for FTP data
connections. This makes it possible to use the module even
behind NAT if the requested ports are forwarded to honeytrap.
Small modifications include a non-zero backlog queue for
dynamic listeners to catch even more connections and the
determination of operation modes already within the network
stream monitors.

This release of honeytrap version 0.6.3 basically follows the
"release early, release often" philosopy. It mainly contains
improvements and bug fixes. There is also a new plugin
available that recognizes and decodes some base64 encoded
exploits. Attacks are only processed up to a configurable byte
limit now to prevent a denial-of-service due to memory
exhaustion. Mirror connections are established using
non-blocking techniques with a smaller timeout to avoid
simultane connection timeouts which led to failed exploit
attempts in older versions.

Honeytrap version 0.6.2 comes with lots of new features. A new,
libipq-based connection monitor as alternative to the pcap
sniffer was added. Using the new 'proxy' mode, connections
can not only be mirrored back to the initiator, but proxied to
other systems and ports. The appropriate connection handling
mode can optionally be configured idividually for every TCP
port. Thus, honeytrap can now be set up as a meta-honeypot,
proxying connections to other honeypots or real services or
acting on them with own routines. Some bugs were fixed. Recent
*BSD platforms are supported now.

honeytrap 0.6.1 was just released. The plugin interface for module loading at runtime has grown to be usable. Dumping of attack strings and the ftp and tftp downloaders are implemented as modules now. Program configuration was reviewed and can be reprocessed by sending a SIGHUP. A few bugs are fixed and some cosmetical changes were made.