HoneyC FAQ

Under what license is HoneyC written and distributed?

The GNU General Public License.

How do client honeypots differ from traditional honeypots?

Traditional honeypots passively wait to be probed, attacked, and compromised. These honeypots capture active attacks, such as worms. Client honeypots reverse this situation. Instead of passively waiting to be attacked, client honeypots actively crawl the web in search of servers that exploit the client as part of the server response.

What other open-source client honeypots exist?

HoneyClient at http://www.honeyclient.org/trac and Capture at https://projects.honeynet.org/capture-hpc

How does HoneyC differ from HoneyClient or Capture?

HoneyClient and Capture crawl the web with a real browser (Internet Explorer) and perform the analysis for exploits based on the state of the OS. As such, they are classified as high interaction client honeypots. HoneyC, on the other hand, uses emulated clients (e.g. wget to emulate Internet Explorer) and an analysis engine that might make use of an algorithm other than OS state inspection (e.g. signature matching). As such, HoneyC is classified as a low interaction client honeypot.

What is the Visitor component?

The Visitor is the component responsible for interacting with the server. The Visitor usually makes a request to the server, then consumes and processes the response. As of version 1.0.0, HoneyC contains a web browser visitor component that visits web servers.

What is the Queuer component?

The Queuer is the component responsible for creating a queue of servers for the Visitor to interact with. The Queuer can employ several algorithms to create the queue of servers, such as crawling, scanning, utilizing search engines, etc. As of version 1.0.0, HoneyC contains a Yahoo search queuer that creates a list of servers by querying the Yahoo Search API. A simple list queuer, added in version 1.1.2, allows a static list of server requests to be put into the queue.

What is the Analysis Engine?

The Analysis Engine is the component responsible for evaluating whether the security policy has been violated after the Visitor interacted with the server. This can be done by inspecting the state of the environment, analyzing the response based on signatures or heuristics, etc. As of version 1.0.0, HoneyC contains a simple analysis engine that generates Snort fast alerts based on Snort signature matching against web server responses.
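
The following sketch shows how the three components described above fit together: a list queuer feeds a visitor, and an analysis engine matches signatures against each response. It is an added example, not HoneyC's own code; the class names, signature ids, alert layout (only loosely modelled on Snort fast alerts) and the in-memory responses are all assumptions made for illustration.

```ruby
# Added illustration of the queuer -> visitor -> analysis engine flow.
# All class names, signatures and responses are constructed, not HoneyC's code.

# Constructed server responses standing in for live HTTP fetches (runs offline).
SAMPLE_RESPONSES = {
  "http://benign.example/"  => "<html><body><h1>Welcome</h1></body></html>",
  "http://suspect.example/" => "<html><iframe src='http://x.example/' width=0 height=0></iframe></html>",
}.freeze

# Simplified content signatures (hypothetical sids; real Snort rules carry more options).
SIGNATURES = [
  { sid: 1_000_001, msg: "zero-size iframe in response", pattern: /<iframe[^>]*\b(?:width|height)\s*=\s*["']?0\b/i },
  { sid: 1_000_002, msg: "document.write of unescaped data", pattern: /document\.write\s*\(\s*unescape\s*\(/i },
].freeze

# Queuer: produces the server requests to visit (static list variant).
class ListQueuer
  def initialize(urls); @urls = urls; end
  def each_request(&block); @urls.each(&block); end
end

# Visitor: makes the request and hands back the response body for analysis.
class StubVisitor
  def initialize(responses); @responses = responses; end
  def visit(url); @responses.fetch(url, ""); end
end

# Analysis engine: matches every signature against the response, returns alert lines.
class SignatureEngine
  def initialize(signatures); @signatures = signatures; end

  def analyze(url, body)
    @signatures.select { |s| body.match?(s[:pattern]) }
               .map { |s| "[**] [1:#{s[:sid]}:1] #{s[:msg]} [**] {TCP} #{url}" }
  end
end

# Drains the queue: visit each server, analyze the response, collect alerts.
def run_pipeline(queuer, visitor, engine)
  alerts = []
  queuer.each_request { |url| alerts.concat(engine.analyze(url, visitor.visit(url))) }
  alerts
end

if __FILE__ == $PROGRAM_NAME
  puts run_pipeline(ListQueuer.new(SAMPLE_RESPONSES.keys),
                    StubVisitor.new(SAMPLE_RESPONSES),
                    SignatureEngine.new(SIGNATURES))
end
```

Because the analysis works only on the response content, a server whose response matches no signature produces no alert, which is the trade-off of the low interaction approach compared with OS state inspection.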

When was the HoneyC project started?

July 2006