We will provide live commit logs here soon. Until then feel free to view the mwcollect.org repository with Trac.
PE Hunter is a little snort plugin (aka dynamic preprocessor) for extracting Windows executables (files in PE format) from the network stream.
To do so, it first spots a PE header and then uses a simple heuristic to calculate the file length. Starting at the header offset in the stream, that number of bytes is then dumped to a file.
This technique does not work for some specially crafted binaries, e.g., self-extracting archives or other programs that carry additional data after the end of the last section, since there is no way to passively identify such data in a stream. However, I found it to work for most malware out there, and that is what PE Hunter was actually written for: sitting in front of honeypots to grab malware from the wire.
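To make the approach concrete, here is an added Python example (not PE Hunter's own code, whose exact heuristic is not shown on this page). It assumes the common heuristic "the file ends where the highest section's raw data ends, or where the headers end if that is larger", locates a `MZ`/`PE\0\0` header in a byte stream, parses the COFF header and section table, and carves that many bytes. The sample stream, the `build_sample_pe` helper and the HTTP-like prefix are constructed for the example; the trailing overlay bytes show the limitation described above: data after the last section is not part of the carved file.

```python
"""Carve PE files out of a byte stream by locating a PE header and
estimating the file length from the section table (constructed example)."""
from __future__ import annotations
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40 bytes per section header


def find_pe_headers(stream: bytes) -> list[int]:
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits = []
    pos = stream.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(stream):
            (e_lfanew,) = struct.unpack_from("<I", stream, pos + 0x3C)
            sig = pos + e_lfanew
            # Sanity-bound e_lfanew so random 'MZ' bytes in traffic are rejected cheaply.
            if 0x40 <= e_lfanew <= 0x400 and stream[sig:sig + 4] == PE_SIG:
                hits.append(pos)
        pos = stream.find(MZ, pos + 1)
    return hits


def estimate_pe_length(stream: bytes, offset: int) -> int | None:
    """Heuristic length: end of headers or end of the last section, whichever is larger.
    Returns None while the headers have not fully arrived yet."""
    (e_lfanew,) = struct.unpack_from("<I", stream, offset + 0x3C)
    coff = offset + e_lfanew + 4
    if coff + 20 > len(stream):
        return None
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, stream, coff)
    opt = coff + 20
    sec_tab = opt + opt_size
    if sec_tab + nsec * SECTION_SIZE > len(stream):
        return None
    # SizeOfHeaders sits at offset 60 of both the PE32 and PE32+ optional header.
    if opt_size >= 64:
        (end,) = struct.unpack_from("<I", stream, opt + 60)
    else:
        end = sec_tab + nsec * SECTION_SIZE - offset
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_FMT, stream, sec_tab + i * SECTION_SIZE)
        raw_size, raw_ptr = fields[3], fields[4]
        if raw_ptr == 0:  # uninitialised (.bss-style) sections occupy no file bytes
            continue
        end = max(end, raw_ptr + raw_size)
    return end


def carve_pe_files(stream: bytes) -> list[bytes]:
    """Return every PE file that is completely present in the stream."""
    out = []
    for off in find_pe_headers(stream):
        length = estimate_pe_length(stream, off)
        if length is not None and off + length <= len(stream):
            out.append(stream[off:off + length])
    return out


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: 512-byte headers plus two sections (1280 bytes)."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 60, 512)                         # SizeOfHeaders
    secs = struct.pack(SECTION_FMT, b".text\0\0\0", 0x200, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".data\0\0\0", 0x100, 0x2000, 256, 1024, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + PE_SIG + coff + bytes(opt) + secs).ljust(512, b"\0")
    return headers + b"\xCC" * 512 + b"\xAA" * 256


# Constructed stream: an HTTP-like prefix, the PE, then overlay bytes that the
# heuristic cannot attribute to the file.
SAMPLE_STREAM = b"HTTP/1.0 200 OK\r\n\r\n" + build_sample_pe() + b"OVERLAY-DATA\r\n"

if __name__ == "__main__":
    for i, blob in enumerate(carve_pe_files(SAMPLE_STREAM)):
        print(f"carved file {i}: {len(blob)} bytes")
```

Note that `carve_pe_files` only emits a file once the stream holds all of the estimated bytes, which is the natural place for a preprocessor to buffer while a download is still in flight; the overlay after the last section is simply left in the stream.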
Interested? It's GPL and it's all free! Just get the source from here or check it out from our subversion repository:
svn co https://svn.mwcollect.org/pehunter pehunter-svn
There is also a standalone daemon available which accepts input on a UNIX socket. A first version ports the functionality of the snort preprocessor. The package also contains a simple client for submitting files to pehuntd.
Problems? Suggestions? Drop me a mail.