The project

The technical framework of Saher-HoneyNet is based on a collection of open source tools used for attack detection and data analysis with a very powerful graphical interface for data visualisation.

The following diagram illustrates the framework structure:

Information flow

The coordination process aims to share relevant information about attacks and sources of malicious traffic with all concerned parties. The exchange is done based on emails and phone communications especially while dealing with very serious cases or with privileged partners.

The tunCERT is developing a new application to ensure faster, more reliable and more secure way to exchange data base on web service technology.

The following diagram illustrates the communication links between involved parties.

Used technologies:

From the starting of the project, the team tried to be up-to-date in term of used technologies; they tested all detection and honyepotting tools and tried to choose the most reliable ones.
In the following table, we present the list of used tools in the current configuration then the list of tools used in older configurations.

Tools used in the current configuration


Current Distributed Intrusion Detection Systems (D-IDS) are most often based on a client-server approach where the client is called a sensor. These sensors often contain a honeypot and/or a passive analysis tool like snort.


The SMTP honeypot is a stand-alone honeypot, which was developed to analyze malicious e-mails as a way for spreading malware and use these data in Surfnetids system.


Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker. Kippo is inspired, but not based on Kojoney.


Dionaea is meant to be a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls


Glastopf is a Honeypot which emulates thousands vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: Reply the correct response to the attacker exploiting the web application.

Honeynet Webviz

Creating a 3D Earth Visualization, that will show malware/attack analysis on a time line basis with heat map tiles and mesh structure.

Tools used in old Configurations


Honeywall is a proof of concept of network security hardware device capable of translate and forward packets. Designed for high availability, Honeywall is able to provide load balancing and anti flooding. Unlike a firewall, it does not block packets.


Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses.


Honeytrap is a low-interaction honeypot daemon for observing attacks against network services. In contrast to other honeypots, which often focus on malware collection, honeytrap aims for catching the initial exploit – It collects and further processes attack traces.


Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities.


An emulator for capturing zero-day attacks: Argos is a full and secure system emulator designed for use in honeypots. It is based on Qemu, an open source emulator that uses dynamic translation to achieve a fairly good emulation speed.


Kojoney is a low level interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.