SharkFest Wireshark Developer and User Conference
Analyzing Honeypot Traffic
SharkFest is an annual event where experts from around the world converge to teach and collaborate on cybersecurity, networking, and all of the ways that packet captures can be used to improve analysis of complex problems.
Our own Tom Peterson was a featured instructor at SharkFest 2020. This is the second time he was invited to speak; you may have caught his talk in 2019 on “How TCP reassembly can be used to hide attacks”. This time he gave a seminar titled “Analyzing Honeypot Traffic”. From the abstract:
Securing a network starts with configuring a minimal set of services and only accepting the traffic required for those services. A honeypot is configured to attract the opposite and can be used to detect and analyze potential threats.
In this session we will discuss the different types of honeypots and what each type is designed for. Next, we’ll look at how to deploy a TCP honeypot to accept all of the traffic sent to a server on the internet and how to analyze a capture file of this. We’ll examine how to use Wireshark for this as well as tools including Suricata and Zeek. What do you think will happen when we listen to all of the traffic being sent?
This seminar includes lessons we learned running honeypots of our own and analyzing network captures of the activity. It’s interesting and exciting stuff, and shows how packet captures combined with CloudShark tools like Threat Assessment and Zeek logs can reveal all kinds of helpful details.
Tom was featured alongside other experts including Sake Blok, Betty DuBois, Chris Greer, and Jasper Bongertz, who also presented and gave pre-conference classes on a number of topics. Tom’s seminar and the majority of the events at SharkFest are shown in the SharkFest Retrospective.