The Honeynet Project

In a previous blog, we showed off some heatmaps that were supposed to help answer the question "Where does SPAM come from?". The problem with these maps, is that they are the combination of months of data without any respect to time.

So I set out to show the same information in a video to help answer a broader question "When and Where does SPAM come from?". Each red flash represents a moment in time that a point on the earth sent us some spam.

Without further ado, here is a video of about a week's worth of SPAM on the planet Earth:

When zooming in on Europe, notice the 'Blue Banana', which is a discontinuous corridor of urbanisation in Western Europe is once again evident, as it was with the European heatmap. From North West England to Milan, 90 million people live in this corridor, and evidently a fair few of them have computers that send us SPAM. They call it a banana because of it's curvature but I've no idea why its blue.

We were hoping to see a 'follow the sun' aspect emerge, thinking that as people turn their computers off and go to bed, less spam will come from infected hosts in that timezone. This sounds reasonable, but it really only shows up to a fairly small degree in the video. It seems people don't turn infected hosts off at night. SPAM it seems, is 24x7.

We've also done the same technique for the location of network borne malware (worms) seen by our Australian SensorNET, in fact dataset with an IP and a timestamp - we can create a video of now. Feel free to contact us if you have an interesting dataset.
I used a product called 'logster' to do these videos, it is designed to read weblog files so that you can get an idea of who and when people visited your website. However you can use any dataset with an IP and timetamp, and parse it to make it look like an apache weblog file easily enough. This is what we (Thanks DavidZ) did with our nepenthes and SPAM data sets. Logster is another good analysis tool to have in the kit.

If you have a SPAM feed you would like to provide to the project, please email us at contact@honeynet.org.au

Hi Folks,

I worked on the Front-End to make my interface more user-friendly, I don't detail every modifications, we can split them in three:

• Profile Management
• Organisation Management
• Honeyclient Management

My code is under Honeynet Subversion so you can consult it if you're curious !
I also corrected a lot of bugs even if some of them are a bit persistent....

• GSoc Project #9 - Managing Honeypot Clients

Since my last update, I've separated the visualizations by IP address, along with adding a few cosmetic additions (lines to the next event in the height different experiment), although there's still a little bit of work to separate that visualization into different IPs.  I've also added camera controls, the basic WSAD at the moment, so that a user can scroll up, down, left, and right, depending on how many host machines there are, as well as how many events there are.  There was also some work on the backend as well, to make the files a little easier to read, as well as adding more commen