DNS Sinkhole and Honeypot to Record URLs accessed


L1 Bithead

We've set up a DNS sinkhole and it works as expected. We're able to find out which IP addresses tried to access malicious sites. However, we won't be able to see the URLs these IPs were trying to access. We're thinking of building a honeypot (or maybe something else) to accept access requests from these IPs and set the sinkhole IP address to this machine. That way we will be able to record the URLs these IPs try to access. Does anyone know what software we can use to achieve this goal? All we need is to finish the three-way handshake and record the URL requested.

1 REPLY

Cyber Elite

@Yang_Chen,

So you don't really need a 'honeypot' in the sense that you are thinking. Any type of Application Delivery Controller would do this for you, as it would generate an error in its logs that you wouldn't have a rule allocated to tell it where to send that traffic. I would set up one of these types of devices and set that as your sinkhole. The logs would show the requested URL and indicate that it didn't know where to send it, but it would give you something to actually look at.

As far as an actual 'honeypot' for this type of thing I'm sure they are out there, but I can't seem to find any with a quick Google search easily. 
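As an added example (not part of the thread and not taken from any product mentioned in it), a minimal Python listener for the sinkhole address that completes the TCP handshake, rebuilds the requested URL from the request line and `Host` header, logs one JSON line per connection, and answers 404. The function names and port 8080 are assumptions; it covers plain HTTP only, so a TLS connection is logged as non-HTTP bytes with no URL.

```python
import json
import socketserver
import time

MAX_HEAD = 8192  # stop reading after this many bytes per connection

def parse_request(raw: bytes):
    """Return (method, url) for an HTTP request head, or None if it is not HTTP."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # e.g. a TLS ClientHello sent to this port
    method, target, _ = parts
    if target.lower().startswith(("http://", "https://")):
        return method, target  # proxy-style request already carries the full URL
    host = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return method, f"http://{host}{target}"

def log_record(client_ip: str, raw: bytes, now=None) -> str:
    """One JSON line per connection; json.dumps escapes client-controlled bytes."""
    rec = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)), "src": client_ip}
    if parsed := parse_request(raw):
        rec["method"], rec["url"] = parsed
    else:
        rec["non_http_bytes"] = len(raw)
    return json.dumps(rec)

class SinkholeHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)  # do not let idle clients hold threads
        raw = b""
        try:
            while b"\r\n\r\n" not in raw and len(raw) < MAX_HEAD:
                chunk = self.request.recv(1024)
                if not chunk:
                    break
                raw += chunk
            self.request.sendall(b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")
        except OSError:
            pass  # timeout or reset: still log whatever arrived
        print(log_record(self.client_address[0], raw), flush=True)

if __name__ == "__main__":  # port 8080 is an assumption; the sinkhole IP would serve 80
    socketserver.ThreadingTCPServer(("0.0.0.0", 8080), SinkholeHandler).serve_forever()
```

Each log line pairs the source IP with the full URL, which can be joined against the sinkhole DNS log by client address and time.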
