We publish our reports and the details of our honeynets here. In the reports we describe the lessons learned with our honeynets and our future lines of investigation.
Our publicly available reports are listed below:
We are currently working with the Honeynet described below. Part of its activity is detailed in several kinds of logs:
The following diagram illustrates the overall architecture of a Virtual GenII Honeynet. The most common tools used here are Iptables, Snort, and Swatch for the Data Control, Data Capture and Alerting functions.
The Honeywall is configured to block any outgoing connection from the Honeynet to the Production network (see our modifications of the honeywall.conf and rc.firewall files in the Tools Section). In the near future, this feature will be implemented in the Honeywall CDROM and called whitelisting/blacklisting.
As the whole Virtual Honeynet is installed on a single physical machine, it can be managed entirely remotely by accessing the Host OS. This makes its administration and support easier, without needing the physical presence of an operator. We have learned how to deploy this kind of Honeynet, solving several problems related to VMware and the Honeywall, and taking advantage of the easier management of the honeypots.
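A minimal data-control fragment of the kind described above, added here as an illustration; it is not the project's own honeywall.conf or rc.firewall modifications. The subnets, the chain name and the dry-run default (printing the rules instead of applying them) are assumptions:

```shell
#!/bin/sh
# Added example: Honeywall-style data control that logs and drops any connection
# a honeypot tries to open toward the production network, while still letting
# replies to production-initiated connections flow back.
# Subnets and the chain name are constructed placeholders, not the project's values.
HONEYNET_NET="${HONEYNET_NET:-192.0.2.0/24}"        # honeypot subnet (placeholder)
PRODUCTION_NET="${PRODUCTION_NET:-198.51.100.0/24}" # production subnet (placeholder)
IPT="${IPT:-echo iptables}"   # dry run by default; set IPT=iptables to apply for real

# Emit the FORWARD-chain rules the bridging Honeywall applies to honeynet traffic.
honeywall_data_control() {
    # Dedicated chain so the data-control policy is easy to audit and flush.
    $IPT -N HONEYNET_OUT
    $IPT -F HONEYNET_OUT
    # Replies to connections opened from the production side are allowed back;
    # a honeypot's own SYN toward production is NEW and falls through to the drop.
    $IPT -A HONEYNET_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log (rate limited, so a scan cannot flood syslog), then drop.
    $IPT -A HONEYNET_OUT -d "$PRODUCTION_NET" -m limit --limit 5/min \
        -j LOG --log-prefix "HW_BLOCK_PROD: "
    $IPT -A HONEYNET_OUT -d "$PRODUCTION_NET" -j DROP
    # Everything else leaving the honeynet is still subject to the rest of rc.firewall.
    $IPT -A HONEYNET_OUT -j RETURN
    # Hook the chain in first for packets sourced from the honeynet.
    $IPT -I FORWARD 1 -s "$HONEYNET_NET" -j HONEYNET_OUT
}

# Number of emitted rules that match the production network (one LOG, one DROP).
count_production_rules() {
    honeywall_data_control | grep -c -e "-d $PRODUCTION_NET"
}
```

Swatch can then watch syslog for the HW_BLOCK_PROD prefix to raise an alert when a honeypot starts probing the production side.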
