CIC Honeynet - Dataset

Our DataSet

Our primary objectives are to gain insight into the security threats, vulnerabilities and behaviour of attackers, to investigate the tactics and practices of the hacker community, and to share lessons learned with the IT community and appropriate forums in academia and law enforcement in Canada. To that end, CIC decided to use cutting-edge technology to collect a honeypot dataset. For more information or to request the captured data, please contact us at
In the internal network, three PCs run the CIC-Benign behavior generator (an agent developed in house), which produces internet surfing, FTP uploading and downloading, and emailing activity. In addition, four servers have been installed to provide common services: a web server with WordPress and MySQL, an email server (Postfix), a file server (Openmediavault) and an SSH server. We will change our firewall structure every month to test different brands.
All traffic is captured through the internal TAP and the external TAP and analyzed by CICFlowMeter, which extracts more than 80 traffic features. The source code of CICFlowMeter is available on GitHub. We used Cowrie to mimic SSH inside the firewall and capture the user commands. Some easy passwords, such as 1234, 123…, are entered in the Cowrie database to make it vulnerable to attackers.
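As an added example (not code from CIC or the Cowrie project), the sketch below shows how the user commands Cowrie captures can be grouped per session from its JSON-lines log, using Cowrie's `cowrie.login.failed`, `cowrie.login.success` and `cowrie.command.input` event ids. The sample log lines, session ids and addresses are constructed for illustration, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample in the JSON-lines format Cowrie writes (cowrie.json).
# Addresses are documentation ranges; nothing here comes from the CIC dataset.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","session":"a1","src_ip":"192.0.2.10"}
{"eventid":"cowrie.login.failed","session":"a1","src_ip":"192.0.2.10","username":"root","password":"admin"}
{"eventid":"cowrie.login.success","session":"a1","src_ip":"192.0.2.10","username":"root","password":"1234"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"192.0.2.10","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"192.0.2.10","input":"cat /proc/cpuinfo"}
{"eventid":"cowrie.session.connect","session":"b2","src_ip":"198.51.100.7"}
{"eventid":"cowrie.login.failed","session":"b2","src_ip":"198.51.100.7","username":"admin","password":"password"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":
"""


def summarize_sessions(lines):
    """Group Cowrie events by session id; return (sessions, skipped_line_count)."""
    sessions = defaultdict(
        lambda: {"src_ip": None, "failed": [], "login": None, "commands": []})
    skipped = 0
    for raw in lines:
        if not raw.strip():
            continue
        try:
            ev = json.loads(raw)
            sid, kind = ev["session"], ev["eventid"]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # truncated or non-event line, e.g. a log cut mid-write
            continue
        s = sessions[sid]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        if kind == "cowrie.login.failed":
            s["failed"].append((ev.get("username"), ev.get("password")))
        elif kind == "cowrie.login.success":
            s["login"] = (ev.get("username"), ev.get("password"))
        elif kind == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return dict(sessions), skipped


def interactive_sessions(sessions):
    """Sessions that got past login and typed at least one command."""
    return {sid: s for sid, s in sessions.items() if s["login"] and s["commands"]}


if __name__ == "__main__":
    sessions, skipped = summarize_sessions(SAMPLE_LOG.splitlines())
    for sid, s in interactive_sessions(sessions).items():
        print(sid, s["src_ip"], s["login"], s["commands"])
    print("skipped lines:", skipped)
```

Counting skipped lines rather than silently dropping them makes a truncated or rotated log visible during analysis.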
We also use two new tools, as shown in figure 2: Cisco ASA and Hontel, which are used for specific attacks. Cisco ASA specifically simulates a Cisco ASA device and is capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability. Hontel is a honeypot for the Telnet service. We installed ActiveTrack to monitor users' activity in the internal network, in the hope of grabbing some screenshots of real attackers and the tools they are using in the system.
Click here to see online analysis of honeypot dataset with CICFlowMeter