CIC Honeynet - Dataset

Our DataSet

CIC-Honeynet uses T-POT tool outside the firewall which is equipped with several tool s. T-Pot is based on well-established honeypot daemons which include IDS and other tools for attack submission.

T-Pot is the all in one, optionally distributed, multiarch (amd64, arm64) honeypot plattform, supporting 20+ honeypots and countless visualization options using the Elastic Stack, animated live attack maps and lots of security tools to further improve the deception experience.

T-Pot is based on the Debian 11 (Bullseye) Netinstaller and utilizes docker and docker-compose to reach its goal of running as many tools as possible simultaneously and thus utilizing the host's hardware to its maximum.

The idea behind T-Pot is to create a system, which defines the entire TCP network range as well as some important UDP services as a honeypot . It forwards all incoming attack traffic to the honeypot daemons best suited to respond and process it. T-Pot includes docker versions of the following honeypots:

• adbhoney,
• ciscoasa,
• citrixhoneypot,
• conpot,
• cowrie,
• ddospot,
• dicompot,
• dionaea,
• elasticpot,
• endlessh,
• glutton,
• heralding,
• hellpot,
• honeypots,
• honeytrap,
• ipphoney,
• log4pot,
• mailoney,
• medpot,
• redishoneypot,
• sentrypeer,
• snare,
• tanner

Figure  demonstrates the network structure of the CIC - Honeynet and associated security tools. There are two TAPs for capturing, network activities. Outside the firewall, there is T-POT which captures the users' activities through external-TAP. Behind the Untangle firewall in the internal network Security

Onion has been used to analyze the captured data through internal-TAP. It is a Linux distro for intrusion detection, network security monitoring, and log mana gement. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and other security tool s.

In the internal network three PCs are running the CIC-Benign behavior generator (an in house developed agent), which generates activity such as internet surfing, FTP uploading and downloading, and Emailing. Also, four servers include Webserver with WordPress, and MySQL, Email Server (Postfix), File Server (Openmediavault) and SSH Server have been installed for  different common services. We will change our firewall structure to test different brands every month.