Virtual Honeypots and over one million other books are available for Amazon Kindle. Learn more
CDN$ 42.83
  • List Price: CDN$ 67.99
  • You Save: CDN$ 25.16 (37%)
Only 1 left in stock (more on the way).
Ships from and sold by
Gift-wrap available.
Add to Cart
Have one to sell?
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See this image

Virtual Honeypots: From Botnet Tracking to Intrusion Detection Paperback – Jul 16 2007

Amazon Price New from Used from
Kindle Edition
"Please retry"
"Please retry"
CDN$ 42.83
CDN$ 39.00 CDN$ 23.50

Join Amazon Student in Canada

Customers Who Bought This Item Also Bought


Product Details

Customer Reviews

There are no customer reviews yet on
5 star
4 star
3 star
2 star
1 star

Most Helpful Customer Reviews on (beta) 13 reviews
9 of 9 people found the following review helpful
The best place to start. Sept. 2 2007
By samuel F. stover - Published on
Format: Paperback
Quick disclaimer: I know both authors. That said, I still have no problem pimping this book as "THE BEST PLACE TO START if you want to learn how to use honeypots." Best. Bar none. Par excellence - pick your cliche.

The fact is that these guys have pulled together an immense amount of experience into a book that will have you running your own honeypot in short order, and that's no small task. Setting up a honeypot/honeynet properly is *not* trivial. Tools like honeywall and argos are not for the faint of heart. But with VH, you'll have what you need to get started and most likely succeed.

Beyond the practical (i.e. step-by-step instructions on how to get things working), there is also plenty of theoretical. There truly is something for everyone in this book. Loads of info on low-interaction vs. high-interaction honeypots, plus legal and ethical points to consider for the budding honeypotter.

The proof is in the pudding for me - I now use argos to capture vulnerabilities in the wild, as well as sebek/honeywall/vmware to research worm propagation. I probably would have gotten there without this book, but certainly not as fast. Kudos to the authors - great book guys.

6 of 6 people found the following review helpful
Honeypots made easy Nov. 10 2007
By Chris Gates - Published on
Format: Paperback
Books that put institutional knowledge, or knowledge that people in the industry know but its not written down anywhere, are few and far between. This book succeeds in taking that institutional knowledge and putting it into a readable, functional, and well-organized format.

Before I get into the chapter play by play stuff, let me just say that Chapter 8, Client Honeypots, is worth the price of the book. Client-side attacks are were everything is moving to and the days of a remote OS 0day or quickly fading away. One of the hardest things to automate and teach is client-side attacks because it used to involve user interaction (someone actually clicking on the email, link, .exe), but with the client honeypots they discuss in the book you can automate clicking on emails, clicking on links, spidering websites, and running the executables you download from the sites. You can also monitor your honeypot for changes after running the executable, good stuff!

Most of the other reviewers said you can skip the introductory material, and you could, but its better than the usual "beginning of the book/background" material. The book starts with honeypot/honeynet introduction. Chapter 2 covers high interaction honeypots to include a good chunk of information on VMware and your other "virtual" options including User Mode Linux and Argos. Chapter 3 covers Low interaction honeypots like LaBrea, GHH, and PHP.HoP for your web based low interaction honeypots. Chapters 4 & 5 are a healthy dose of honeyd. Chapter 6 is collecting malware with Nepenthes and Honeytrap. Chapter 7 covers Hybrid systems. Chapter 8 is, as discussed, Client Honeypots. Chapter 9 is on detecting low and high interaction honeypots. Chapter 10 contains Case Studies, Chapter 11 is Tracking Botnets, and Chapter 12 closes out the book with analyzing malware with CWSandbox.

My only gripes about the book were that they failed to talk about persistent versus non-persistent modes in VMware and there as no discussion of identifying VMware and Sebek in Windows. Configuring your virtual machine how you like it, then setting it to non-persistent is a great way to let users or attackers do whatever they want to the OS. The changes survive an OS reboot but if you reboot the virtual machine it goes back to the original state, very handy. The other gripe was a shortage of material on detection of Sebek on Windows hosts, its covered in-depth for Linux though. Detecting VMware and some other honeypot type tools like Sebek in Windows is fairly easy. Simply querying for their respective registry keys usually does the job :-)

Overall, a good book. Its useful, up-to-date, and relevant to security today.
7 of 8 people found the following review helpful
A breakthough work Aug. 21 2007
By Stephen Northcutt - Published on
Format: Paperback
Simply put, this is the best security book I have read this year. A perfect blend of well researched information about honeypots as well as plenty of pragmatic how to do it. Well known respected authors that clearly know their stuff. A nice blend of network and system information to give the read the full picture. The reader will learn a lot of analysis and be exposed to a number of attack signatures. And the information is applicable. That was the huge eye opener for me! I thought honeypots were boutique at best, but the book shows clearly how to use them to augment your intrusion detection capability, to detect malware and to identify botnets. At the exact second the Storm botnet is raging, anti-malware products from Symantec, NAI, Trend Micro just are not getting the job done. A large organization with a low interaction honeypot like honeyd, collapsar or potemkin would be able to track what is happening in their network. In the same way, if you are running nepenthes or roleplayer you can identify (detect) the malware and understand how it is working.

Obviously the book cannot cover each tool in depth, Virtual Honeypots goes into detail for honeyd and nepenthes and serves as a manual to help you get started. This is thrilling reading to the very end, the final three chapters are case studies ( war stories ), tracking botnets and working with the CWSandbox. I absolutely recommend this book and expect that I will keep it near my workstation for the next few months. I read it the first time on airplanes, I live in Hawaii so each trip to the east coast is ten hours airplane time and it took about 20 hours for me to work through the book. I plan to read it at least one more time, but with a computer nearby to try to apply some of this. Hats off to the authors, Provos and Holz for sharing their knowledge with the community.
4 of 4 people found the following review helpful
Most comprehensive information about Honeypots. Aug. 27 2007
By Timo - Published on
Format: Paperback
This book provides the most complete overview of Honeypots. It includes very detailed instructions on how to set up and use tools, and gives many examples for analysis and deployments. I have personally heard about Honeypots a lot, but never set one up myself. This book provided an excellent tutorial to show me how to do it. For both experts and novices, this book is filled with useful information. A must-read for anyone interested in Honeypots & malware simulations in general.
2 of 2 people found the following review helpful
Excellent, modern book on digital defense Jan. 7 2008
By Richard Bejtlich - Published on
Format: Paperback
It's fairly difficult to find good books on digital defense. Breaking and entering seems to be more exciting than protecting victims. Thankfully, Niels Provos and Thorsten Holz show that defense can be interesting and innovative too. Their book Virtual Honeypots is your ticket for deploying defensive resources that will provide greater digital situational awareness.

A security technician with some degree of proficiency should be able to read Virtual Honeypots and then implement at least one of the solutions presented. This sounds like a fairly common event, but too often technical books do not provide the detail required to transform theory into practice. Virtual Honeypots offers installation and operational guidance for a variety of deception and analysis systems, primarily for server-oriented technologies. I especially gained a better understanding of Honeyd and Nepenthes, the two applications about which I cared the most.

While I liked the first 2/3 of the book, I have to say I really enjoyed the last four chapters. These covered Detecting Honeypots, Case Studies, Tracking Botnets, and Analyzing Malware with CWSandbox. Of these the final chapter was superb. Ch 12 has probably the clearest explanation of hooking I've read anywhere. I am not a rootkit writer or Windows kernel programmer, but the text was so well written I had zero problems following along.

I gave Virtual Honeypots five stars because it is so unique and well-written, but I do have a few minor issues to mention. First, I was somewhat disappointed by the honeyclients section (ch 8). I was not as confident that I could implement a honeyclient solution after reading the great material on server-oriented honeypots. Perhaps the second edition or a separate book will give greater attention to this area. Second, I found a few small technical items. On p 4, it isn't accurate to say "TCP...[gives] each packet a sequence number." Bytes of application data are numbered, not packets. On p 13 we are told to use a snaplen of 1500 bytes, but this will cut off the last 14 bytes of many Ethernet frames. Try it with ping -s 1472 while sniffing with Tcpdump. As you can see, these minor issues are easily fixed in a future printing and do not justify dropping a star.

If you are at all interested in potentially deceiving intruders, buy and read Virtual Honeypots. You'll learn about more than VMware (QEMU, UML, etc.) as well as numerous open source tools you can download and try for free. I look forward to reading more from these authors -- perhaps a book of true case studies?