Hornet 7: Network Dataset of Geographically Placed Honeypots

Published: 18 May 2021 | Version 3 | DOI: 10.17632/w6yskg3ffy.3
Contributor:
Veronica Valeros

Description

Hornet 7 is a dataset of seven days of network traffic attacks captured in cloud servers used as honeypots, to help understand how geography may impact the inflow of network attacks. The honeypots were placed in eight different geographical locations: Amsterdam, London, Frankfurt, San Francisco, New York, Singapore, Toronto and Bangalore. The data was captured in April 2021. The eight cloud servers were created and configured simultaneously following identical instructions. The network capture was performed using the Argus network monitoring tool in each cloud server. The cloud servers had only one service running (SSH on a non-standard port) and were fully dedicated to being used as honeypots. No honeypot software was used in this dataset. The dataset consists of eight scenarios, one for each geographically located cloud server. Each scenario contains bidirectional NetFlow files in the following formats:

- hornet7-biargus.tar.gz: all scenarios with bidirectional NetFlow files in Argus binary format;
- hornet7-netflow-v5.tar.gz: all scenarios with bidirectional NetFlow v5 files in CSV format;
- hornet7-netflow-extended.tar.gz: all scenarios with bidirectional NetFlow files in CSV format containing all features provided by Argus;
- hornet7-full.tar.gz: all the data (biargus, NetFlow v5 and extended NetFlows).

Steps to reproduce

This dataset used cloud server instances from Digital Ocean. For this dataset all cloud servers had the same technical configuration:

a) Operating System: Ubuntu 20.04 LTS
b) Instance Capacity: 1 GB / 1 Intel CPU
c) Instance Storage: 25 GB NVMe SSDs
d) Instance Transfer: 1000 GB transfer

Once the cloud instances were created, the servers were configured simultaneously using the parallel-ssh and parallel-scp tools:

1. Update the software repository: `apt update`
2. Install Argus: `apt install -yq argus-client argus-server`
3. Upload the common SSH configuration (SSH on a non-standard port) to each server at /etc/ssh/sshd_config
4. Restart the SSH servers: `/etc/init.d/ssh restart`
5. Upload the common Argus configuration to each server at /etc/argus.conf
6. Start the Argus server: `argus -F /etc/argus.conf -i eth0`
7. Create a folder to store the NetFlow files: `mkdir /root/dataset`
8. Start rasplit to store the network data received by Argus: `rasplit -S 127.0.0.1:900 -M time 1h -w /root/dataset/%Y/%m/%d/do-sensor.%H.%M.%S.biargus`

To read the binary files generated by Argus, use the tool `ra`:

`ra -F ra.conf -n -Z b -r 2021-04-23_honeypot-cloud-digitalocean-geo-1.biargus - "port 22"`

SSH Configuration (/etc/ssh/sshd_config):

```
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication no
PermitRootLogin yes
Port 902
PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
X11Forwarding yes
```

Argus Configuration (/etc/argus.conf):

```
ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
ARGUS_ACCESS_PORT=900
ARGUS_INTERFACE=eth0
ARGUS_FLOW_STATUS_INTERVAL=3600
ARGUS_MAR_STATUS_INTERVAL=60
ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
ARGUS_GENERATE_PACKET_SIZE=yes
ARGUS_GENERATE_JITTER_DATA=yes
ARGUS_GENERATE_MAC_DATA=yes
ARGUS_GENERATE_APPBYTE_METRIC=yes
ARGUS_GENERATE_TCP_PERF_METRIC=yes
ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes
ARGUS_CAPTURE_DATA_LEN=480
ARGUS_BIND_IP="::1,127.0.0.1"
```

Ra configuration (ra.conf):

```
RA_PRINT_LABELS=0
RA_FIELD_DELIMITER=','
RA_USEC_PRECISION=6
RA_PRINT_NAMES=0
RA_TIME_FORMAT="%Y/%m/%d %T.%f"
RA_FIELD_SPECIFIER= stime dur proto:10 saddr:27 sport dir daddr:27 dport state stos dtos pkts bytes sbytes spkts
```
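As an added example (not part of the dataset or its tooling), the following Python reads the comma-delimited NetFlow CSV that `ra` emits under the Ra configuration above and builds the per-port view an analyst would use when comparing the eight scenarios: distinct sources per destination port, and how many flows to the non-standard SSH port were actually established. The sample flows (TEST-NET addresses), the acceptance of numeric protocol values and the function names are assumptions, not data from Hornet 7.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Column order follows RA_FIELD_SPECIFIER from the Ra configuration above.
FIELDS = ["stime", "dur", "proto", "saddr", "sport", "dir", "daddr", "dport",
          "state", "stos", "dtos", "pkts", "bytes", "sbytes", "spkts"]
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}  # assumption: ra -n prints names, -nn numbers
TIME_FORMAT = "%Y/%m/%d %H:%M:%S.%f"  # RA_TIME_FORMAT "%Y/%m/%d %T.%f" with %T expanded

# Constructed sample flows using TEST-NET addresses, not records from Hornet 7.
SAMPLE = """\
2021/04/23 10:15:01.123456,0.000000,tcp,198.51.100.7,44512,->,203.0.113.10,22,REQ,0,0,1,60,60,1
2021/04/23 10:15:02.000321,2.104553,tcp,198.51.100.7,44590,->,203.0.113.10,902,FIN,0,0,22,3360,1680,11
2021/04/23 10:16:11.500000,0.000000,tcp,192.0.2.44,51234,->,203.0.113.10,23,REQ,0,0,1,60,60,1
2021/04/23 10:16:12.000000,0.000000,17,192.0.2.44,51235,->,203.0.113.10,5060,INT,0,0,1,480,480,1
2021/04/23 10:17:00.000000,0.000000,tcp,198.51.100.9,40000,->,203.0.113.10,22,REQ,0,0,1,60,60,1
"""

def parse_ra_csv(text):
    """Yield one dict per flow line, skipping blank lines and malformed rows."""
    for row in csv.reader(line for line in text.splitlines() if line.strip()):
        row = [c.strip() for c in row]  # proto:10 / saddr:27 widths may pad fields
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        rec["stime"] = datetime.strptime(rec["stime"], TIME_FORMAT)
        rec["dur"] = float(rec["dur"])
        rec["proto"] = PROTO_NAMES.get(rec["proto"], rec["proto"]).lower()
        for k in ("dport", "pkts", "bytes", "sbytes", "spkts"):
            rec[k] = int(rec[k])
        yield rec

def summarize(records, honeypot_ssh_port=902):
    """Per (proto, dport): flow count and distinct sources, plus how many flows to
    the non-standard SSH port were actually established (Argus state CON or FIN)."""
    per_port = defaultdict(lambda: {"flows": 0, "sources": set()})
    sources, ssh_completed = set(), 0
    for r in records:
        key = (r["proto"], r["dport"])
        per_port[key]["flows"] += 1
        per_port[key]["sources"].add(r["saddr"])
        sources.add(r["saddr"])
        if key == ("tcp", honeypot_ssh_port) and r["state"] in ("CON", "FIN"):
            ssh_completed += 1
    return {"distinct_sources": len(sources), "ssh_completed": ssh_completed,
            "per_port": {k: {"flows": v["flows"], "sources": len(v["sources"])}
                         for k, v in per_port.items()}}
```

To run it on a real scenario, pass the contents of one CSV file from hornet7-netflow-v5.tar.gz to `summarize(parse_ra_csv(...))`; the per-port counts can then be compared across the eight locations.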

Institutions

Ceske Vysoke Uceni Technicke v Praze

Categories

Applied Sciences, Cybersecurity, Security, Network Security, Incident Response, Networking, Cloud Security, Cloud Droplet, Cyber Attack

Licence