Hello and welcome to the Tuesday, March 31st, 2006 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Orlando, Florida.

And this episode is brought you by the Sands.edu graduate certificate program in Purple Team Operations.

Well, in diaries today, Jesse is asking an interesting question.

Well, first of all, when do Honeypot sessions disconnect?

First of all, a couple statistics here.

Most Honeypot sessions do last a very short time, a couple seconds.

That's no surprise because we have a lot of attackers that will just connect to a quick

you name or a quick check like that and then disconnect again.

Now, there are a couple of outliers.

There are a couple of sessions that last like several minutes.

Also, some sessions that do launch a large number of commands.

Now, quite often these sessions are basically just sort of using these commands to transfer

some kind of binary or such.

So they're not actually sort of distinct different commands, but really

just repeats of the same command and then just adding more data to a particular binary. But what I

find actually most interesting in Jesse's diary is what's the last command that an attacker

executes in the honeypot because that command sometimes gives

away why they're connected to a honeypot or that they're connected to a honeypot.

So Jesse looked at some of these commands and indeed some of these commands have distinct

different return values depending on whether or not they're running in a honeypot or not.

So, well, we'll probably have to fix up some of the responses here to keep them longer entertained in our honeypots.

...