Sanitizing IPs in VMware honeypots

(@audio)

If I set up a Linux honeypot in VMware and, after it has been hacked, take a snapshot, would there be a way to sanitize IPs in memory or the file system so I could redistribute it?

Would I even have to sanitize it? I forget which worm, but there was a popular one that set up a backdoor, and there was a little controversy over people not sanitizing the web server logs when posting them on the internet, which could let other people take advantage of the backdoor.


   
(@kovar)
 

Anyone using your honeypot will need to run NAT to reconnect it to the Internet, if they wanted to do so. If you're using a routable IP address for your honeypot, it will not be routable elsewhere.

I'd set the whole thing up behind a NAT using private address(es) for the NAT. Takes care of obscuring your address and makes it portable.

If you need a live address, get a throwaway IP address, perhaps via DHCP from a coffee shop.

-David


   
(@audio)

Yeah, I'd use NAT and port forwarding to forward vulnerable listening ports such as TCP 22, 445, etc., so it would get attacked.

Anyone analyzing it probably wouldn't want it on the internet or even their local network, but they could change an IP address of a forensic workstation to be on the same network as the honeypot and transfer evidence to the forensic workstation to practice live response.

I still don't know how I could easily sanitize IPs. If I find CC numbers, SSNs, phished passwords, or anything like that, I wouldn't even bother distributing it.


   
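Added example, not part of the thread: one way to sanitize IPs in text logs copied out of a honeypot image. It replaces each public IPv4 address with a stable placeholder from the RFC 5737 documentation ranges and leaves private (NAT) addresses alone. The names `IPSanitizer` and `SAMPLE_LOG` and the log lines are constructed for illustration.

```python
import ipaddress
import re

# RFC 5737 documentation ranges: reserved, never routed, safe to publish.
DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
# Dotted quad that is not part of a longer dotted/digit run.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample lines, not real observations.
SAMPLE_LOG = """\
Mar  3 04:12:55 hp sshd[2211]: Failed password for root from 8.8.8.8 port 4312 ssh2
Mar  3 04:12:58 hp sshd[2211]: Accepted password for root from 8.8.8.8 port 4313 ssh2
Mar  3 04:13:40 hp sshd[2290]: Accepted password for admin from 1.1.1.1 port 5090 ssh2
Mar  3 04:14:02 hp dhclient: bound to 192.168.56.10 -- renewal in 300 seconds
"""


class IPSanitizer:
    """Replace public IPv4 addresses in text with stable placeholders."""

    def __init__(self):
        self.mapping = {}  # real address -> placeholder, kept for review
        self._pool = (h for net in DOC_NETS for h in net.hosts())

    def _replace(self, match):
        token = match.group(0)
        try:
            ip = ipaddress.IPv4Address(token)
        except ipaddress.AddressValueError:
            return token  # not a valid address, e.g. 999.1.1.1
        if not ip.is_global:
            return token  # private, loopback, already-sanitized: keep
        if ip not in self.mapping:
            placeholder = next(self._pool, None)
            if placeholder is None:
                raise RuntimeError("more than 762 distinct public addresses")
            self.mapping[ip] = placeholder
        return str(self.mapping[ip])

    def sanitize(self, text):
        return IPV4_RE.sub(self._replace, text)


if __name__ == "__main__":
    s = IPSanitizer()
    print(s.sanitize(SAMPLE_LOG))
    print({str(k): str(v) for k, v in s.mapping.items()})
```

This covers text files only: addresses stored in packed binary form (memory snapshots, utmp/wtmp, pcap) are not matched by the pattern. Version strings such as `2.6.32.1` parse as addresses, so check `mapping` before publishing.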