A malicious attack is a TCP connection which has been classified as malicious by the honeypot. In this case we can say for certain that the connection (or attack) was malicious. Malicious traffic is, for example, traffic caused by viruses, hackers and bots.
The network ranges of an organisation can be set in the organisation admin page. These ranges are the IP ranges in CIDR notation, separated by a ";". These network ranges are used in the check page and the mail reports to check for attacks sourced from the organisation's own network ranges.
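As an added example (not code from the SURFnet IDS documentation or project), the following Python shows how a ";"-separated CIDR string of this form can be parsed and used to separate attacks sourced from the organisation's own ranges from the rest, which is the check the page describes for the check page and mail reports; the range string and attack records are constructed sample data.

```python
import ipaddress

def parse_network_ranges(ranges):
    """Parse the ';'-separated CIDR list as entered in the organisation admin page.

    Blank entries and surrounding whitespace are tolerated. An entry that is not
    valid CIDR raises ValueError, so a typo in the admin page is noticed instead
    of silently shrinking the set of ranges treated as the organisation's own.
    """
    networks = []
    for entry in ranges.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        # strict=False also accepts host bits set, e.g. "192.0.2.1/24" -> 192.0.2.0/24
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks

def is_own_source(source_ip, networks):
    """True if the attack's source IP lies inside one of the organisation's ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)

def split_attacks_by_origin(attacks, ranges):
    """Split attack records into those sourced from the organisation's own
    ranges and those sourced from outside (what the check page and mail
    reports use the ranges for)."""
    networks = parse_network_ranges(ranges)
    own, external = [], []
    for attack in attacks:
        (own if is_own_source(attack["source"], networks) else external).append(attack)
    return own, external

# Constructed sample data using documentation address ranges, not real sensors.
ORG_RANGES = "192.0.2.0/24; 198.51.100.128/25;"
SAMPLE_ATTACKS = [
    {"source": "192.0.2.77", "type": "malicious"},
    {"source": "198.51.100.200", "type": "possible malicious"},
    {"source": "198.51.100.5", "type": "malicious"},
    {"source": "203.0.113.9", "type": "malicious"},
]

if __name__ == "__main__":
    own, external = split_attacks_by_origin(SAMPLE_ATTACKS, ORG_RANGES)
    print(f"{len(own)} attack(s) from own ranges, {len(external)} from outside")
```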
An organisation identifier is a string that identifies a sensor as belonging to a certain organisation. Each organisation should have at least one identifier, but can have more. These identifiers come in four types:
Whois Netname - This is the string that appears in the netname section when the sensor IP is queried at a whois server.
Domain name - This is the domain name of the sensor. It can be retrieved by doing a reverse DNS lookup for the sensor IP.
SURFnet SOAP - This is a SURFnet specific method.
Random Identifier String - This is a random string that uniquely identifies an organisation. This string can be placed in a file on the sensor. See also RIS.
A Random Identifier String is a unique string that identifies an organisation. To make sure that a certain sensor will always be assigned to the correct organisation you can use this string. Copy and paste the string in a file called “identifier.ris” and put it on the USB stick in the /usbstick/scripts/ directory. This will make sure that the sensor is assigned to the correct organisation when the sensor is first started.
Note: This only works when the sensor hasn’t been started yet.
A possible malicious attack is a connection of which we don't know for certain whether it was malicious. It could be anything from random network traffic and port scans to unknown viruses, 0-day exploits or hackers.
The sensor is a USB stick with a remastered Knoppix distribution on it. The sensor is used on a machine that can boot from USB. On boot the sensor will request certificates and will get a unique name (sensor##), from which point the sensor is visible via the web interface. The sensor itself is only used to create a tunnel between the host machine and the tunnel server.
The local address is the IP address of the sensor itself. In most cases this is the same as the remote IP address. The exception to this rule is NAT'ed networks. In this case the local address is the NAT address and the remote IP is your network gateway address.
The remote address or remote IP is the IP address that's the end point of the tunnel on the sensor side. This is usually the IP address of the sensor itself or the IP address of your local network gateway.
This is the virtual interface that is created on the tunnel server which is in fact the end point of the tunnel. This device is created by OpenVPN and receives an IP address out of the range of the client network.