In this chapter we presented several case studies. In the first part, we focused on nepenthes and how to use it to detect infected clients in a network. This is a very promising use case for honeypots. They are very good at detecting malbehaving machines — in particular since they do not generate false positives. We have introduced Blast-o-Mat and some other examples of how to integrate nepenthes in a given network. You can easily deploy a sensor with several IPs in your local network to obtain a burglar alarm that notifies you once it detects something suspicious. Moreover, we showed in a case study how you can learn more about search worms and how low-interaction honeypots can be used for studying a particular threat.
On the other hand, you can also use high-interaction honeypots to strengthen your network. Deploy several virtual, high-interaction honeypots in "interesting" areas of your network, and closely observe what is happening. If they are probed or even attacked, you again have an early warning sign of an ongoing attack. In the second part of this chapter we presented several case studies of high-interaction honeypots. We described several incidents and presented a detailed timeline together with information about the tools used by the attacker. Expect to also learn similar things when operating high-interaction honeypots! It is a fascinating tool and gives you the opportunity to get in-depth information about attacks.