PANDAcap SSH Honeypot Dataset

This is a dataset of 63 PANDA traces, collected using the PANDAcap framework. The dataset aims to offer a starting point for the analysis of ssh brute force attacks. The traces were collected through the course of approximately 3 days from 21 to 23 February 2020. A VM was configured using PANDAcap so that it accepts all passwords for user root. When an ssh session starts for the user, PANDA is signaled by the recctrl plugin to start recording for 30'.

You can read more details about the experimental setup and an overview of the dataset EuroSec 2020 publication:

• Manolis Stamatogiannakis, Herbert Bos, and Paul Groth. PANDAcap: A Framework for Streamlining Collection of Full-System Traces. In Proceedings of the 13th European Workshop on Systems Security, EuroSec '20, Heraklion, Greece, April 2020. doi: 10.1145/3380786.3391396, preprint: vusec.net

The dataset is split in 3 zip files/directories:

• rr: Contains the 63 PANDA traces of the dataset. The traces are in the upcoming RRArchive format. Note that PANDA support for the format is still wip at the time of writing (April 2020). If you need to downgrade to the traditional PANDA trace format, you can use the snippet in foo.
• qcow: Contains the QCOW base image (ubuntu16-planb.qcow2) used to create the dataset, as well as the disk deltas for the 63 traces. These can be mounted to inspect the contents of the filesystem before and after each session. and disk deltas for the 63 traces. Quick instructions on how to mount and inspect a QCOW image can be found below.
• pcap: Contains the pcap network traces for the sessions in the PANDA traces. These have been extracted using the PANDA network plugin. We decided to also include them in the dataset as standalone files for convenience.

Additionally, we provide the PANDA linux kernel profile ubuntu16-planb-kernelinfo.conf, which can be used to analyze the traces using the PANDA osi_linux plugin.

Additional information:

• To convert RRArchive traces to the traditional PANDA format, run the following snippet inside the rr directory:

  for f in *.tar.gz; do
      tar -zxvf "$f" --exclude=PANDArr --xform='s%/%-%' --xform='s%-metadata%%'
      rm -f "$f"
  done

• If you wish to reuse the VM image in your project, it is available as a standalone download through academictorrents.com, along with more detailed information on its contents.
• If you wish to download individual samples rather than the whole dataset, you can use the dataset torrent file available through academictorrents.com. Unlike this Zenodo deposit, the files in the torrent have not been zipped.
• A better formatted (and possibly more up-to-date) version of this information can be found here.