INetSim

No Change
assess
First Added:October 1, 2024 Updated: July 7, 2026

INetSim simulates DNS, HTTP, SMTP, and other internet services in an isolated lab so samples can run without reaching the real internet. We assess it for malware analysis and blue-team lab work.

Blurb

INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples.

Summary

What it is: A GPL Perl suite that binds fake services, logs requests and replies, and produces session reports. One process replaces a patchwork of Apache, Postfix, dnsmasq, and custom scripts with unified logging.

When to use:

SituationNotes
Malware dynamic analysisObserve DNS, download, SMTP, and C2 callback attempts safely
Offline or air-gapped lab VLANGive samples plausible “internet” without egress
Blue-team trainingShow how droppers beacon and exfiltrate in a controlled net
Gateway VM in analysis topologyPair with a sample host whose DNS resolves to the INetSim IP

When to skip:

  • Production service simulation or integration testing (use real stubs or Docker compose instead)
  • Cloud-native security pipelines that already include a commercial sandbox
  • Greenfield labs that need active maintenance and modern TLS interception (evaluate newer stacks first)
  • Teams with no malware analysis mandate

Trade-offs: Last upstream release is 1.3.2 (May 2020). Still packaged in Debian and widely cited in lab guides. Perl dependency tree is dated but stable. TLS support exists for several modules; deep HTTPS inspection often needs a separate proxy in front.

Details

Simulated Services

ServiceRole in malware labs
DNSFake forward and reverse lookups; static and default answers
HTTP / HTTPSServe canned pages or capture download requests
SMTP / POP3Log mail exfiltration and spam-bot behavior
FTP / TFTPFile pull and drop patterns
NTP / Time / DaytimeTrigger time-based malware logic
IRC, Finger, Ident, SyslogLegacy bot and beacon protocols
DummyLog traffic to odd ports when paired with redirection

See the features page for the full module list.

Notable Features

FeatureUse
FaketimeReturn configured timestamps so time-bomb samples activate on demand
Connection redirectionIP and port rules (Linux netfilter queue) to steer traffic between modules or external sinks
Session loggingPer-connection request and reply logs plus end-of-session summary report
NAT-style routingMake redirected traffic look like varied upstream hops (TTL tuning)

Typical Lab Layout

  1. Isolate a sample VM on a lab VLAN with no default route to the public internet.
  2. Run INetSim on a gateway host (Debian package or tarball install).
  3. Point sample DNS at the INetSim IP so common hostnames resolve locally.
  4. Execute the sample; collect INetSim logs and PCAP from the gateway.
  5. Tear down the VLAN or revert snapshots between runs.

Run the daemon as an unprivileged dedicated user after install. Do not run the service as root.

Limitations

  • Stale upstream: No release since 2020; verify Perl modules and OS packages still install on your base image.
  • Scope: Simulates protocols; it does not execute samples or replace a full sandbox VM.
  • HTTPS depth: May need an external TLS proxy for realistic cert behavior on modern malware.
  • Platform: Connection redirection requires Linux netfilter queue support.

Related Garden Links

  • DevSecOps: broader secure SDLC context; INetSim is analyst-lab tooling, not CI
  • Shift Left: complementary axis (pre-merge scanning vs runtime sample behavior)
  • Docker: optional packaging for lab hosts; INetSim itself is traditionally systemd on a gateway VM