Honeypots mailing list archives

Re: learn about worm
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 11 Mar 2004 07:03:47 -0500

Your choice of type of honeypot dictates the decision a bit.  Honeyd is a
low emulation, virtual honeypot, so you won't be running any monitoring
tools, beyond what you can configure in Honeyd with scripting and logging,
in the virtual session.  You should also run a network protocol analyzer,
like Ethereal (www.ethereal.com) and an IDS, like Snort (www.snort.org).
The protocol analyzer is so you can capture all network packets headed to
and from the honeypot/honeynet.  The IDS is another packet capturing backup
and so you can get alerted to any activity and to automate recognizing
predefined attacks.  You need to harden your Honeyd host using the normal OS
hardening tips.  You need to place Honeyd on one machine, and your other
monitoring tools on either the same host or a separate monitoring host.

Let me know how it goes.

Roger

********************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE:Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
********************************************************************************

----- Original Message ----- 
From: "wira zanoramy" <zanoramy () streamyx com>
To: <honeypots () securityfocus com>
Sent: Wednesday, March 10, 2004 6:06 AM
Subject: learn about worm


In order to use a honeypot to learn about worms, what other tools do I
need? What is the best logging tool for this job? FYI, I now want to build
a Win XP honeypot using honeyd.

Thanks in advance :)
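
Added example, not part of either message above and not Honeyd's own code: a small Python summary of a honeypot connection log that reports sources hitting the same port on several honeypot addresses, the pattern a propagating worm leaves. The line layout is an assumption modelled on Honeyd's packet log, and the sample lines, addresses and the names `sweep_candidates` and `min_targets` are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout (modelled on Honeyd's packet log; check it against your own file):
#   <timestamp> <proto>(<num>) <flag> <src_ip> <src_port> <dst_ip> <dst_port>[: extra]
# flag: S = connection start, E = connection end, - = packet outside a connection
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\(\d+\)\s+(?P<flag>[SE-])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+)"
)

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2004-03-11-07:03:47.0100 tcp(6) S 192.0.2.10 1042 10.0.0.5 135 [Windows XP SP1]
2004-03-11-07:03:47.0900 tcp(6) S 192.0.2.10 1043 10.0.0.6 135 [Windows XP SP1]
2004-03-11-07:03:47.1700 tcp(6) S 192.0.2.10 1044 10.0.0.7 135 [Windows XP SP1]
2004-03-11-07:03:49.0100 tcp(6) E 192.0.2.10 1042 10.0.0.5 135: 72 0
2004-03-11-07:04:10.0000 tcp(6) S 198.51.100.7 2201 10.0.0.5 80
2004-03-11-07:05:00.0000 icmp(1) - 203.0.113.9 10.0.0.5: 8(0): 84
"""


def parse(text):
    """Yield one dict per tcp/udp line; lines in any other shape are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def sweep_candidates(text, min_targets=3):
    """Map (source, protocol, port) to the honeypot addresses it contacted,
    keeping only sources that reached at least min_targets distinct addresses."""
    targets = defaultdict(set)
    for rec in parse(text):
        if rec["flag"] == "E":
            continue  # count connection attempts once, not their end records
        key = (rec["src"], rec["proto"], int(rec["dport"]))
        targets[key].add(rec["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    for (src, proto, port), hosts in sweep_candidates(SAMPLE_LOG).items():
        print(f"{src} swept {proto}/{port} across {len(hosts)} honeypot addresses")
```

The packet capture and IDS alerts for the same time window supply the payload that this summary only points to.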

