Honeypots
mailing list archives
Re: HoneyPot Tools
From: Lance Spitzner <lance () honeynet org>
Date: Sat, 3 Jul 2004 10:48:24 -0500
On Jul 3, 2004, at 11:19, Andy Cuff wrote:
> Hi Ponder,
>
> Great idea to split them up though how about a slight change in the
> definitions
>
> Low interaction
> no services/ simulated response
>
> Medium Interaction
> Virtual Services (i.e. detectable to the more advanced attacker)
>
> High Interaction (HI)
> Tools to help control and log output from compromised HI honeypots, as
> I see a high interaction as a fully fledged host in its own right.

My recommendation is just to do Low/High interaction honeypots. There
are so many different flavors of honeypots today that do so many
different things, it's very difficult to come up with specific
categories for all of them. So, my suggestion is to throw anything
that is a port listener or emulates to low interaction, anything that
provides real services and applications to high interaction honeypots.
About the only thing I would consider 'med' interaction is chroot or
jail environments.

What you can do on your website is list the low-interaction honeypots
in the order of the interaction. Something like BackOfficerFriendly is
the most basic, things like Specter/KFSensor are more interaction,
and Honeyd the most, but they are all still low-interaction as they all
pretend to be something else.

Defining/categorizing honeypots is still I think one of its biggest
challenges :-0

lance