Honeypots
mailing list archives
Re: HoneyPot Tools
From: MrDemeanour <mrdemeanour () jackpot uk net>
Date: Sat, 03 Jul 2004 20:43:56 +0100
Lance Spitzner wrote:
> Defining/categorizing honeypots is still I think one of its biggest
> challenges :-0

My view exactly - but isn't that part of the point? If it were easy
to pin down your host based on some kind of behaviour-profile, then you
lose. But a network that contains (maybe) real hosts, one or perhaps one
or more honey-aware routers, and (who knows?) some kinds of
honey-servers, would present a confusing proposition to an attacker.

Suppose a real host were running one or two honey-services, in addition
to doing its regular job? Suppose a real host, with a real job, were
mirrored by a virtual host? Suppose an LI honeypot were collaborating
with the honey-router, and spoofing its services in such a way that they
appeared to be running on one of the real hosts?

I don't know that a Hall Of Mirrors like this is quite what one wants;
something a bit more like Kafka's Castle is what's wanted - the visitor
is presented with an impossible mess of bureaucracy, truths pretending
to be lies, half-truths, and out-and-out lies.

Another literary metaphor, full of lies about lies, might be The Magus,
by John Fowles. In the story, the protagonist is sucked into a seductive
set-up on a Greek island, complete with actors paid to help take him in.
Two of these actors are twins - one of them "falls in love" with the
protagonist.

I'd like the unwelcome visitor to be unsure when he was talking to a
real, live service; when he was talking to a real service that had been
set-up as a 'pot, and was being traced in real-time; when he was talking
to the shadow of a real, live service, and when he was talking to an
actor (or another actor that was the spitting image of the first actor).

In all this drivel, I'm envisaging the network being a live network, and
the honey-bits are contrived either to deter or to detect - I'm not
really thinking about a completely phony network.

--
Jack.