Snort mailing list archives
RE: VERY simple 'virtual' honeypot
From: "Earthlink" <paulshaf () earthlink net>
Date: Sat, 9 Mar 2002 12:59:11 -0700
I don't see how a stock Redhat 6.2 (or some other such "production
environment") would be any good, if the reason for the honeypot is to gain
information about new exploits. Sure, you'll get a lot of traffic, but it
probably won't be much of anything we haven't seen before.
On the other hand, a synthetic environment that either reveals little or
nothing about itself, or in some way causes an attacker to invoke something
more than casual scanning or probing activity, could, IMHO, be a better way
to elicit new 'sploit attempts.
just my $.02
Paul
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Ofir Arkin
Sent: Saturday, March 09, 2002 12:30 PM
To: 'Ryan Russell'
Cc: 'Snort-Users (E-mail)'; honeypots () securityfocus com
Subject: RE: [Snort-users] VERY simple 'virtual' honeypot
Ryan,
You get to pull the attack off the wire only if they complete it...
If they will not get the right response no attack will be performed.
If the aim is to generate responses then you need to have a real
intelligence engine to produce them in a way the engine itself will not
get fingerprinted.
Also, it is more interesting, in my opinion, to simulate real world
production environment style to Honeynets rather than a virtual one with
less functionality.
Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: 09 March 2002 18:48
To: Ofir Arkin
Cc: 'Snort-Users (E-mail)'; honeypots () securityfocus com
Subject: RE: [Snort-users] VERY simple 'virtual' honeypot
On Sat, 9 Mar 2002, Ofir Arkin wrote:
> In my opinion it will be missing the main point of a Honeynet.
One thing that has been gleaned from the honeypots lists is that there are
many possible reasons for running a honeypot.
> We all know that we can cut the foreplay pretty fast (scanning, probing)
> and hit the site with an exploit even without the scanning attempt (read
> this in the context :P). But then what? Exploit fails, not much
> information gained, and we miss the funny part.
One of which is to collect new exploits. As you state, you don't get to
watch the attacker operate once they get a shell, but you do get to pull
the exploit off the wire.
Ryan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
