Honeypots mailing list archives
Re: http fake service
From: gminick <gminick () hacker pl>
Date: Sun, 9 Feb 2003 18:55:07 +0100
On Sun, Feb 09, 2003 at 12:08:01PM -0800, Alberto Gonzalez wrote:
Mos't attackers/worms identify a server with its banner. With a HTTP emulation (fake) you can emulate ANY banner you want. If this is a research honeypot, you will probably be receiving plenty of exploits if you emulate some old vulnerabile IIS stuff[1].
You're right, but then you're losing a possibility to look what they're doing after the exploit succeeds. That kind of honeypot is easier to play with, but you lose a lot, no way to capture their tools, maybe some IRC talks, behaviors after break-in... ps. please, cut useless quotes and signatures. -- [ ] gminick (at) underground.org.pl http://gminick.linuxsecurity.pl/ [ ] [ "Po prostu lubie poranna samotnosc, bo wtedy kawa smakuje najlepiej." ]
Current thread:
- http fake service dhanu bahirat (Feb 09)
- Re: http fake service gminick (Feb 09)
- RE: http fake service Alberto Gonzalez (Feb 09)
- Re: http fake service gminick (Feb 09)
- RE: http fake service Alberto Gonzalez (Feb 09)
- Re: http fake service gminick (Feb 09)