Honeypots mailing list archives
RE: Moving forward with defintion of honeypots
From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Tue, 20 May 2003 15:15:07 -0400
Honeypots are illusions you weave for the attacker. Though with that said, I don't think that patching your honeypot to catch the information is deceptive. All my *non*-honeypot systems employ similar patches[1] as a security measure for that day I might get compromised. My high interaction honeypots are physical systems running the real OS for the attacker to play with. I haven't held a gun to his head or threatened to kill Ginger making him compromise my box, so I don't know what I did to deceive him?

Cheers,
Alberto Gonzalez

[1] - These patches include having bash log commands to a non-default location, syslog patches, etc... Just in case I get compromised, most "common" trail hiding techniques will be defeated.

-----Original Message-----
From: Jeremy Bennett [mailto:jeremy_f_bennett () yahoo com]
Sent: Tuesday, May 20, 2003 1:07 PM
To: Lance Spitzner; honeypots () securityfocus com
Subject: Re: Moving forward with defintion of honeypots

Not sure I agree, Lance. To say you don't do anything "special" to lure attackers to the honeynet is a bit dubious. You attempt to make your honeypots look as much like real systems as possible. I would call that using deception or artifice to ensnare your prey.

If I'm a duck hunter I make my decoy look as much like a duck as possible. I don't try to make it look better than a duck. By making your honeypots look more like real systems you are making your decoys look like the things your prey seeks.

I understand the desire to move away from the "negative" words like decoy and deception but the fact is that is exactly what we're doing and there's nothing wrong with it. I believe decoy is absolutely the correct term for the honeynet.

There is a question whether a low-interaction honeypot like honeyd deployed as an early warning system qualifies as a decoy. In this case it is more akin to a trip wire or doorway sensor than it is to a decoy. However, even in this scenario, we are still attempting to make a "machine" look as much like a real host as possible. Thus, still a decoy or a lure. When honeyd logs activity it is just like the fisherman's lure bobbing in the water.

As they say "A rose by any other name..."

-J