Honeypots mailing list archives
Re: logging facility
From: Floydman <floydman () iquebec com>
Date: Thu, 28 Aug 2003 05:05:34 -0400
At 04:42 AM 28/08/2003, KeyFocus wrote:
> Fine, but an IDS can be deployed on a network that doesn't have any
> production traffic. By exposing vulnerabilities a honeypot will generate a lot
> more interesting traffic than the basic scans you would get with this set up.
>
> > What logging facilities does a honeypot use that makes it stronger than
> > normal systems?
>
> An IDS that logs everything is as strong as you can get in terms of the data
> captured. However there are a number of additional benefits a honeypot can
> bring such as:
>
> Fragmentation attacks can be easily combined into their correct sequence.
> Multiple packets that make up a session can be combined and logged together,
> making it much easier to analyse than dozens of separate packets scattered
> across an IDS log.
> Encrypted traffic such as that to an SSL web server can be decrypted and
> logged.
>
> - Tom
> www.keyfocus.net
All true, but then again, this is all possible because you don't have to filter the "good" traffic out of the "bad" traffic. Since all the traffic is bad, you can capture it all and then perform advanced analysis on it, which would be harder to achieve with the same accuracy on a prod network.
My 2 cents,
Floydman
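The two logging benefits quoted above (putting fragments back in order and combining a session's packets into one record) as an added example, not code from the thread or from KeyFocus; the packet records, their field names and the sample traffic are constructed for illustration. The reassembly also covers two edge cases a honeypot logger meets: a fragment chain with a missing piece, and a retransmitted TCP segment.

```python
from collections import defaultdict

# Constructed sample input: IP fragments (the second chain is missing its first piece).
FRAGMENTS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "ip_id": 7, "offset": 8, "more": False, "data": b"-frag"},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "ip_id": 7, "offset": 0, "more": True, "data": b"GET /cgi"},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "ip_id": 8, "offset": 8, "more": False, "data": b"tail"},
]

# Constructed sample input: TCP segments of one request/response, with one retransmission.
SEGMENTS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40000, "dport": 80, "seq": 100, "payload": b"GET / "},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40000, "dport": 80, "seq": 106, "payload": b"HTTP/1.0\r\n"},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40000, "dport": 80, "seq": 100, "payload": b"GET / "},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "sport": 80, "dport": 40000, "seq": 500, "payload": b"HTTP/1.0 200 OK\r\n"},
]


def reassemble_fragments(frags):
    """Join fragments keyed by (src, dst, ip_id) in offset order. Only chains that
    start at offset 0 and run unbroken to the last fragment are returned; a chain
    with a gap is left alone rather than logged as a guessed datagram."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f["src"], f["dst"], f["ip_id"])].append(f)
    datagrams = []
    for (src, dst, _), parts in groups.items():
        parts.sort(key=lambda p: p["offset"])
        expected, data, complete = 0, b"", False
        for p in parts:
            if p["offset"] != expected:
                break  # hole in the chain: stop, do not mark complete
            data += p["data"]
            expected += len(p["data"])
            if not p["more"]:
                complete = True
                break
        if complete:
            datagrams.append({"src": src, "dst": dst, "data": data})
    return datagrams


def sessions(segments):
    """Group segments by flow (src, sport, dst, dport), order by seq and concatenate
    payloads into one stream per direction; bytes already seen (retransmissions or
    overlaps) are dropped so the logged stream is not duplicated."""
    flows = defaultdict(list)
    for s in segments:
        flows[(s["src"], s["sport"], s["dst"], s["dport"])].append(s)
    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s["seq"])
        stream, next_seq = b"", segs[0]["seq"]
        for s in segs:
            if s["seq"] + len(s["payload"]) <= next_seq:
                continue  # pure retransmission, nothing new
            stream += s["payload"][max(0, next_seq - s["seq"]):]
            next_seq = s["seq"] + len(s["payload"])
        streams[key] = stream
    return streams
```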