Honeypots mailing list archives
Attack/Benign Packet Determination
From: Steven DeFord <steve () redlance singingtree com>
Date: Fri, 29 Aug 2003 13:19:39 -0700 (PDT)
I'm new at this, so you'll have to excuse me, but in the handful of white papers I've read, and from reading traffic on this list, I've not seen any clear way that honeypot routers determine what traffic is bad (destined for the honeypot) and which isn't. People on the list seem to assume that "All traffic on the honeynet is inherently an attack," but how does one know which traffic is bad and which isn't? At least, how do you tell any better than an IDS?

For example, in a recent post, someone mentioned the fact that a blackhat who's compromised a honeynet host can't get any production information out of sniffing the network, but what if some user's authentication session were misdirected to the honeynet? Then the blackhat could (essentially) password-sniff legitimate users' logon information, and could then infect production machines more easily.

The only benefit of a honeynet, it seems, is improved logging, not due to more accurate packet detection, but simply more loggers. Could not, in theory, one set up a honeynet in the production environment? (Other than the previously-mentioned problem of privacy laws and the like.)

Steven DeFord
steve () singingtree com
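The placement rule the post is asking about, and the misdirected-login case it raises, as an added example that is not part of the original post: the honeynet classifies traffic by where it goes rather than by signature, and a production client authenticating to a honeypot is treated as a credential exposure to act on rather than as an attack. The address ranges, port list and flow records are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plan (constructed for this example, not from the post).
HONEYNET = ipaddress.ip_network("192.0.2.0/24")      # honeypot hosts, no legitimate users
PRODUCTION = ipaddress.ip_network("10.10.0.0/16")    # real user and server network
AUTH_PORTS = {22, 23, 110, 143, 389, 445, 3389}       # services that carry logon credentials

@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport' record such as '198.51.100.7 192.0.2.10 22'."""
    src, dst, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))

def classify(flow: Flow) -> str:
    """Label a flow using honeynet placement alone; no payload or signature is inspected."""
    to_honeynet = flow.dst in HONEYNET
    from_honeynet = flow.src in HONEYNET
    if not to_honeynet and not from_honeynet:
        return "production"                # never touches the honeynet: not the honeynet's concern
    if from_honeynet and not to_honeynet:
        return "outbound-from-honeypot"    # a honeypot initiating traffic: likely compromised
    if flow.src in PRODUCTION and flow.dport in AUTH_PORTS:
        # A production client authenticating to a honeypot is probably a misdirected
        # legitimate session (typo, stale DNS, bad route): the credentials may now be
        # exposed to an intruder on the honeynet, so alert and rotate rather than just log.
        return "misdirected-credential-risk"
    return "suspect"                       # a host nobody should use was contacted

# Constructed flow records in 'src dst dport' form.
SAMPLE_FLOWS = [
    "198.51.100.7 192.0.2.10 22",     # external host probing a honeypot's SSH
    "10.10.4.21 192.0.2.10 445",      # production workstation sending SMB logon to a honeypot
    "10.10.4.21 10.10.9.5 445",       # production to production
    "192.0.2.10 203.0.113.9 6667",    # honeypot calling out
    "10.10.4.22 192.0.2.11 80",       # production browsing to a honeypot, no credentials
]

def summarize(lines):
    """Count flows per label so the honeynet operator sees what needs follow-up."""
    counts = {}
    for line in lines:
        label = classify(parse_flow(line))
        counts[label] = counts.get(label, 0) + 1
    return counts
```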