Attack/Benign Packet Determination

[Steven DeFord <steve () redlance singingtree com>]

I'm new at this, so you'll have to excuse me, but in the handful of white
papers I've read, and from reading traffic on this list, I've not seen any
clear way that honeypot routers determine what traffic is bad (destined
for the honeypot) and which isn't.  People on the list seem to assume that
"All traffic on the honeynet is inherently an attack," but how does one
know which traffic is bad and which isn't?  At least, how do you tell any
better than an IDS?  For example, in a recent post, someone mentioned the
fact that a blackhat who's compromised a honeynet host can't get any
production information out of sniffing the network, but what if some
user's authentication session were misdirected to the honeynet?  Then the
blackhat could (essentially) passwordsniff legitimate users' logon
information, and could then infect production machines more easily.  The
only benefit of a honeynet, it seems, is improved logging, not due to more
accurate packet detection, but simply more loggers.  Could not, in theory,
one set up a honeynet in the production environment?  (Other than the
previously-mentioned problem of privacy laws and the like.)


Steven DeFord
steve () singingtree com