Honeypots mailing list archives

Re: Introducing the Tactical Honeynet Deployment Project


From: Lance Spitzner <lance () honeynet org>
Date: Tue, 2 Sep 2003 08:00:59 -0500 (CDT)

On Mon, 1 Sep 2003 Valdis.Kletnieks () vt edu wrote:

And a good honeypot should look like a production server to pull them 
away from the true targets, right? I would think that df and ps should 
turn up exactly what would look right for the machine it's supposed to 
be. Or am I way off base?

One quick 'df' tells me if I'm on our production Oracle server or our test Oracle
server, because the test server has only one terabyte of disk on it.  Similarly
for 'ps'...

One of the common threads I've seen are people concerned about honeypots
being detected because of little activity.  As such, a great deal of 
focus has been on adding more 'activity' to the honeypots.  Why not
take a different approach and deploy honeypots that are expected to have
less activity. For example, deploy a webserver, but have it 'under
construction'.  As it's still being built, it would not have any production
traffic, and would have minimal activity.  Valdis, you mention the idea
of a test Oracle system. Why not create a honeypot that has the illusion
of being a test system? Or perhaps an outdated mail server that has been
shutdown, but one an admin has forgotten to remove from the network?

Just a thought, there is always more than one direction to try out.

lance
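One way to put the "under construction" web server idea into practice, as an added example that is not part of the mailing list thread or any Honeynet Project code: a low-interaction HTTP listener that serves only a placeholder page and writes one JSON log line per request. The premise from the post is that such a host has no production traffic, so any request it receives is worth recording; the hostname, port, banner string and the list of "suspicious" path markers are all constructed for this example.

```python
"""Minimal 'under construction' web honeypot (added example, not from the thread).

A low-interaction HTTP listener that serves a bland placeholder page and
records every request. Because the host is supposed to be idle, every hit
is signal; the record keeps what an analyst needs for triage.
"""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional

# Constructed placeholders for this example: hostname and listen address.
FAKE_HOSTNAME = "www-new.example.invalid"
LISTEN = ("0.0.0.0", 8080)

PLACEHOLDER_HTML = (
    "<html><head><title>Under construction</title></head>"
    "<body><h1>This site is under construction</h1>"
    "<p>Please check back later.</p></body></html>"
)

# Paths a visitor to an unfinished site has no reason to request; a hit on
# any of these is flagged so it stands out in the log. Constructed list.
SUSPICIOUS_MARKERS = ("/admin", "/.git", "/backup", "/cgi-bin", "/wp-", ".php", "..")


def build_record(client_ip: str, method: str, path: str,
                 headers: Dict[str, str],
                 ts: Optional[float] = None) -> Dict[str, object]:
    """Build a structured log record for one request."""
    return {
        "ts": ts if ts is not None else time.time(),
        "src": client_ip,
        "method": method,
        "path": path,
        "user_agent": headers.get("User-Agent", ""),
        "host_header": headers.get("Host", ""),
        "suspicious": any(m in path for m in SUSPICIOUS_MARKERS),
    }


class UnderConstructionHandler(BaseHTTPRequestHandler):
    # Generic banner so the Server header looks like an ordinary web server.
    # The value is a constructed placeholder, not a claim about any product.
    server_version = "Apache/2.0"
    sys_version = ""

    def _log_and_reply(self) -> None:
        record = build_record(self.client_address[0], self.command, self.path,
                              dict(self.headers))
        print(json.dumps(record), flush=True)  # one JSON line per request
        body = PLACEHOLDER_HTML.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    # Every method gets the same placeholder; the point is the log, not the page.
    do_GET = do_POST = do_HEAD = _log_and_reply

    def log_message(self, *args) -> None:
        return  # suppress the default stderr access log; JSON lines replace it


if __name__ == "__main__":
    print(f"serving 'under construction' page for {FAKE_HOSTNAME} on {LISTEN}")
    HTTPServer(LISTEN, UnderConstructionHandler).serve_forever()
```

Run it on a spare address and ship the JSON lines to whatever collector you already use; since a legitimately unfinished site draws almost no traffic, a simple count of records per source over time is enough to surface scanning, and the `suspicious` flag separates directory probing from a stray visitor who followed an old link.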

