Honeypots mailing list archives
Re: Introducing the Tactical Honeynet Deployment Project
From: "Michael Anuzis" <michael_anuzis () hotmail com>
Date: Tue, 02 Sep 2003 10:47:00 -0400
Both solutions are viable: deploying a server expected to have less traffic and having it appear idle for the most part, or deploying a server expected to have tremendous traffic. The concern, and this is the focus of the Tactical Honeynet Deployment Project, is that if you are going to put down an Oracle server, for example, the common misconception is that you can't just leave it sitting idle, and you can't just use it a bit here and there to make it look pseudo-real. If you are going to deploy a honeypot as sophisticated as an Oracle server or other database server, a greater emphasis needs to be placed on the deception involved. Scripts should be running on several remote hosts that access the Oracle-DB honeypot and alter it on a regular basis. If you want the level of deception to be high, the honeypot must match the production machine in as many ways as an experienced blackhat would be able to detect. If the production machine gets over 5,000 connections/day from fifteen different machines, so too should the honeypot.
An interesting whitepaper, and one that I would be pleased to host at the Tactical Honeynet Deployment Project, would be one involving specific deployment scenarios for various types of servers. For example, a whitepaper detailing how to deploy an Oracle server, detailing all the tricks/techniques that can be used to raise the level of deception to its peak. Such a whitepaper might include a script similar to honeyd. The difference would be that instead of emulating a particular type of server from a bunch of IP addresses (honeyd), the script would generate Oracle traffic that looks real from several IP addresses (realize the script would have to be run in the same broadcast domain as the honeypot so it could fully spoof the TCP connections). If anyone is working on such a whitepaper please keep me updated on it. A whitepaper on MySQL, Postgres, Postfix, Apache, etc. servers would also be interesting: details on how to manipulate the level of deception on each particular server, details on the psychological motives that can be deployed in each (what can make it more appealing, what can make it a turn-off or a give-away?), and any particular control issues to worry about for that particular server. Anyone working on such whitepapers is welcome to contribute that work to our project.
The honeynet community can expect a whitepaper from THDP to be released soon along these lines but on a very useful and deceptive honeynet deployment we believe has not been taken advantage of yet.
Regards,
Michael Anuzis, CCNA
Network Security Consultant
Mobile: 248.376.7030
CTO, Advanced DataTactics, Inc.
CTO, Advanced InfoTactics, Inc.
Project Coordinator: http://www.thdp.org
From: Lance Spitzner <lance () honeynet org>
To: Valdis.Kletnieks () vt edu
CC: honeypots () securityfocus com
Subject: Re: Introducing the Tactical Honeynet Deployment Project
Date: Tue, 2 Sep 2003 08:00:59 -0500 (CDT)

On Mon, 1 Sep 2003 Valdis.Kletnieks () vt edu wrote:

> > And a good honeypot should look like a production server to pull them
> > away from the true targets, right? I would think that df and ps should
> > turn up exactly what would look right for the machine it's supposed to
> > be. Or am I way off base?
>
> One quick 'df' tells me if I'm on our production Oracle server or our test Oracle
> server, because the test server has only one terabyte of disk on it. Similarly
> for 'ps'...

One of the common threads I've seen are people concerned about honeypots being detected because of little activity. As such, a great deal of focus has been on adding more 'activity' to the honeypots. Why not take a different approach and deploy honeypots that are expected to have less activity? For example, deploy a webserver, but have it 'under construction'. As it's still being built, it would not have any production traffic, and would have minimal activity.

Valdis, you mention the idea of a test Oracle system. Why not create a honeypot that has the illusion of being a test system? Or perhaps an outdated mail server that has been shut down, but one an admin has forgotten to remove from the network?

Just a thought, there is always more than one direction to try out.

lance
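As an added example (not part of this thread, of THDP, or of honeyd), the following Python sketch shows one way to approach the profile matching Michael describes: derive the per-host and hour-of-day connection distribution from a production server's connection log, then generate a one-day synthetic schedule for the honeypot that reproduces it, so the honeypot is hit by the same client hosts, in the same proportions, at the same hours. The log format, the 10.1.1.x client addresses and the 2003-09-02 replay date are constructed for illustration and are not any real Oracle listener log format. Actually driving the connections, whether from real client hosts or spoofed from the honeypot's broadcast domain as the message suggests, is left to a separate traffic generator that would consume this schedule.

```python
import random
from collections import Counter
from datetime import datetime

# Constructed sample of a production database server's inbound connection
# log: "ISO timestamp, client IP, server port". The layout is an assumption
# made for this example, not a real Oracle listener log format.
SAMPLE_LOG = """\
2003-09-01T08:02:11 10.1.1.21 1521
2003-09-01T08:05:40 10.1.1.22 1521
2003-09-01T09:12:03 10.1.1.21 1521
2003-09-01T09:47:55 10.1.1.23 1521
2003-09-01T10:01:19 10.1.1.21 1521
2003-09-01T13:30:00 10.1.1.22 1521
2003-09-01T14:15:42 10.1.1.24 1521
2003-09-01T16:58:07 10.1.1.21 1521
2003-09-01T17:20:33 10.1.1.23 1521
2003-09-01T23:59:59 10.1.1.25 1521
"""


def parse_log(text):
    """Return a list of (datetime, client_ip) from the sample log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _port = line.split()
        events.append((datetime.fromisoformat(ts), client))
    return events


def build_profile(events):
    """Summarise production traffic: connections per client host and per hour of day."""
    per_host = Counter(client for _, client in events)
    per_hour = Counter(ts.hour for ts, _ in events)
    return {"per_host": per_host, "per_hour": per_hour, "total": len(events)}


def generate_schedule(profile, day, seed=0, scale=1.0):
    """Produce a synthetic one-day schedule of (datetime, source_ip) events.

    Every production client contributes the same number of connections it has
    in the profile (times `scale`), and the hour of each synthetic connection
    is drawn from the production hour-of-day histogram, so the honeypot sees
    the same hosts, in the same proportions, at the same hours.
    """
    rng = random.Random(seed)
    hours = sorted(profile["per_hour"])
    weights = [profile["per_hour"][h] for h in hours]
    schedule = []
    for host, count in sorted(profile["per_host"].items()):
        n = max(1, round(count * scale))
        for hour in rng.choices(hours, weights=weights, k=n):
            when = day.replace(hour=hour, minute=rng.randrange(60), second=rng.randrange(60))
            schedule.append((when, host))
    schedule.sort()
    return schedule


def matches_profile(schedule, profile, scale=1.0):
    """Check that the schedule reproduces the production host mix exactly and
    introduces no hour of the day at which production never connected."""
    hosts = Counter(host for _, host in schedule)
    expected = Counter({h: max(1, round(c * scale)) for h, c in profile["per_host"].items()})
    hours_ok = {ts.hour for ts, _ in schedule} <= set(profile["per_hour"])
    return hosts == expected and hours_ok


def demo(seed=1, scale=1.0):
    """Profile the sample log and build a matching schedule for the next day (constructed date)."""
    profile = build_profile(parse_log(SAMPLE_LOG))
    schedule = generate_schedule(profile, datetime(2003, 9, 2), seed=seed, scale=scale)
    return profile, schedule


if __name__ == "__main__":
    prof, sched = demo(seed=1, scale=2.0)
    for when, host in sched:
        print(when.isoformat(), host)
    print("matches production profile:", matches_profile(sched, prof, scale=2.0))
```

Running the module prints the replay schedule; matches_profile is the check to run before letting a generator loose on the honeypot, since a host that appears only on the honeypot, or traffic at 03:00 when production is silent, is exactly the kind of give-away the thread worries about. The schedule only reproduces the connection pattern, not what Valdis points out an intruder will also compare once inside: disk layout, process list and the data the clients actually touch.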