Honeypots mailing list archives

Re: Question


From: Richard Stevens <mail () richardstevens de>
Date: Mon, 18 Aug 2003 17:26:53 +0200


Hi,

I have a query. Can anyone tell me the difference between low interaction
honeypots and middle interaction honeypots? I am finding it confusing to
distinguish between the two. Do they both emulate network services? Are
they both software running on operating systems?

I'm not sure if the following distinction meets everyone's understanding but I
usually describe the two the following way:

Low Interaction: Fully emulated services without functionality. You get a 
banner or login and password prompts but there is no way the emulated service 
actually offers functionality, e.g. permit some sort of shell after telnet 
login. You'd always get a permission denied in case of telnet. 


Medium Interaction: MI-honeypots offer limited simulated services but still 
not the real thing. An example would be an emulated webserver that offers 
enough functionality for a worm to "think" it's a valid target and drop off
the payload but actually starting it would be impossible. Another example
would be a successful telnet login that simulates some sort of Unix system,
maybe in a jail or completely simulated. Whatever solution is chosen, you 
still don't have the real thing. Medium interaction is everything between 
simple banners and the real service. 


I think this is an interesting question. I'd be interested in other people's 
thoughts on this.

Regards,

Richard
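
The distinction drawn in the message above, as an added example that is not part of the original post: one telnet-style session handler run in "low" mode (prompts only, login always refused) and "medium" mode (any login accepted, canned shell replies, nothing executed). The class name, banner and canned outputs are hypothetical and constructed for illustration.

```python
"""Telnet-style honeypot session logic in two modes (added illustration).

All names, the banner and the canned outputs are hypothetical. No sockets
are opened and nothing is executed; feed() takes one client line at a time.
"""

BANNER = "Debian GNU/Linux 3.0 host1\r\nlogin: "  # constructed; sent on connect
FAKE_SHELL = {  # canned replies for the simulated shell
    "id": "uid=1000(guest) gid=1000(guest) groups=1000(guest)",
    "uname -a": "Linux host1 2.4.20 #1 i686 unknown",
    "pwd": "/home/guest",
}


class HoneypotSession:
    def __init__(self, mode):
        if mode not in ("low", "medium"):
            raise ValueError("mode must be 'low' or 'medium'")
        self.mode, self.state, self.user = mode, "login", None
        self.events = []  # (kind, value) tuples kept for the analyst

    def feed(self, line):
        """Consume one client line and return the text to send back."""
        line = line.strip()
        if self.state == "closed":
            return ""
        if self.state == "login":
            self.user, self.state = line, "password"
            return "Password: "
        if self.state == "password":
            self.events.append(("credentials", (self.user, line)))
            if self.mode == "low":
                # Low interaction: prompts only, the login never succeeds.
                self.state = "login"
                return "Permission denied\r\nlogin: "
            # Medium interaction: accept the login and present a fake shell.
            self.state = "shell"
            return "$ "
        # Shell state: record the command and answer from the canned table.
        self.events.append(("command", line))
        if line in ("exit", "logout"):
            self.state = "closed"
            return ""
        if not line:
            return "$ "
        reply = FAKE_SHELL.get(line, f"sh: {line.split()[0]}: command not found")
        return reply + "\r\n$ "
```

In both modes the value to the defender is the `events` log; the medium mode simply collects more of it (commands as well as credentials) while still never running anything.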

