Honeypots mailing list archives
Re: question (about internal honeypots)
From: "Peter Bates" <Peter.Bates () lshtm ac uk>
Date: Thu, 21 Aug 2003 14:03:51 +0100
Hello all...
<Motayyam79 () aol com> 21/08/03 12:07:36 >>> Just one question. Can honeypots be deployed internally in order to
monitor
for insider attacks?if so how?
I'm having a lot of success with this at the moment, using honeyd (and arpd) on an internal network. I just configured them both to respond to certain addresses across our /24 networks, and they are proving very useful in identifying MSBlaster (by opening tcp/135) and similarly Windows share scanning activity (by also opening tcp/139) ... There's an interesting paper about what they've done at Georgia Institute of Technology at: http://www.tracking-hackers.com/papers/gatech-honeynet.pdf ... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838
Current thread:
- Re: question (about internal honeypots) Peter Bates (Aug 21)