Honeypots mailing list archives

RE: Honeypot/net IDS System


From: <ravivsn () roc co in>
Date: Tue, 24 Feb 2004 22:27:49 +0530 (IST)

 After a quick think on the use of honeypots, I have a few things to
wonder about.
 - If applications like SMTP are fully secured using antispam and
antivirus software in front of a security-patched server, then what
is the role of a HoneyPot in the network?
 - Using honeypots will only increase the traffic on the LAN under
consideration, as it attracts hackers to come in.
 - Honeypots can only trace the hacker, but they can't identify a possible
threat; unless the administrator goes through the logs it is difficult to
identify.

  A most helpful solution could be a honeypot working hand in hand with intrusion
protection systems or NIDS. Currently, with tools such as ADMMutate, NIDS are
being cheated; a honeypot with NIDS can attract the hacker and we can learn
his real intentions using an enhanced honeypot. I believe this would be a
good combination.

Cheers
-Ravi
ROCSYS Technologies Limited
INDIA
http://www.rocsys.com





I'm puzzled by everyone's interest in "fake honeypot" systems. I've
run a couple of them for several years and there is almost NO traffic,
even though I have a bunch of email addys on web pages for
spamscrapers to find.

Is it possible that everyone has finally got off the bumps and started
securing their computer systems? And they are deploying the honeypots
as a part of the "proactive security policy" ;)



Running a tarpit as the front end of our mail system catches bunches
of spammers. Why wouldn't you do that instead? It is much more
effective and eliminates the spam from our incoming MTA as well as
killing the net traffic associated with the spam. Since spam
outnumbers real messages by more than 10 to 1 (at least here), this is
beneficial.



Running a tar pit can be achieved by using a combination of postfix +
SpamAssassin + avirmail; it cuts the spam by 99% and is very effective
for cutting down all the spam traffic.

The postfix server can issue an error 550 in the middle of the DATA
statement if need be, if the incoming connection is determined to be
spam. It also works on DNS resolutions, the To & From headers and other
criteria.

- This is very easy to set up and maintain. I use it in my production
network and it is net accessible without anything in front.

Works like a charm and is rock steady; of course the server running it is
hardened OpenBSD.

-aditya
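The setup described above (tarpitting error-prone clients, DNS and envelope checks, and a 550 at the end of DATA driven by header matching), as an added Postfix configuration example that is not from the thread or from any poster. It assumes Postfix 2.3 or later; the table paths and the patterns in the header_checks comment are placeholders.

```ini
# /etc/postfix/main.cf fragment (added example, not from the thread).
# Assumes Postfix 2.3 or later; table paths are placeholders.

# Tarpit: once a client has made more than smtpd_soft_error_limit
# errors (rejected recipients, bad commands), Postfix pauses
# smtpd_error_sleep_time before every reply, and drops the session
# after smtpd_hard_error_limit errors. Address-probing spammers
# burn time; legitimate MTAs rarely reach the soft limit.
smtpd_error_sleep_time = 10s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 10

# Apply restrictions at RCPT TO, so the reject log line carries
# client, HELO, sender and recipient for later review.
smtpd_helo_required = yes
smtpd_delay_reject = yes

# DNS-based and envelope checks, evaluated in order:
#  - reject_unknown_sender_domain: MAIL FROM domain has no MX/A record
#  - reject_unknown_reverse_client_hostname: client IP has no PTR
#  - check_sender_access: local allow/deny table keyed on the sender
#  - reject_rbl_client: client IP listed on a DNS blocklist
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    permit

# Header checks run on the message content, so a REJECT here is
# returned as "550 5.7.1" at the end of DATA rather than earlier.
# /etc/postfix/header_checks (regexp table) holds lines such as:
#   /^Subject: .*make money fast/i    REJECT Unwanted subject
#   /^From: .*@example\.invalid/      REJECT Blocked sender
header_checks = regexp:/etc/postfix/header_checks
```

After editing, build the hash table with `postmap /etc/postfix/sender_access` and apply the change with `postfix reload`; rejected sessions then appear in the mail log as `NOQUEUE: reject:` lines, which is where the "possible threat" review the thread asks for can start.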



