Honeypots mailing list archives

Re: Honey VS Vinegar


From: Valdis.Kletnieks () vt edu
Date: Wed, 27 Oct 2004 16:52:26 -0400

On Wed, 27 Oct 2004 16:30:10 EDT, Polazzo Justin said:

> If you give the IP a DNS entry, the (google/altavista/lycos)bots try and
> index your IIS/Apache honeypot and you get a false alarm, even though
> the nicer ones may turn around after a robots.txt is found, the traffic
> is recorded.

I'm not at all sure that just giving it a DNS entry will cause that behavior.
For starters, the bots can't find it unless you're silly enough to allow
DNS AXFR from random sites.  I'm pretty sure you need to "seed" it with a
followable reference to get them to find it.

> Does this compromise the integrity of your honeypot?

Depends on what you define as "integrity".  Merely getting indexed by
a googlebot shouldn't compromise the actual security integrity of the
machine - if it did, every webserver out there would be blocking the
Google bot IP address range.. ;)

Whether it impacts your *results* because the server is more visible is
another story entirely.

> Is this entrapment? Will you only observe known exploits through this
> type of lure?

Depends.  Does your threat model assume that a non-script-kiddie is going
to want to possibly lose that 0-day he's been using to get into sites?

> I know how I feel (1: Ignore the searchbots, 2: Entrapment? they
> shouldn't be trying to compromise servers via Google so go ahead and 3:

More importantly - they aren't *compromising* the server via Google, any more
than if I call you on the phone and get you to buy into a scam, I compromised
you via the phone book.  The only thing that Google is providing is a pointer
to machines that can be compromised.

> Even known exploits can make room for nice code storage), but was
> wondering what conclusions others have reached, and more importantly: To
> those who automatically publish their logs: How do you automagically
> clean all of this up?

find /path -mtime +30 -exec rm {} \;   works wonders. ;)
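As an added example (not part of the list post or either poster's own tooling), here is one way to do the "clean this up" step before publishing honeypot logs: set search-bot hits aside instead of treating them as alerts. It assumes an Apache "combined" access log, labels a request as a crawler by a self-declared User-Agent marker, records whether the client fetched /robots.txt (the "nicer bots turn around" behaviour), and, because a User-Agent is trivially spoofed, optionally confirms a claimed Googlebot by reverse DNS followed by forward DNS, which is the procedure Google publishes for this. All log lines, addresses, hostnames and resolver answers below are constructed; the resolvers are injected callables so the script runs offline.

```python
"""Triage a web honeypot's access log so crawler traffic is separated
from the hits worth reviewing. Sample data is constructed, not captured."""
import re

# Assumes Apache "combined" log format; an IIS/W3C log needs a different pattern.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Self-declared crawler markers: a first-pass label only, since any client can
# send any User-Agent. verify_crawler_ip() below is what actually confirms one.
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "slurp", "duckduckbot")

# Constructed sample: a genuine-looking indexer, an unknown crawler that honoured
# robots.txt, a probe that never asked for it, and a spoofed "Googlebot".
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Oct/2004:16:30:10 -0400] "GET /robots.txt HTTP/1.1" 200 52 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.10 - - [27/Oct/2004:16:30:11 -0400] "GET / HTTP/1.1" 200 1043 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.55 - - [27/Oct/2004:16:31:02 -0400] "GET /admin/config.php HTTP/1.0" 404 290 "-" "-"',
    '198.51.100.7 - - [27/Oct/2004:16:32:40 -0400] "GET /robots.txt HTTP/1.0" 200 52 "-" "SomeCrawler/0.1"',
    '198.51.100.7 - - [27/Oct/2004:16:32:41 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "SomeCrawler/0.1"',
    '192.0.2.99 - - [27/Oct/2004:16:33:05 -0400] "GET /cgi-bin/ HTTP/1.0" 403 210 "-" '
    '"Googlebot/2.1 (+http://www.google.com/bot.html)"',
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["raw"] = line
    return rec


def classify(lines, verify=None):
    """Split parsed records into (crawler, other).

    A record is a crawler hit when its User-Agent carries a known marker and,
    if a verify(ip) callable is given, that callable confirms the address.
    Every record also gets fetched_robots_txt=True when the same client asked
    for /robots.txt anywhere in the batch."""
    records = [r for r in map(parse_line, lines) if r]
    polite = {r["ip"] for r in records if r["path"] == "/robots.txt"}
    crawler, other = [], []
    for r in records:
        r["fetched_robots_txt"] = r["ip"] in polite
        claims_crawler = any(mk in r["ua"].lower() for mk in CRAWLER_UA_MARKERS)
        confirmed = claims_crawler and (verify is None or verify(r["ip"]))
        (crawler if confirmed else other).append(r)
    return crawler, other


def clean(lines, verify=None):
    """Raw log lines with confirmed crawler hits removed: the publishable set."""
    _, other = classify(lines, verify)
    return [r["raw"] for r in other]


def verify_crawler_ip(ip, reverse_lookup, forward_lookup,
                      suffixes=(".googlebot.com", ".google.com")):
    """Reverse-resolve the IP, require the name to sit under Google's crawler
    domains, then forward-resolve that name and require the original IP back."""
    host = reverse_lookup(ip)
    if not host or not host.endswith(suffixes):
        return False
    return ip in forward_lookup(host)


# Constructed resolver answers standing in for real PTR and A lookups.
FAKE_PTR = {"203.0.113.10": "crawl-203-0-113-10.googlebot.com"}
FAKE_A = {"crawl-203-0-113-10.googlebot.com": {"203.0.113.10"}}


def is_verified_crawler(ip):
    """verify_crawler_ip() bound to the constructed offline resolvers."""
    return verify_crawler_ip(ip, FAKE_PTR.get, lambda h: FAKE_A.get(h, set()))


if __name__ == "__main__":
    crawler, other = classify(SAMPLE_LOG, is_verified_crawler)
    for r in crawler:
        print("crawler", r["ip"], r["path"])
    for r in other:
        print("review ", r["ip"], "robots.txt=%s" % r["fetched_robots_txt"], r["path"])
```

Run as is, the spoofed "Googlebot" from 192.0.2.99 stays in the review pile because its address has no PTR record under the crawler domains, while the two hits from 203.0.113.10 are dropped from the published set. Swapping the FAKE_PTR/FAKE_A callables for real resolver calls (for example socket.gethostbyaddr and socket.gethostbyname_ex) turns the check live.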
