Honeypots mailing list archives

RE: deploying honeypots...


From: "Connell, Graeme S" <gconnell () middlebury edu>
Date: Fri, 19 Aug 2005 23:43:47 -0400

Rasyid,

  The first question is a very good one, and, as with most good questions, there really isn't a good answer.  If you're 
looking at how old exploits are used against unpatched systems, then by all means use older versions of operating 
systems and hardware.  However, if you're looking at what attacks are used against fully-hardened systems, update all 
your patches and programs before deploying the honeynet.  Generally, I like to use stuff that's a few months to a year 
old, with a few known exploits.
  The problem is also to attract an attacker.  Easy systems will be picked up by script-kiddy automated scans and will 
probably be attacked much more regularly than patched or hardened boxes.  And unless you make the box very tempting 
(name it "bank_of_america.com", use tempting honeytokens, or something like that), most attackers will balk at 
attacking a secure box in favor of easier targets.

  Regarding your second question, I'm not entirely sure how you're planning on using neural networks within your 
honeynet.  Are you examining traffic and attempting to determine when an attack occurs?  If so, a honeynet may not be 
the best place to train the network, since ALL traffic within a honeynet is attack traffic (no baseline).  Could you be 
more specific as to exactly what part your neural network will play in the honeynet?

        --Graeme Connell



-----Original Message-----
From:   cyb3rh3b () kecoak or id [mailto:cyb3rh3b () kecoak or id]
Sent:   Fri 8/19/2005 9:21 PM
To:     honeypots () securityfocus com
Cc:     
Subject:        deploying honeypots...
Hi,

I've been reading about honeypot technology for a couple of months, but I have
never deployed one. It's my final term at college now and I am planning to build
a honeynet with an artificial neural network integrated into its system...

First of all... I am trying to build my own honeynet, but there are some
problems with its topology. I am going to use 2 kinds of OS as targets behind a
honeywall: Windows XP and Gentoo Linux. My questions are:

1. Should I use a full defending system for both OSes (especially for Windows,
should it be patched with the new patches or just left alone) or just leave
them as default systems?

2. I am planning to use data from the Scan of the Month challenge as a base for
the artificial neural network application and train it in the honeynet network.
I haven't downloaded that data yet, so I don't know if the captured data was
designed for a server-area honeynet or a personal-machine honeynet, so I still
have no idea what kind of honeypot machine, especially for Windows, I should
build here. Should I run a server or just a personal machine?! If it is a
server... then what kind of services are commonly used in a honeynet?

I think just 2 questions for now :P. I'm not speaking English fluently, so I'm
really sorry if my English here is bad...


warm regards,
Rasyid



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
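Graeme's point that a honeynet gives a classifier no baseline (every flow it captures is hostile, so the training labels are all "attack") can be made concrete. The following is an added example, not code from either poster: a single logistic "neuron" trained with plain gradient descent on constructed, pre-scaled flow features. The feature names, the sample flows and the held-out set are all assumptions made for the illustration.

```python
import math
from typing import List, Sequence, Tuple

# Constructed feature vectors, each scaled to [0, 1]:
#   (connection rate, distinct destination ports, failed logins per minute).
# Everything a honeynet records is attack traffic by definition, so the only
# label the honeynet can supply for these rows is 1 ("attack").
HONEYNET_FLOWS = [
    [0.90, 0.80, 0.90],
    [0.70, 0.90, 0.60],
    [0.80, 0.60, 0.80],
    [0.95, 0.70, 0.70],
]

# Constructed benign flows, the kind of baseline a production network (not a
# honeynet) would have to provide, labelled 0 ("benign").
BASELINE_FLOWS = [
    [0.10, 0.10, 0.00],
    [0.20, 0.05, 0.10],
    [0.05, 0.20, 0.00],
    [0.15, 0.10, 0.05],
]

# Constructed benign flows kept out of training to measure false positives.
HELDOUT_BENIGN = [
    [0.12, 0.08, 0.02],
    [0.08, 0.12, 0.00],
]

Model = Tuple[List[float], float]  # (weights, bias)


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train(flows: Sequence[Sequence[float]], labels: Sequence[int],
          epochs: int = 2000, lr: float = 0.5) -> Model:
    """Batch gradient descent for logistic regression (one sigmoid unit)."""
    n = len(flows[0])
    w, b = [0.0] * n, 0.0
    m = len(flows)
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n, 0.0
        for x, y in zip(flows, labels):
            # err is (prediction - label); with every label equal to 1 it is
            # never positive, so the weights and bias can only ever grow.
            err = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            for i in range(n):
                grad_w[i] += err * x[i]
            grad_b += err
        w = [wi - lr * g / m for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / m
    return w, b


def predict(model: Model, x: Sequence[float]) -> float:
    """Probability that flow x is an attack under the given model."""
    w, b = model
    return sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))


def false_positive_rate(model: Model,
                        benign: Sequence[Sequence[float]]) -> float:
    """Fraction of known-benign flows the model flags as attacks."""
    flagged = sum(1 for x in benign if predict(model, x) >= 0.5)
    return flagged / len(benign)


def honeynet_only_model() -> Model:
    """Trained the way the question proposes: honeynet captures alone."""
    return train(HONEYNET_FLOWS, [1] * len(HONEYNET_FLOWS))


def honeynet_plus_baseline_model() -> Model:
    """Same honeynet captures plus benign baseline traffic."""
    flows = HONEYNET_FLOWS + BASELINE_FLOWS
    labels = [1] * len(HONEYNET_FLOWS) + [0] * len(BASELINE_FLOWS)
    return train(flows, labels)


if __name__ == "__main__":
    for name, model in (("honeynet only", honeynet_only_model()),
                        ("honeynet + baseline", honeynet_plus_baseline_model())):
        print(f"{name:20s} false positive rate on held-out benign flows: "
              f"{false_positive_rate(model, HELDOUT_BENIGN):.2f}")
```

With attack-only labels the gradient never pushes the bias down, so the model degenerates into "everything is an attack" and flags all of the held-out benign traffic. Adding benign flows from a non-honeynet source is what lets it learn a boundary at all, which is the baseline Graeme says the honeynet itself cannot supply.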
