Re: Honeypot-questions

From: bacano (bacano@esoterica.pt)
Date: 08/26/01


Message-ID: <002d01c12e58$2f2777c0$c50b16c3@piii550>
From: "bacano" <bacano@esoterica.pt>
To: <focus-ids@securityfocus.com>
Subject: Re: Honeypot-questions
Date: Sun, 26 Aug 2001 18:54:36 +0100

hi2all,

I'm not an IDS expert, but it's the weekend and I've got nothing to do =;o)

From: "Axel Hammer" <info@daten-treuhand.de>

> Now, how to realise such a honeypot? Is an IDS able to direct faulty
> requests to such a honeypot?

I suppose that for the IDS the goal of a system doesn't matter
(production/firewall/honeypot/mail/...); it will have to spot the intruders
anyway.

> What is the best system used for a honeypot?

Widely used systems, for more 'feedback'; the system you use on your servers,
so you can take more advantage of it.

> Would you suggest an actively unsecured system in a firewalled sandbox,
> which gets restored
> every two weeks from scratch? Or do you rather install a real challenge,
> highly secured like any other usual server?

Well ... a nice challenge, just a little less secure than usual, is ok
... you don't want a honeypot with no intruders (that is a firepot eheheh)
and you don't want a system so unsecured that you will not learn
anything from it.

> How to gain attention from an attacker?

hhmmm ... just wait, they will show up ... in a situation like that I
usually just go out fishing =;o)

> Does it make sense to code some special app's that behave like 'real'
> servers but may not cause any harm?

If it is an add, it's a good idea and you've got nothing to lose, go for it.

> And after all, why not use the spent time and hardware into securing the
> existing servers a little bit more rather than maintaining another
> system?

And why not have both? In the end, a honeypot is a tool so you can secure
your systems better. You can learn from your IDS/logging systems, and even
if you usually pen-test your own systems, this way you will have an easy 2nd
opinion, well ... more like lots of opinions, which is always good :>

[ ]'s bacano
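As an added illustration of the "special app's that behave like 'real' servers but may not cause any harm" idea discussed above (example code, not from the original thread or any product it mentions): a minimal low-interaction fake service that answers every connection with a fixed banner, logs what the peer sent as an escaped JSON line, and never acts on the input. The banner text, `record_probe`, `run_honeypot`, `probe_once` and the `records` attribute are this example's own assumptions.

```python
import json
import socket
import socketserver
import threading
import time

# Fake, harmless banner: looks like a mail server, but nothing behind it is real.
HONEYPOT_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"
MAX_CAPTURE = 1024  # bytes kept per probe, so a noisy scanner cannot fill the log

def record_probe(peer, payload, ts):
    """One JSON-serialisable log record; bytes are escaped, never stored raw."""
    return {
        "ts": round(ts, 3),
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(payload),
        "data": payload[:MAX_CAPTURE].decode("ascii", errors="backslashreplace"),
        "truncated": len(payload) > MAX_CAPTURE,
    }

class ProbeHandler(socketserver.BaseRequestHandler):
    """Send the banner, read at most one request, log it, hang up."""
    def handle(self):
        self.request.settimeout(5)  # idle scanners must not pin a thread
        self.request.sendall(HONEYPOT_BANNER)
        try:
            data = self.request.recv(4096)
        except OSError:  # timeout or reset: still logged, as an empty probe
            data = b""
        rec = record_probe(self.client_address, data, time.time())
        self.server.records.append(rec)
        print(json.dumps(rec))  # one JSON line per probe, easy to ship to a SIEM

def run_honeypot(host="127.0.0.1", port=0):
    """Start the listener on a background thread; return (server, bound port)."""
    srv = socketserver.ThreadingTCPServer((host, port), ProbeHandler)
    srv.daemon_threads = True
    srv.records = []  # in-memory copy of the log (attribute added by this example)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def probe_once(port, data):
    """Client side, to exercise the listener: returns the banner it received."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        banner = s.recv(256)
        s.sendall(data)
        while s.recv(256):  # drain until the honeypot closes, i.e. after logging
            pass
    return banner
```

Run it behind the firewalled sandbox the thread talks about and feed the JSON lines to the same logging/IDS pipeline as the real servers, so each probe becomes a record to compare against.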
