Re: Effectiveness of a Honeypot
From: Joe Dauncey (toothbrushhead@yahoo.com)
Date: 08/29/01
- Previous message: Gregory_DeGennaro@csaa.com: "RE: Effectiveness of a Honeypot"
- In reply to: Reeves, Michael (GEAE, Compaq): "RE: Effectiveness of a Honeypot"
- Next in thread: Gregory_DeGennaro@csaa.com: "RE: Effectiveness of a Honeypot"
Message-ID: <3B8CB17E.3FA518E0@yahoo.com>
Date: Wed, 29 Aug 2001 10:10:22 +0100
From: Joe Dauncey <toothbrushhead@yahoo.com>
To: focus-ids@securityfocus.com
Subject: Re: Effectiveness of a Honeypot
Hello,
I'm not sure whether this is really a Honeypot or an IDS, but this is
what we did when one of our customers had a Code Red infestation.
We had a couple of UNIX webservers already on the network, and we
monitored their logs to see what hosts were trying to infect them.
Admittedly it only caught a subset of the infected hosts, but it was
very useful. We also used them for some time after we thought they were
all closed off so as to catch anything we'd missed.
So, is that an IDS or a Honeypot? Or is it just semantics?
The key point though was that this customer didn't have an internal IDS,
so we had to improvise with the resources available.
Joe
"Reeves, Michael (GEAE, Compaq)" wrote:
>
> I will give my 3 cents on this issue. Unless you are wanting to do research
> on new tools in the wild or trying to learn a little about root kits etc. I
> feel honeypots are more of a risk than anything. What better way to draw
> attention to your network than having a wide open host. Now if you are
> looking to snag someone internal they are great as long as they are not
> accessible via the net. I am just not sure how effective sacrificing a lamb
> to save the herd when it brings all the hungry wolves to the fence.
>
> Mike
>
> -----Original Message-----
> From: matheny [mailto:matheny-ids@dbaseIV.net]
> Sent: Sunday, August 26, 2001 2:45 PM
> To: focus-ids@securityfocus.com
> Subject: Effectiveness of a Honeypot
>
> Has anyone done an analysis on the effectiveness of a honeypot? I checked out the
> honeynet project, but they didn't have anything like what I was looking for. The
> reason I bring it up is, it seems that a honeypot would be almost completely
> useless. My thinking behind this is a.) script kiddies generally go after machines
> that are exploitable, and don't necessarily care about an interesting target so
> this probably won't divert them from attacking and b.) your experienced hackers
> will probably realize this is a honeypot (maybe, maybe not, but this has been my
> experience). So neither of these people are being diverted by the honeypot. Anyone
> have any positive or negative experiences with honeypots in the real world?
> -Blake
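An added example, not part of the original message or thread: one way to pull the list of probing hosts out of a UNIX web server's access log, as the reply above describes. It assumes Apache Common Log Format and the publicly documented Code Red request shape (`/default.ida?` followed by a long run of `N`, or `X` for Code Red II); the function names, addresses and log lines are constructed for illustration.

```python
import re

# Common Log Format: host ident user [time] "METHOD url proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')
# Assumed signature: /default.ida? plus at least 100 repeats of one filler char.
CODE_RED = re.compile(r'^/default\.ida\?([NX])\1{99,}')
VARIANT = {"N": "Code Red", "X": "Code Red II"}


def sample_log():
    """Constructed log lines (not real data); the worm's payload is omitted."""
    n, x = "N" * 224, "X" * 224
    return [
        f'10.1.4.23 - - [29/Aug/2001:09:12:44 +0100] "GET /default.ida?{n}=a HTTP/1.0" 404 276',
        '10.1.2.5 - - [29/Aug/2001:09:13:02 +0100] "GET /index.html HTTP/1.0" 200 1043',
        f'10.1.7.88 - - [29/Aug/2001:09:15:31 +0100] "GET /default.ida?{x}=a HTTP/1.0" 404 276',
        '10.1.2.9 - - [29/Aug/2001:09:16:10 +0100] "GET /default.ida?page=1 HTTP/1.0" 404 276',
        'truncated or corrupt line',
        f'10.1.4.23 - - [29/Aug/2001:11:40:07 +0100] "GET /default.ida?{n}=a HTTP/1.0" 404 276',
    ]


def infected_hosts(lines):
    """Map each source host that sent a Code Red style request to a summary."""
    hosts = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not valid CLF entries
        host, when, _method, url, _status = m.groups()
        hit = CODE_RED.match(url)
        if not hit:
            continue  # ordinary traffic, including benign /default.ida lookups
        rec = hosts.setdefault(host, {"variant": VARIANT[hit.group(1)],
                                      "hits": 0, "first": when, "last": when})
        rec["hits"] += 1
        rec["last"] = when  # keeps the most recent probe, to spot missed hosts
    return hosts


if __name__ == "__main__":
    for host, rec in infected_hosts(sample_log()).items():
        print(host, rec["variant"], rec["hits"], rec["first"], rec["last"])
```

The `last` timestamp is what makes the log useful after cleanup: a host still probing after it was believed fixed shows up with a recent value.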