Security Basics mailing list archives

RE: Honeypot Server


From: Albert Gonzalez <albertg () cerveau us>
Date: Thu, 17 Jan 2008 18:02:38 -0600

The bait n switch preproc with Snort allows you to redirect traffic that triggered an alert to a honeypot/net, which 
combines research and some security features into a honeypot deployment. So they definitely can provide some security. 
Keep in mind that any traffic hitting your honeynet is malicious, which can act as a warning system.

You can even deploy in a round-robin fashion, so if the alert is for a Windows vuln, send to the win32 HP, and if it is a Linux alert, send 
to the *nix HP, and so forth. 

I wrote a paper with Jason Larsen discussing these ideas; it's called "Fun Things to do with your honeypot".

Hope that helps.
-Albert G.

-----Original Message-----
From: krymson () gmail com
Sent: Thursday, January 17, 2008 3:38 PM
To: security-basics () securityfocus com
Subject: Re: Honeypot Server

"Easy to admin, monitor, alert..." I apologize, but I would first question what your intended purpose for the honeypot 
would be. I get the feeling you want something more like a network tripwire that you don't have to look at. I would 
steer you towards an IDS solution like Snort or some other sort of deep inspection firewall or even just your firewall 
logs.

A honeypot, while fun and interesting, is still largely a measure for malware/hacker research as opposed to any real 
security measure. I know you didn't call it a security measure, but it sounds like you want a security measure...? A 
honeypot has very little value to most shops that are not providing actual research.


<- snip ->
Can you advise what is the best honeypot server available
Open-source or commercial - it doesn't matter as long as it will be easy to
administrate and easy to monitor and alerted ...


