Honeypots mailing list archives
Re: An Idea for Discussion for HoneyView
From: Pascal Charest <praetori () step polymtl ca>
Date: Thu, 1 May 2003 10:15:54 -0400 (EDT)
I wonder if this is really applicable. We are speaking of a very high overhead for little result. I don't think the database would really be useful in a production environment, since you cannot really block an entire router (we are more than a million here that have as first gateway one of the videotron.com routers).

The other problem would be the bandwidth asked for by this operation; we are speaking of slowing down the speed of the login to a crawl.

I would also wonder if there would be useful results, since a hacker might decide to use an anonymous proxy, VPN, modified ircbot, hacked computer... all of which would compromise your data accuracy.

My 2 cents...

Pascal Charest :: Alias: Praetorian
Administrator of STEP and Coopoly
Manager of DagWave Media
Ecole Polytechnique de Montreal

On Thu, 1 May 2003, Karl Hable wrote:
> I found one lack when analyzing the data captured from honeyd. You won't really get an idea of who may be the same person who visited you. It's not possible to decide this because providers normally give IP addresses from a pool to their dial-in users. These IP pools often span several class-C nets, so it's often in the dark who comes from the same origin.
>
> So ... you always do the same ... traceroute the IP and look where he comes from ... but 5 min later you won't remember.
>
> So .. I got the idea to let a cron job traceroute all new IP addresses and store the routing information also in HoneyView's database.
>
> Now you would also be able to query your visitors by the rule
> -> list me all guys coming over router aaa.bbb.ccc.ddd
>
> Now you see definitely all guys coming from the same dial-in point, and you'll see all IP addresses a certain dial-in point has in its bag (after a certain amount of time).
>
> In a production environment this will give you the information for defining filter rules for your firewalls, which IPs you probably completely block.
>
> I'm interested in what you think of this suggestion.
>
> Karl Hable
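Karl Hable's proposal above (store the traceroute hops for each visitor, then query visitors by router), sketched as an added example that is not part of the thread or of HoneyView. The table layout, function names and sample traces are assumptions; the traces are constructed from documentation address ranges. The per-router visitor count also makes the concern in Pascal Charest's reply visible: an upstream hop matches every visitor.

```python
import re
import sqlite3

# Constructed `traceroute -n` output, honeypot -> visitor (documentation addresses only).
SAMPLE_TRACES = {
    "198.51.100.23": " 1  192.0.2.1  1.1 ms\n 2  192.0.2.9  8.4 ms\n 3  * * *\n"
                     " 4  192.0.2.77  15.2 ms\n 5  198.51.100.23  41.0 ms\n",
    "203.0.113.140": " 1  192.0.2.1  1.0 ms\n 2  192.0.2.9  8.1 ms\n"
                     " 3  192.0.2.77  14.9 ms\n 4  203.0.113.140  39.5 ms\n",
    "203.0.113.200": " 1  192.0.2.1  1.2 ms\n 2  192.0.2.9  8.3 ms\n"
                     " 3  192.0.2.90  16.0 ms\n 4  203.0.113.200  44.7 ms\n",
}

# Hop number at line start followed by a dotted-quad; '* * *' timeout lines do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)", re.M)

def parse_hops(text):
    """Return [(hop_no, ip)] for every hop that answered."""
    return [(int(n), ip) for n, ip in HOP_RE.findall(text)]

def build_db(traces):
    """Store one row per (visitor, hop); hypothetical schema, not HoneyView's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hop (visitor TEXT, hop_no INTEGER, router TEXT)")
    for visitor, text in traces.items():
        # The final hop is the visitor itself, not a router on the path.
        rows = [(visitor, n, ip) for n, ip in parse_hops(text) if ip != visitor]
        db.executemany("INSERT INTO hop VALUES (?, ?, ?)", rows)
    return db

def visitors_via(db, router):
    """'List me all guys coming over router X.'"""
    q = "SELECT DISTINCT visitor FROM hop WHERE router = ? ORDER BY visitor"
    return [row[0] for row in db.execute(q, (router,))]

def router_fanout(db):
    """Distinct visitors behind each router; a high count marks a shared upstream hop."""
    q = "SELECT router, COUNT(DISTINCT visitor) FROM hop GROUP BY router"
    return dict(db.execute(q))

if __name__ == "__main__":
    db = build_db(SAMPLE_TRACES)
    # Two visitors from different /24 networks share the same last router.
    print(visitors_via(db, "192.0.2.77"))
    for router, count in sorted(router_fanout(db).items(), key=lambda kv: -kv[1]):
        print(f"{router:<12} {count} visitor(s)")
```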