RE: Honeypots: Uses and Features

["Gonzalez, Albert" <albert.gonzalez () eds com>]

IMHO I don't believe logging connections to closed ports is that important,
though it has its usage. I personally would log after a certain threshold is
exceeded, this could catch people knocking hard on certain ports. This would
help various trending sites like incidents.org and or dshield.org. Other
people might have different views as some like knowing everything that is
knocking on the door. Hope that helps!

 Cheers,
 Alberto Gonzalez 


> -----Original Message-----
> From: Larissa Fricker [mailto:lft () netsec ch] 
> Sent: Tuesday, June 03, 2003 11:02 AM
> To: honeypots () securityfocus com
> Subject: Re: Honeypots: Uses and Features
>
>
>
> How important is logging every connection attempt on every
> (closed) port for a production honeypot?
>
> Because it multiplies the number of 'irrelevant' security incidents
> and as a result also considerably increases the number of alerts,
> I feel that it might cause more bad than good in a production
> honeypot, where a low rate of false alerts is paramount.
>
> I realize that the situation is completely different for 
> research setups.
>
> What do you think?
>
>   Lara
>
> --------------------------------------------------------------------
> N E T S E C - Network Security Software
> Web: www.netsec.ch  -  Mail: info () netsec ch
> Munzingerstr. 17A - 3007 Bern - Switzerland
> Phone: +41 313760534 - Fax: +41 313760533
> --------------------------------------------------------------------