Honeypots mailing list archives
Re: logging facility
From: Valdis.Kletnieks () vt edu
Date: Wed, 27 Aug 2003 13:57:06 -0400
On Wed, 27 Aug 2003 13:36:34 EDT, Motayyam79 () aol com said:
What makes the logging capability on honeypots far stronger than normal systems like IDS?
First off, I'm not at all convinced that the logging capability *itself* is any stronger. If it was, the IDS could just use the stronger capability itself. The major benefit a honeypot has is that you have very few issues with false positives - after all, a honeypot is basically just an IDS parked someplace where it *shouldn't* see traffic, so all the traffic it gets is presumably from people who are up to no good. An IDS on a production system can be a bad time if a specific Oracle query used by the payroll system happens to false-positive a Snort rule (Yes, I've seen it happen - it wasn't pretty.. ;)
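[Added example, not part of the original message or the poster's code.] The false-positive contrast described in the reply above, scored over constructed events: a content-matching rule on production traffic versus a honeypot that alerts on any traffic it receives. The addresses, the keyword signature (a stand-in, not a real Snort rule) and the events are all assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: the honeypot sits in an otherwise unused range (documentation prefix).
HONEYPOT_NET = ipaddress.ip_network("192.0.2.64/28")
# Hypothetical keyword signature, a stand-in for a content-matching IDS rule.
SIGNATURE = re.compile(r"UNION\s+SELECT", re.IGNORECASE)

# Constructed events; "malicious" is ground truth used only for scoring.
EVENTS = [
    {"src": "10.0.5.20", "dst": "10.0.9.10",  # payroll report query
     "payload": "SELECT name, pay FROM staff UNION SELECT name, pay FROM temps",
     "malicious": False},
    {"src": "10.0.3.14", "dst": "10.0.9.10",
     "payload": "SELECT id FROM timesheets WHERE week = 34",
     "malicious": False},
    {"src": "203.0.113.7", "dst": "10.0.9.10",
     "payload": "x UNION SELECT ...", "malicious": True},
    {"src": "203.0.113.7", "dst": "192.0.2.66",
     "payload": "", "malicious": True},
    {"src": "198.51.100.23", "dst": "192.0.2.70",
     "payload": "GET / HTTP/1.0", "malicious": True},
]

def to_honeypot(event):
    """True when the destination lies in the honeypot range."""
    return ipaddress.ip_address(event["dst"]) in HONEYPOT_NET

def signature_alerts(events):
    """Production IDS: alert when payload content matches the signature."""
    return [e for e in events
            if not to_honeypot(e) and SIGNATURE.search(e["payload"])]

def honeypot_alerts(events):
    """Honeypot: no content inspection; any traffic reaching it is an alert."""
    return [e for e in events if to_honeypot(e)]

def precision(alerts):
    """Fraction of alerts that are truly malicious (1.0 = no false positives)."""
    return sum(e["malicious"] for e in alerts) / len(alerts) if alerts else 0.0

if __name__ == "__main__":
    for name, alerts in (("signature IDS", signature_alerts(EVENTS)),
                         ("honeypot", honeypot_alerts(EVENTS))):
        print(f"{name}: {len(alerts)} alerts, precision {precision(alerts):.2f}")
```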