Honeypots mailing list archives
Re: logging facility
From: Floydman <floydman () iquebec com>
Date: Wed, 27 Aug 2003 15:18:11 -0400
It's easy. A honeypot is by definition a system (or a set of systems) deliberately meant to be hacked as bait, thus no real production traffic occurs on these networks. So, all the traffic on it is suspicious by nature. On production networks, the difficulty for IDS is that it has to determine through all the traffic which one is legitimate and which one is suspicious. What can happen at this point is that either a) malicious traffic is effectively identified as such; b) malicious traffic is erroneously identified as valid traffic, causing an attack to go undetected; or c) valid traffic is erroneously identified as suspicious traffic, which causes false alarms that can, in the long run, cause the attention brought to these alarms to decrease, which can eventually cause rightly detected intrusions to be overlooked by the people assigned to protecting the network.

These issues do not occur on a honeypot because in normal usage, there should be no traffic at all on it. As soon as there is activity, it means that something wrong is occurring. The challenge for IDS developers/users is to configure it in such a way that it increases the occurrences of a) while decreasing as much as possible b) and c), which implies good knowledge of networking protocols and what is to be considered valid traffic on your network.
Hope this helps.

Floydman

At 01:36 PM 27/08/2003, Motayyam79 () aol com wrote:

Hi all, what makes the logging capability on honeypots far stronger than normal systems like IDS? thanks,

_____________________________________________________________________
MSN Messenger, new version! Personalize your messages, play online and communicate in real time by video! http://ifrance.com/_reloc/m
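The three outcomes Floydman lists (a: attack detected, b: attack missed, c: false alarm) can be made concrete with a small scoring harness. The following is an added example, not code from the thread or from any honeypot project: it runs a toy signature-based IDS rule and a honeypot rule ("anything at all is an alert") over constructed connection records whose ground truth is known only because they were made up here. The signature list, hosts and payloads are all hypothetical.

```python
"""Score a toy IDS rule and a honeypot rule against constructed traffic.

Added example for the honeypots thread; none of the data below is a real
capture and the signatures are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str
    dst_port: int
    payload: str
    malicious: bool  # ground truth; known only because the data is constructed


# Constructed production traffic: mostly legitimate, with two attacks mixed in.
PRODUCTION_TRAFFIC = [
    Conn("10.0.0.5", 80, "GET /index.html", False),
    Conn("10.0.0.7", 22, "SSH-2.0-OpenSSH", False),
    Conn("10.0.0.9", 80, "GET /cgi-bin/../../etc/passwd", True),
    # Legitimate request that happens to contain a signature substring.
    Conn("10.0.0.11", 80, "GET /admin/../etc/passwd.bak", False),
    # Attack for which the toy IDS has no signature.
    Conn("10.0.0.13", 445, "novel-exploit-no-signature", True),
]

# Constructed honeypot traffic: by definition only uninvited visitors show up.
HONEYPOT_TRAFFIC = [
    Conn("198.51.100.4", 445, "novel-exploit-no-signature", True),
    Conn("198.51.100.8", 22, "SSH-2.0-brute", True),
]

# Hypothetical signature list for the toy IDS.
SIGNATURES = ["/etc/passwd", "cmd.exe"]


def ids_alerts(conn: Conn) -> bool:
    """Production-style rule: alert only when a known signature matches."""
    return any(sig in conn.payload for sig in SIGNATURES)


def honeypot_alerts(conn: Conn) -> bool:
    """Honeypot rule: no legitimate traffic is expected, so every connection is an alert."""
    return True


def evaluate(traffic, detector) -> dict:
    """Count Floydman's outcomes a), b), c) plus the quiet (benign, no alert) case."""
    counts = {"a_detected": 0, "b_missed": 0, "c_false_alarm": 0, "quiet": 0}
    for conn in traffic:
        alert = detector(conn)
        if conn.malicious and alert:
            counts["a_detected"] += 1
        elif conn.malicious:
            counts["b_missed"] += 1
        elif alert:
            counts["c_false_alarm"] += 1
        else:
            counts["quiet"] += 1
    return counts


if __name__ == "__main__":
    print("IDS on production:      ", evaluate(PRODUCTION_TRAFFIC, ids_alerts))
    print("Honeypot rule on honeypot:", evaluate(HONEYPOT_TRAFFIC, honeypot_alerts))
    # Shows why the honeypot rule cannot simply be moved to a production network.
    print("Honeypot rule on production:", evaluate(PRODUCTION_TRAFFIC, honeypot_alerts))
```

On the production set the signature rule gets one of each outcome: it catches the path-traversal request, misses the attack it has no signature for (b), and raises a false alarm on the benign `passwd.bak` request (c). The same novel attack is caught on the honeypot because nothing legitimate should be there to confuse the rule; running the honeypot rule on production traffic instead turns every legitimate connection into a false alarm, which is the tuning problem the post describes.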
Current thread:
- logging facility Motayyam79 (Aug 27)
- Re: logging facility Valdis . Kletnieks (Aug 27)
- Re: logging facility George Washington Dunlap III (Aug 27)
- Re: logging facility Floydman (Aug 27)
- <Possible follow-ups>
- Re: logging facility Motayyam79 (Aug 27)
- Re: logging facility Richard Stevens (Aug 28)
- Re: logging facility KeyFocus (Aug 28)
- Re: logging facility Floydman (Aug 28)
- Re: logging facility Floydman (Aug 28)
- Re: logging facility Motayyam79 (Aug 28)
- Re: logging facility KeyFocus (Aug 28)
- Re: logging facility urbn (Aug 29)
- Re: logging facility KeyFocus (Aug 29)
- Re: logging facility KeyFocus (Aug 28)
- Re: logging facility Valdis . Kletnieks (Aug 28)
- Re: logging facility Valdis . Kletnieks (Aug 27)