Honeypots mailing list archives

Re: logging facility


From: Floydman <floydman () iquebec com>
Date: Thu, 28 Aug 2003 05:02:07 -0400

Well, a honeypot is just a normal system, meant to be hacked into, on which you can apply all sorts of tools, including an IDS (by that I assume you mean NIDS). It is just that on production systems, you cannot use some of these tools for impractical or legal reasons (for example, sniffing and logging all your production traffic would be impractical in terms of volume of data, and would probably break some privacy laws). But for your honeypot, you could very well decide to put a NIDS like Snort, sniff all the traffic with TCPDump, put a HIDS like Tripwire, have a firewall for which you keep all the logs, etc... Really, technically, there is not much of a difference; the context has a lot to do with what you call "logging facilities". Since there is no legitimate traffic on the honeypot by definition, all of it is malicious by nature, hence "higher" detection.

If you're still confused with these concepts, I'd recommend that you read Lance Spitzner's papers on www.honeynet.org.

Floydman
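An added example (not part of the original post) of the point above: on a honeypot, every packet addressed to it is an alert, so the log triage needs no signatures or allowlist, only aggregation by source. The log lines and their iptables-style format are constructed for this example; the regex is an assumption about that format.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall log lines (not from the original post);
# 192.0.2.10 plays the honeypot, 192.0.2.20 a production host on the same sensor.
SAMPLE_LOG = """
Aug 28 04:58:01 hp kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=22
Aug 28 04:58:02 hp kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40212 DPT=23
Aug 28 04:58:03 hp kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40213 DPT=80
Aug 28 04:59:10 hp kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=137
Aug 28 05:00:00 hp kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=443
""".strip()

# Assumed field layout; a real firewall's log format will differ.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return the src/dst/proto/dport fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dport": int(m["dport"])}


def honeypot_alerts(log_text, honeypot_ip):
    """Treat every packet addressed to the honeypot as an alert.

    There is no legitimate traffic to filter out, so no signature or allowlist
    is applied; packets to other hosts are skipped because they need normal
    (signature-based) analysis. Returns {source_ip: {"hits": n, "ports": [...]}}.
    """
    by_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != honeypot_ip:
            continue
        by_src[rec["src"]]["hits"] += 1
        by_src[rec["src"]]["ports"].add(rec["dport"])  # several ports from one source: scan indicator
    return {src: {"hits": v["hits"], "ports": sorted(v["ports"])} for src, v in by_src.items()}


if __name__ == "__main__":
    for src, info in honeypot_alerts(SAMPLE_LOG, "192.0.2.10").items():
        print(f"ALERT {src}: {info['hits']} packets, ports {info['ports']}")
```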

At 08:19 PM 27/08/2003, Motayyam79 () aol com wrote:

Fine, but an IDS can be deployed on a network that doesn't have any
production traffic.
What logging facilities does a honeypot use that make it stronger than
normal systems?