Honeypots mailing list archives
Re: Question
From: "Tom Wright" <tom () keyfocus net>
Date: Tue, 19 Aug 2003 09:58:53 +0100
Hmm, I'm beginning to think the concept of 'medium' or 'middle' interaction may be a bad term. It may be better to just think in terms of 'low' interaction and 'high' interaction. Low interaction being emulated (Specter, KFSensor, Tiny Honeypot), high interaction being real systems or applications (ManTrap, Honeynets).
The lines between 'medium' and 'low' are becoming more blurred when it comes to classifying products. It makes sense to distinguish honeypots based on emulations from real systems, this is a clear line. However, classifying all emulation software as 'low interaction' is a bit misleading.

For example, here is how I would define levels of an SMTP server interaction. The first three levels can all be done by emulation and of course a real system can do all four.

Low interaction: Display server banner and allow attacker to attempt to log on, but reject all user/passwords.
Medium interaction: Allow attacker to log on and send emails to the server.
High interaction: Allow the attacker to use the server to relay mail to anywhere on the internet.
Very high interaction: Allow attacker complete admin control of the SMTP server, or to execute a successful buffer overflow attack.

Maybe we need two distinctions, one to say real/emulation and another one to indicate the level of functionality on offer.

- Tom
http://www.keyfocus.net
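The 'low' and 'medium' SMTP levels defined in the message above, sketched as an emulated dialogue; this is an added example, not part of the original post and not code from any product named in the thread. The class name `SmtpEmulator`, the `LOCAL_DOMAIN` value and the choice to refuse (and log) relay attempts rather than emulate the 'high' level are assumptions.

```python
import base64, binascii
LOCAL_DOMAIN = "honeypot.example"   # constructed value; other domains count as relaying

class SmtpEmulator:
    """Emulated SMTP dialogue; level is 'low' or 'medium' as defined in the post."""
    def __init__(self, level):
        self.level, self.authed, self.in_data = level, False, False
        self.body, self.log = [], []          # log holds (event, detail) tuples

    def feed(self, line):
        """Take one client line, return the reply (None while reading DATA)."""
        if self.in_data:
            if line != ".":
                self.body.append(line)
                return None
            self.in_data = False
            self.log.append(("message", "\n".join(self.body)))  # stored, never delivered
            self.body = []
            return "250 OK"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {LOCAL_DOMAIN}"
        if verb == "AUTH":
            self.log.append(("auth", self._creds(arg)))
            if self.level == "low":           # low: every user/password is rejected
                return "535 Authentication failed"
            self.authed = True                # medium: any credentials are accepted
            return "235 Authentication successful"
        if verb in ("MAIL", "RCPT", "DATA") and not self.authed:
            return "530 Authentication required"
        if verb == "RCPT" and not arg.lower().rstrip(">").endswith("@" + LOCAL_DOMAIN):
            self.log.append(("relay_attempt", arg))
            return "550 Relaying denied"      # relaying is the post's 'high' level
        if verb in ("MAIL", "RCPT"):
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "221 Bye" if verb == "QUIT" else "502 Command not implemented"

    @staticmethod
    def _creds(arg):
        """Decode 'PLAIN <base64>' into (user, password); keep the raw text otherwise."""
        try:
            parts = base64.b64decode(arg.split()[1], validate=True).split(b"\0")
            return parts[1].decode(), parts[2].decode()
        except (IndexError, binascii.Error, UnicodeDecodeError):
            return arg
```

Only `AUTH PLAIN` with an initial response is decoded; other mechanisms are logged as the raw argument.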