Re: Honeypot/net IDS System

[Michael Robinton <michael () insulin-pumpers org>]

On Sun, 22 Feb 2004, Daniel Roth wrote:

> Hi!
>
> I wrote here some months ago about a project I and som friends have been
> asked to do.
> It is up and running now, and we would really(!!) like to have som
> feedback, thoughts and
> ideas before we start using the system sharp. We're currently in a
> testphase.
>
> http://jackass.tekno.chalmers.se/dp03-17/
>
>  From the What-it-is section:
> "...we in the group focused a bit more on how to "invite" the attacker
> and let him/her into
> a fake system, a honeypot. Our honeypot is a single computer, faking
> many computers, with different
> computers, operating systems and routers. This system is supervised via
> a GUI where one can click
> and drag to add computers/routers a visual way. When satisfied a
> configfile will be written and system
> up and running. The backend is a combination of an ids system, with an
> advanced honeypotdeamon,
> lots of virtual filesystems and a log/abuse-function which can mail the
> system administrator when
> something suspicious happens"
>
> Daniel

I'm puzzled by everyone's interest in "fake honeypot" systems. I've run a
couple of them for several years and there is almost NO traffic even
though I have a bunch of email addy's on web pages for spamscrapers to
find.

Running a tarpit as the front end of our mail system catches bunches of
spammers. Why wouldn't you do that instead? It is much more effective and
eliminates the spam from our incoming MTA as well as killing the net
traffic associated with the spam. Since spam outnumbers real messages by
more than 10 to 1 (at least here), this is beneficial.

Michael