Honeypots mailing list archives
Re: Managing Deception
From: ChayoteMu <chayotemu () gmail com>
Date: Tue, 5 Jul 2005 20:31:50 -0700
I'm building a small "wish-list" network plan for myself to use as a testbed and had a similar idea. The way I was thinking of doing this would be to either have an inline machine between your honeynet and the pipe to the Internet, lock that box down and make it transparent to both sides. Then internally use that to block attack traffic going from the honeynet by either diverting it back to a random honeynet host or by simulating a response of some sort. What you could do is either use this idea or just get an invisible server that can only send data to the honeynet. This box searches and generates false information, possibly from a shared source, and automates e-mails and such and then sends the info into the honeynet, where the various machines pick up the info and daemons pick up the data and integrate it. With a bit of planning there could be a semi-shared server out there for such machines to connect to that could harvest and generate such data, or volunteers could create the information by hand. It would definitely require review of all content, especially the human-made content, but could be worth the effort. I don't know of anything that does this already, but would also be interested if someone else does.

On 7/5/05, seamus blarnum <crpyt0k1d () yahoo com> wrote:
Greetings, I have some questions for the sticky-crew here. I'm working on a paper on honeynet development for a small-to-mid-sized corporation. The issue I keep coming into is the management of a grouping of dummy systems. Does anyone know of a good commercial product that can simulate user behavior and crawl websites, build or import network documents from a central server to simulate network transfers? I was also wondering if there is a product that could simulate random-content emails, by scanning popular "sites of interest" and using site headlines in emails: "the packers just won", or "kevin mitnick released a trance album". Just simple stuff that would seem innocuous to a remote listener. Potentially even having a central file server that simulates network traffic by scanning through documents prepared by the deployment team that contain specific information to be relayed through the network? I know it seems like a lot, but I'm sitting here putting this into a moldable mental form. Content is important if these things are going to really be sticky. The low skill of newbs helps them not understand what to seek, but skilled infiltrators are looking for something specific (accounting information, intellectual property, etc.). These are the folks we want to get stuck and sit around long enough for us to identify why they're on the box in the first place. Thoughts from the group? Thanks for any pointers, solid comments, or responses.

Seamus
-- ChayoteMu "To catch a thief, think like a thief. To catch a master thief, be a master thief."
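One concrete piece of the content-seeding idea both messages describe, as an added example that is not code from either poster: decoy e-mails built from a curated headline pool, each stamped with an HMAC-derived canary reference and recorded in a ledger kept outside the honeynet, so a later sighting of that reference (in outbound traffic, a paste, a captured sample) can be attributed to the specific honeynet host it was planted on. Host names, the headline pool and the ledger secret are constructed placeholders.

```python
"""Seed honeynet hosts with decoy e-mails that carry per-host canary references."""
import hashlib
import hmac
import random

# Constructed headline pool; a real deployment would curate and review every entry.
HEADLINES = [
    "The Packers just won",
    "Kevin Mitnick released a trance album",
    "Quarterly accounting review moved to Friday",
]

# Placeholder secret; keep it on the seeding box, never inside the honeynet.
SECRET = b"constructed-ledger-secret"


def canary(host, seq, secret=SECRET):
    """Deterministic but unguessable reference tying one document to (host, seq)."""
    msg = f"{host}:{seq}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def make_decoy_mail(host, seq, rng, secret=SECRET):
    """Build one plausible-looking internal mail addressed to a honeynet host."""
    token = canary(host, seq, secret)
    headline = rng.choice(HEADLINES)
    body = f"Hi all,\n\nDid you see this? {headline}.\n\nRef: {token}\n"
    return {"to": f"user@{host}", "subject": headline, "body": body, "token": token}


def seed_hosts(hosts, per_host, seed=0, secret=SECRET):
    """Return (mails, ledger); ledger maps token -> host for later attribution."""
    rng = random.Random(seed)  # seeded so a seeding run is reproducible for review
    mails, ledger = [], {}
    for host in hosts:
        for seq in range(per_host):
            m = make_decoy_mail(host, seq, rng, secret)
            mails.append(m)
            ledger[m["token"]] = host
    return mails, ledger


def attribute(ledger, observed_text):
    """Which honeynet hosts did any canary found in observed_text come from?"""
    return sorted({host for tok, host in ledger.items() if tok in observed_text})
```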