Honeypots mailing list archives

Re: deploying honeypots...


From: Barrie Dempster <barrie () reboot-robot net>
Date: Tue, 23 Aug 2005 15:18:42 +0100

On Sun, 2005-08-21 at 19:24 -0400, Valdis.Kletnieks () vt edu wrote:
> On Sat, 20 Aug 2005 12:41:20 +0300, Ahmed Ameen said:
> > For your first question I would say leave them with no patches, the
> > objective is to attract the black-hat community.
> 
> This is so counter-productive as to be totally nuts.
> 
> Last I checked, the DShield survival-time estimate was sitting around 20-25
> minutes.  Do you *really* want a honeypot that will get whacked twice an hour
> by the worm du jour?

Indeed.

I believe the OP is interested in things other than the 0day. He seems
to have an interest in general exploitation traffic. Another approach to
this, in order to differentiate between the worm and the actual
attacker, is to patch the vulnerabilities that have known worms and
leave a few unpatched vulnerabilities that have known exploits or the
potential for exploits, e.g. the advisory says "definite DoS, possible
arbitrary code execution".

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3
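The selective-patching idea in the reply above (patch what the worms hit, leave a few exploitable-but-wormless services exposed) only pays off if the honeypot's alert triage actually uses that policy to separate background worm noise from a source that touches the bait. The script below is an added example, not code from the thread or from any of its participants; the exposure policy, service names, source addresses and log lines are all constructed placeholders.

```python
"""Triage of honeypot alerts under a selective-patching policy.

Added example (not from the mailing-list thread).  Services with known
worms are patched, a few vulnerabilities with exploits but no worm are
left exposed, and each source address is judged by which of the two
groups it touches.  All policy entries and log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed policy (hypothetical ports and service names): which
# listening services are patched worm targets and which are deliberately
# left exposed as bait.
EXPOSURE_POLICY = {
    135:  {"service": "rpc-placeholder",    "patched": True,  "worm_known": True},
    445:  {"service": "smb-placeholder",    "patched": True,  "worm_known": True},
    8080: {"service": "webapp-placeholder", "patched": False, "worm_known": False},
    5432: {"service": "db-placeholder",     "patched": False, "worm_known": False},
}

# Constructed honeypot log lines: "<ISO time> <src_ip> <dst_port> <event>"
SAMPLE_LOG = """\
2005-08-21T19:00:01 10.0.0.5 445 connect
2005-08-21T19:00:02 10.0.0.5 445 payload-match
2005-08-21T19:12:40 10.0.0.5 445 connect
2005-08-21T19:12:41 10.0.0.5 445 payload-match
2005-08-21T19:05:10 10.0.0.9 8080 connect
2005-08-21T19:05:33 10.0.0.9 8080 request
2005-08-21T19:06:58 10.0.0.9 5432 connect
2005-08-21T19:03:00 10.0.0.7 135 connect
"""


def parse_log(text):
    """Turn the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "port": int(port), "event": event})
    return events


def classify_event(port):
    """Label one hit by the patch state of the service it targeted."""
    policy = EXPOSURE_POLICY.get(port)
    if policy is None:
        return "unknown-service"
    if policy["patched"] and policy["worm_known"]:
        return "worm-noise"   # patched worm target: background automation
    if not policy["patched"]:
        return "bait-hit"     # deliberately exposed: worth analyst time
    return "other"


def triage(events):
    """Return a verdict per source address.

    A source that only touches patched worm targets is 'likely-worm';
    any source that touches a deliberately exposed service is 'escalate';
    anything else (unknown ports, mixed behaviour) is 'review'.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        labels = {classify_event(e["port"]) for e in evs}
        if "bait-hit" in labels:
            verdicts[src] = "escalate"
        elif labels <= {"worm-noise"}:
            verdicts[src] = "likely-worm"
        else:
            verdicts[src] = "review"
    return verdicts


def summarize(verdicts):
    """Count sources per verdict so the noise level is visible at a glance."""
    counts = defaultdict(int)
    for v in verdicts.values():
        counts[v] += 1
    return dict(counts)


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for src, verdict in sorted(result.items()):
        print(f"{src:<12} {verdict}")
    print(summarize(result))
```

The policy table is the important part: it is the machine-readable form of the decision the reply describes, and it is what lets the triage drop the twice-an-hour worm hits on patched services without burying the one source that went after the deliberately exposed ones.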

