Snort mailing list archives
RE: VERY simple 'virtual' honeypot
From: "Ofir Arkin" <ofir () sys-security com>
Date: Sat, 9 Mar 2002 19:30:29 -0000
Ryan, You get to pull the attack of the wire only if they complete it... If they will not get the right response no attack will be performed. If the aim is to generate responses than you need to have a real intelligence engine to produce them in a way the engine itself will not get fingerprinted. Also, it is more interesting, in my opinion, to simulate real world production environment style to Honeynets rather than a virtual one with less functionality. Ofir Arkin [ofir () sys-security com] Founder The Sys-Security Group http://www.sys-security.com PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA -----Original Message----- From: Ryan Russell [mailto:ryan () securityfocus com] Sent: 09 March 2002 18:48 To: Ofir Arkin Cc: 'Snort-Users (E-mail)'; honeypots () securityfocus com Subject: RE: [Snort-users] VERY simple 'virtual' honeypot On Sat, 9 Mar 2002, Ofir Arkin wrote:
In my opinion it will be missing the main point of a Honeynet.
One that that has been gleaned from the honeypots lists is that there are many possible reasons for running a honeypot.
We all know that we can cut the foreplay pretty fast (scanning,
probing)
and hit the site with an exploit even without the scanning attempt
(read
this in the context :P). But than what? Exploit fails, not much information gained, and we miss the funny part.
One of which is to collect new exploits. As you state, you don't get to watch the attacker operate once they get a shell, but you do get to pull the exploit off the wire. Ryan _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: VERY simple 'virtual' honeypot, (continued)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot James Hoagland (Mar 08)
- Re: VERY simple 'virtual' honeypot George Bakos (Mar 08)
- Re: VERY simple 'virtual' honeypot Martin Roesch (Mar 08)
- Re: VERY simple 'virtual' honeypot Jason Robertson (Mar 09)
- RE: VERY simple 'virtual' honeypot Ofir Arkin (Mar 09)
- Re: VERY simple 'virtual' honeypot Fyodor (Mar 09)
- RE: VERY simple 'virtual' honeypot Dan Hollis (Mar 09)
- RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 09)
- RE: VERY simple 'virtual' honeypot Ofir Arkin (Mar 09)
- RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 09)
- RE: VERY simple 'virtual' honeypot Earthlink (Mar 09)
- RE: VERY simple 'virtual' honeypot Alex Collins (Mar 08)
- RE: VERY simple 'virtual' honeypot Michael Clark (Mar 08)
- Re: RE: VERY simple 'virtual' honeypot Ashley Thomas (Mar 08)
- Re: RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 08)
- Re: RE: VERY simple 'virtual' honeypot Ashley Thomas (Mar 08)
- Re: RE: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)