Honeypots mailing list archives

RE: Gen I or Gen II


From: Richard-LaBella <RLaBella () OfficeDepot com>
Date: Mon, 10 Feb 2003 09:45:18 -0500

Richard,

The South Florida Honeynet Project has been running GenII data control for
more than six months. 

We wrote a paper that might answer some of your questions to help you get
started. 

http://www.sfhn.org/whites/gen2.html 

GenII data control (Snort-Inline to be more specific) has been very reliable
for us so far. 

Best of luck!

Richard La Bella

-----Original Message-----
From: Richard Stevens [mailto:mail () richardstevens de] 
Sent: Saturday, February 08, 2003 10:09 AM
To: honeypots () securityfocus com
Subject: Gen I or Gen II

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm planning to set up a honeynet to gather information for my thesis. I read
most of the documentation provided on honeynet.org and also the books "Know
your Enemy" and "Honeypots - Tracking Hackers". From what I learned, Gen I is
considered the older but reliable way to do things compared to Gen II being
the more advanced and supposedly easier way to achieve data control.

In the answer to a rejected mail, Lance Spitzner "HIGHLY recommends" looking
into Gen II Honeynets. Gen II definitely sounds a lot better in various terms,
but the low version numbers on some of the tools make me question whether
those utilities are ready for prime time yet. I'm no complete newbie with
Linux firewalls and, for example, snort, and I'm confident I'd be able to set
up a honeynet, but having to work around serious problems with the used tools
might still break my neck.

I'm wondering, are Gen II Honeynets in production right now? What are your
experiences? Do they work well? What would you suggest to someone building
his first honeynet, Gen I or Gen II or a mixture? Anything you encountered
that I should definitely read, check out, keep in mind?

One other thing: I tried to find a way to search and read the older posts on
this list, since I only recently subscribed. The securityfocus web interface
is close to unusable. It's extremely slow to access from Germany and, due to
missing threads, not that easy to use. I tried to search on the net for an
alternative but wasn't successful up to now.

Thanks a lot,

Richard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+RR2hWQvEMJfcXlQRAtpmAJ966J5vz1dxSMwAQcZgvf+J47kWQgCgnWFG
w3zo55y1/A12UcNrKuIa5Iw=
=H9Y0
-----END PGP SIGNATURE-----
