Honeypots mailing list archives
An Idea for Discussion for HoneyView
From: Karl Hable <develop () kh-soft de>
Date: 1 May 2003 12:52:39 -0000
I found one thing lacking when analyzing the data captured from honeyd. You don't really get an idea of who may be the same person who visited you. It's not possible to decide this because providers normally give IP addresses from a pool to their dial-in users. These IP pools often span several class C nets, so it's often in the dark who comes from the same origin.

So ... you always do the same ... traceroute the IP and look where he comes from ... but 5 min later you won't remember.

So ... I got the idea to let a cron job traceroute all new IP addresses and store the routing information in HoneyView's database as well.

Now you would also be able to query your visitors by the rule -> list me all guys coming over router aaa.bbb.ccc.ddd

Now you definitely see all guys coming from the same dial-in point, and you'll see all IP addresses a certain dial-in point has in its bag (after a certain amount of time).

In a production environment this will give you the information for defining filter rules for your firewalls: which IPs you probably block completely.

I'm interested in what you think of this suggestion.

Karl Hable
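An added illustration of the idea in the message above (not part of the original post and not HoneyView code): traceroute output per visitor is parsed into hops, stored in a table, and queried by router. The schema, function names and the sample traces (documentation address ranges) are assumptions constructed for this sketch; a real cron job would feed in live `traceroute -n` output.

```python
import re
import sqlite3

# Constructed `traceroute -n` output, keyed by visitor IP (documentation ranges).
SAMPLE_TRACES = {
    "198.51.100.23": " 1  10.0.0.1  1.0 ms\n 2  192.0.2.9  8.1 ms\n 3  * * *\n"
                     " 4  192.0.2.77  20.4 ms\n 5  198.51.100.23  31.0 ms\n",
    "203.0.113.140": " 1  10.0.0.1  1.1 ms\n 2  192.0.2.9  8.3 ms\n"
                     " 3  192.0.2.77  19.8 ms\n 4  203.0.113.140  29.5 ms\n",
    "203.0.113.5":   " 1  10.0.0.1  0.9 ms\n 2  192.0.2.9  8.0 ms\n"
                     " 3  192.0.2.99  15.2 ms\n 4  203.0.113.5  22.7 ms\n",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s")

def parse_hops(text):
    """Return [(ttl, router_ip)] for hops that answered; '* * *' lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops

def build_db(traces):
    """Store every intermediate hop per visitor (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hops (visitor TEXT, ttl INTEGER, router TEXT)")
    for visitor, text in traces.items():
        # The final hop is the visitor itself, so it is not stored as a router.
        rows = [(visitor, ttl, ip) for ttl, ip in parse_hops(text) if ip != visitor]
        conn.executemany("INSERT INTO hops VALUES (?, ?, ?)", rows)
    return conn

def visitors_via(conn, router):
    """The query from the post: list all visitors coming over a given router."""
    cur = conn.execute(
        "SELECT DISTINCT visitor FROM hops WHERE router = ? ORDER BY visitor", (router,))
    return [r[0] for r in cur]

def last_router(conn, visitor):
    """Last answering hop before the visitor: the likely dial-in point."""
    cur = conn.execute(
        "SELECT router FROM hops WHERE visitor = ? ORDER BY ttl DESC LIMIT 1", (visitor,))
    row = cur.fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db(SAMPLE_TRACES)
    print(visitors_via(db, "192.0.2.77"))
```

In the sample, two visitors from different class C nets share the router 192.0.2.77, which is the grouping a plain source-address view would miss.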