Honeypots mailing list archives

An Idea for Discussion for HoneyView


From: Karl Hable <develop () kh-soft de>
Date: 1 May 2003 12:52:39 -0000



I found one lack when analyzing the data captured from
honeyd. You won't really get an idea who may be the same
person who visited you. It's not possible to decide
this because providers normally give IP addresses from a
pool to their dial-in users. These IP pools often span
more class-C nets, so it's often in the dark who comes
from the same origin.

So ... you always do the same ... traceroute the IP and
look where he comes from ... but 5 min later you won't
remember.

So ... I got the idea to let a cron job traceroute all
new IP addresses and store the routing information also
in HoneyView's database.
Now you would also be able to query your visitors by the
rule -> list me all guys coming over router
aaa.bbb.ccc.ddd

Now you definitely see all guys coming from the same
dial-in point,

and you'll see all IP addresses a certain dial-in point
has in its bag (after a certain amount of time).

In a production environment this will give you the
information for defining filter rules for your firewalls,
i.e. which IPs you probably block completely.

I'm interested in what you think of this suggestion.

Karl Hable
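The cron-job idea above, as an added example that is not code from the post or from HoneyView: it parses Linux traceroute output for each visitor, stores the hops in SQLite, and answers the two queries Karl describes (everyone who came over a given router, and everyone sitting behind the same router just before the dial-in address). The traceroute text uses constructed documentation addresses, and the function and table names are my own assumptions.

```python
import re
import sqlite3

# Matches one hop line of Linux traceroute output: "N host (ip) ..." or "N * * *".
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\(([\d.]+)\)|\*)")

# Constructed traceroute output (documentation address ranges), not real captures.
SAMPLE_TRACES = {
    "198.51.100.23": """ 1  core1.isp.example (203.0.113.9)  8.1 ms  8.0 ms  7.9 ms
 2  * * *
 3  dialin7.isp.example (203.0.113.77)  19.2 ms  19.0 ms  18.8 ms
 4  198.51.100.23 (198.51.100.23)  25.5 ms  25.1 ms  24.9 ms
""",
    "198.51.100.41": """ 1  core1.isp.example (203.0.113.9)  8.2 ms  8.0 ms  8.0 ms
 2  dialin7.isp.example (203.0.113.77)  19.1 ms  19.0 ms  18.9 ms
 3  198.51.100.41 (198.51.100.41)  26.0 ms  25.8 ms  25.7 ms
""",
    "198.51.100.200": """ 1  core2.isp.example (203.0.113.12)  9.0 ms  8.9 ms  8.9 ms
 2  dialin3.isp.example (203.0.113.130)  21.0 ms  20.8 ms  20.7 ms
 3  198.51.100.200 (198.51.100.200)  28.3 ms  28.1 ms  28.0 ms
""",
}

def parse_traceroute(text):
    """Hop IPs in order; an unanswered '* * *' hop is recorded as None."""
    return [m.group(2) for m in map(HOP_RE.match, text.splitlines()) if m]

def store_route(conn, visitor, hops):
    conn.execute("CREATE TABLE IF NOT EXISTS route (visitor TEXT, hop INTEGER, router TEXT)")
    conn.executemany("INSERT INTO route VALUES (?, ?, ?)",
                     [(visitor, n, r) for n, r in enumerate(hops, start=1)])

def visitors_via_router(conn, router):
    """The query from the post: every visitor whose path passed through router."""
    rows = conn.execute("SELECT DISTINCT visitor FROM route WHERE router = ? ORDER BY visitor", (router,))
    return [r[0] for r in rows]

def visitors_behind_dialin(conn, router):
    """Visitors whose completed trace ends right after router, i.e. the same dial-in point.
    Traces that never reached the visitor are skipped, so a hop limit cannot mislabel a router."""
    sql = """SELECT r.visitor FROM route r JOIN route last ON last.visitor = r.visitor
             WHERE r.router = ? AND last.router = last.visitor AND r.hop = last.hop - 1
               AND last.hop = (SELECT MAX(hop) FROM route WHERE visitor = r.visitor)
             ORDER BY r.visitor"""
    return [r[0] for r in conn.execute(sql, (router,))]

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    for visitor, text in SAMPLE_TRACES.items():
        store_route(conn, visitor, parse_traceroute(text))
    return conn
```

Call `build_sample_db()` and then `visitors_behind_dialin(conn, "203.0.113.77")` to get the two visitors that share dialin7; a real cron job would replace `SAMPLE_TRACES` with the output of `traceroute` for each new address in the honeyd log.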

