Honeypots mailing list archives

RE: Moving forward with definition of honeypots


From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Tue, 20 May 2003 15:15:07 -0400

Honeypots are illusions you weave for the attacker. Though with that said,
I don't think that patching your honeypot to catch the information is
deceptive. All my *non*-honeypot systems employ similar patches[1] as a
security measure for that day I might get compromised. My high interaction
honeypots are physical systems running the real OS for the attacker to play
with. I haven't held a gun to his head or threatened to kill Ginger making
him compromise my box, so I don't know what I did to deceive him?


 Cheers,
 Alberto Gonzalez

[1] - These patches include having bash log commands to a non-default
      location, syslog patches, etc... Just in case I get compromised,
      most "common" trail hiding techniques will be defeated.



-----Original Message-----
From: Jeremy Bennett [mailto:jeremy_f_bennett () yahoo com] 
Sent: Tuesday, May 20, 2003 1:07 PM
To: Lance Spitzner; honeypots () securityfocus com
Subject: Re: Moving forward with definition of honeypots

Not sure I agree, Lance. To say you don't do anything "special" to lure
attackers to the honeynet is a bit dubious. You attempt to make your
honeypots look as much like real systems as possible. I would call that
using deception or artifice to ensnare your prey.
If I'm a duck hunter I make my decoy look as much like a duck as
possible. I don't try to make it look better than a duck. By making
your honeypots look more like real systems you are making your decoys
look like the things your prey seeks.

I understand the desire to move away from the "negative" words like
decoy and deception but the fact is that is exactly what we're doing
and there's nothing wrong with it. I believe decoy is absolutely the
correct term for the honeynet.

There is a question whether a low-interaction honeypot like honeyd
deployed as an early warning system qualifies as a decoy. In this case
it is more akin to a trip wire or doorway sensor than it is to a decoy.
However, even in this scenario, we are still attempting to make a
"machine" look as much like a real host as possible. Thus, still a
decoy or a lure. When honeyd logs activity it is just like the
fisherman's lure bobbing in the water. 

As they say "A rose by any other name..."

-J


