Honeypots mailing list archives

Re: Honeypot Defintion - Almost There!


From: Marc Dacier <marc.dacier () eurecom fr>
Date: Fri, 23 May 2003 17:05:30 +0200

Lance,
let me follow up on Volker's remark and also on what Fabien and Dave wrote a few days ago.

I'll be a little bit provocative ... no offense please, I'm trying to get things moving :-}

At 09:30 23/05/2003 -0500, you wrote:
> Okay folks, attempting to define what a honeypot is has
> been extremely interesting (and challenging).
> [...]
> Based on the feedback we have gotten over the past week,
> it looks like Option B was the preferred option.  That
> definition is as follows.
>
>    "A honeypot is an information system resource whose
>     value lies in monitoring unauthorized or illicit use
>     of that resource"


if I say
"the definition of a honeypot is a sentence whose value lies
in getting a consensus in the honeypots mailing list",

I'm sure that you will agree with me that this is certainly not a good definition of the "definition of a honeypot".

Similarly, you should agree that your sentence cannot be taken as a definition of a honeypot.

Instead, it is a good sentence to let people understand
*what we do with honeypots*, *why we need honeypots*, *why they should pay for honeypots*,
but not
*what honeypots are*.

In other words, this is a definition of honeypots usage, not of honeypots per se.

As long as we keep focusing on the usage, we will have an endless debate since every new usage could lead to a new definition.

For instance, suppose that I install a honeypot behind my firewall where it should -hopefully- see nothing. I don't want to use that honeypot to monitor anything but, instead, to be a simplistic intrusion detection system. My policy states that, as soon as a single packet reaches the honeypot, my network must be disconnected from the internet because something is wrong with the firewall (ok, it's a silly example and a rather stupid reaction but bear with me :-) ).

Based on this "usage", is this "information system resource" a honeypot? I would tend to say yes but your definition leads me to believe that you would say no.

Can't we come up with a definition that does not take the usage into account at all?

> Since this is the preferred option of the two, this is
> what we will go with.

Mmmmm ... the least worst of the two 'definitions' does not make a good one :-)

Reactions, remarks?

Cheers,
Marc



