Honeypots mailing list archives

RE: Honeypot Definition - Almost There!


From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 23 May 2003 09:07:29 -0700

Marc Dacier wrote:

I'll be a little bit provocative ... no offense please, 
I'm trying to get things moving  :-}  

  I hope you'll accept this response in the same spirit.

For instance,  suppose that I install a honeypot behind my 
firewall where it should -hopefully- see nothing. I don't 
want to use that honeypot to monitor anything but, instead, 
to be a simplistic intrusion detection system. My policy 
states that, as soon as a single packet reaches the honeypot, 
my network must be disconnected from the internet because 
something is wrong with the firewall (ok, it's a silly 
example and a rather stupid reaction but bear with me :-) ).

Based on this "usage", is this "information system resource" 
a honeypot? I would tend to say yes but your definition 
leads me to believe that you would say no.

  If all you use the system for is a *tripwire*, I can only see
one value-add in calling it a "honeypot":  You may need to get 
funding approval from someone whose whole knowledge of honeypots 
is that "they're the latest cool security technology".  That's 
a purely local problem, not something the rest of the
world has to cope with....

  Based on your usage above, I'd say that the definition you're
really suggesting is something like

  A honeypot is an information resource that incorporates 
  elements whose creators intended them to be used as part
  of something called a "honeypot", regardless of how that
  resource is actually used in any particular instance.

A functional definition can only really be based on one or both
of two criteria:

  (a) what it does

  (b) what we do with it

If you cut away those supports, then it just means what the speaker
chooses it to mean at any given moment.

David Gillett


