Honeypots mailing list archives
HoneyPot Definition gone wild
From: FRITZ Michael <Michael.FRITZ () nextiraone at>
Date: Mon, 26 May 2003 10:07:04 +0200
Hi Guys & Girls, we´re now coming close to the 100 statements. As we all see - it´s not easy defining a valuable statement. Just a small suggestion: Honeypots are evolving technology Every honeypot is different Honeypots are used for different purposes Based on one´s purpose a honeypot is & will be different for everyone So why are we trying to define something in one or two sentences which can´t be narrowed done so closely, dependend on what purpose somebody is following. gruesse Michi -----Ursprüngliche Nachricht----- Von: Kohlenberg, Toby [mailto:toby.kohlenberg () intel com] Gesendet: Montag, 26. Mai 2003 01:48 An: cta () hcsin net; honeypots () securityfocus com Cc: Lance Spitzner Betreff: RE: Honeypot Defintion - over thinking it. I've seen a number of interesting suggestions and lots of good thoughts but I keep seeing definitions that seem overly complex. Here's my reasoning- you can use a honeypot for lots of things- research, intrusion detection, entertainment (the honeypot drinking game? every time your attacker tries a DOS command on a unix system you have to drink! ), whatever. The question isn't what you're using it for. The question is, how is a honeypot different from any other system on the network? For instance, the definition that has been offered up recently: "A honeypot is an information system resource who's value lies in monitoring unauthorized or illicit use of that resource" is a good start but it doesn't get to the heart of the matter. Any system may have value in monitoring it for unauthorized or illicit activity. The key distinction about a honeypot is that there is _no_ legitimate reason for someone to be on it. Therefore, I submit this definition: "A honeypot is a system or dataset for which there is no legitimate reason for someone to interact with it and therefore _all_ use can be considered unauthorized." I think it really is that simple. What do y'all think? toby
-----Original Message----- From: Bernie, CTA [mailto:cta () hcsin net] Sent: Saturday, May 24, 2003 7:33 AM To: honeypots () securityfocus com Cc: Lance Spitzner Subject: Re: Honeypot Defintion - Almost There, or a new path? I feel Marc's perspective has merit. After pondering the definitions presented thus far, and while considering a simple technical definition of a Computer, i.e., "A device that receives, stores, processes, and presents data in response to commands", I suggest this definition: Honeypot: "An automated computer system for detecting erroneous, unauthorized or illicit use of system resources." As an old embedded system engineer, I decided to include the word "automated" as to infer the implicit use of 5 basic functions of automation: 1. Collection of Information 2. Communication of Information (man-machine, machine- machine) 3. Computation of Information (data logging and data processing) 4. Control of Operations (both human and machine) 5. The logical coordination among the preceding four functions I use the word "detecting" to move away from the user application and *legal* usage, which may include "monitoring". I included the word "erroneous" to express that honeypots may also detect incidents which are not specifically unauthorized or illicit. For example, we deploy a honeypot as a security safeguard - When a legitimat User attempts to login to their website. However, after failing to correctly enter their password more than X times, the User triggers the security safeguard and is automatically redirected to the honeypot to detect if the incident is an erroneous action, unauthorized or illicit. I have used honeypots in this topology for some time and have foud the resource significantly beneficial in design, debug and enhancement of a systems functional utility as well as the user interface of web-based applications. Thoughts? On 23 May 2003, at 17:05, Marc Dacier wrote:Based on this "usage", is this "information system resource" a honeypot ? I would tend to say yes but your definition leads me to believe that you would say no. Can't we come up with a definition that does not take the usage into account at all ?Since this is the preferred option of the two, this is what we will go with.Mmmmm ... the least worst of the two 'definitions' does not make a good one :-) Reactions, remarks ? Cheers, MarcOn 23 May 2003, at 9:30, Lance Spitzner wrote: <snip> "A honeypot is an information system resource who's value lies in monitoring unauthorized or illicit use of that resource" "A honeypot is an information system resource who's value lies in unauthorized or illicit use of that resource" <snip> - - **************************************************** Bernie Chief Technology Architect Chief Security Officer cta () hcsin net Euclidean Systems, Inc. ******************************************************* // "There is no expedient to which a man will not go // to avoid the pure labor of honest thinking." // Honest thought, the real business capital. // Observe> Think> Plan> Think> Do> Think> *******************************************************
Current thread:
- HoneyPot Definition gone wild FRITZ Michael (May 26)