RE: Honeypots: Uses and Features

["Gonzalez, Albert" <albert.gonzalez () eds com>]

This is a method I employ when deploying Honeypots. Though
we also observe the intruders action. I am after steering
him away from my production environment, while at the same
time learning as much as possible from the intruder. Honeypots
shouldn't just be used to attempt to find new exploits. 
They can be used to see what new rootkits are out, what trojans
They are using, etc... Then when they set up shop,
they might start pulling down goodies. Some folks I talk with
are under the impression if what they used to compromise you
isn't *NEW* then there is no point, oh boy are they wrong. 

This is one of the main reasons the Bait N Switch[1] project exists, for
this very scenario. 

 Cheers,
 Alberto Gonzalez

[1] - http://www.violating.us/projects/baitnswitch 

> -----Original Message-----
> From: Lee Brotherston [mailto:lee () nerds org uk] 
> Sent: Tuesday, June 03, 2003 9:31 AM
> To: talisker () networkintrusion co uk
> Cc: Lance Spitzner; honeypots () securityfocus com
> Subject: Re: Honeypots: Uses and Features
>
>
> On Tue, Jun 03, 2003 at 10:04:55AM +0100, Andy Cuff [talisker] wrote:
> > From a production honeypot I'm looking for a heads up 
> similar to an IDS
> > of what an attackers intention might be, without impacting 
> my "real" network.
>
> I think this can be extended a little (unless this somehow warrents a
> category of its own).  I have seen people deploy honeypots not to
> learn or detect anything, but purely to lure the would be attacker
> away from the real network, with what would appear to be an easier
> target.  I'm not so sure this is the best use, but I figured it
> warrented mentioning none the less :)
>
> Thanks
>
>  Lee
>
> -- 
> Lee Brotherston - <lee () nerds org uk>
> Jar Jar Binks Makes The Ewoks Look Like Shaft