Honeypots mailing list archives

FW: Honeypots: Uses and Features


From: "Luc Somers" <luc () salesint be>
Date: Tue, 3 Jun 2003 17:23:23 +0200

Log as much as possible, production or not...
Divide the logs into important and non-important events.
Set it up so that it will only notify you of important events,
and if you want to dig deeper, more detailed logs are available too...

Easy enough, and it won't bother you with every pen-test that occurs.

Luc Somers (luc () salesint be)
Marketing Assistant
Website Programming & Maintenance

Sales International NV/SA
http://www.salesint.be


-----Original Message-----
From: Larissa Fricker [mailto:lft () netsec ch]
Sent: Tuesday, June 03, 2003 5:02 PM
To: honeypots () securityfocus com
Subject: Re: Honeypots: Uses and Features



How important is logging every connection attempt on every
(closed) port for a production honeypot?

Because it multiplies the number of 'irrelevant' security incidents
and as a result also considerably increases the number of alerts,
I feel that it might cause more bad than good in a production
honeypot, where a low rate of false alerts is paramount.

I realize that the situation is completely different for research setups.

What do you think?

   Lara

--------------------------------------------------------------------
 N E T S E C - Network Security Software
 Web: www.netsec.ch  -  Mail: info () netsec ch
 Munzingerstr. 17A - 3007 Bern - Switzerland
 Phone: +41 313760534 - Fax: +41 313760533
--------------------------------------------------------------------
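
The two-tier scheme suggested in the reply above (log everything, notify only on important events), as an added example that is not part of the original thread. The event kinds, the rule for what counts as important, and the sample events are assumptions constructed for illustration.

```python
import logging

# Assumption: an event is "important" once a peer actually talks to an emulated
# service; probes of closed ports are kept in the detailed log only.
IMPORTANT_KINDS = {"session", "login_attempt"}

class ImportantOnly(logging.Filter):
    """Passes only records whose 'kind' is in IMPORTANT_KINDS."""
    def filter(self, record):
        return getattr(record, "kind", None) in IMPORTANT_KINDS

class ListHandler(logging.Handler):
    """Collects formatted records in memory; stands in for a file or a pager."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def build_logger():
    log = logging.getLogger("honeypot.demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.handlers.clear()
    fmt = logging.Formatter("%(kind)s src=%(src)s dport=%(dport)s %(message)s")
    detail, alerts = ListHandler(), ListHandler()
    alerts.addFilter(ImportantOnly())      # only the alert channel is filtered
    for handler in (detail, alerts):
        handler.setFormatter(fmt)
        log.addHandler(handler)
    return log, detail, alerts

# Constructed sample events (documentation address ranges, not real traffic).
SAMPLE = [
    ("closed_port", "192.0.2.10", 135, "SYN to closed port"),
    ("closed_port", "192.0.2.10", 445, "SYN to closed port"),
    ("closed_port", "198.51.100.7", 1433, "SYN to closed port"),
    ("session", "198.51.100.7", 21, "connection established to emulated FTP"),
    ("login_attempt", "198.51.100.7", 21, "USER/PASS received"),
]

def run(events=SAMPLE):
    """Logs every event; returns (detailed log lines, alert lines)."""
    log, detail, alerts = build_logger()
    for kind, src, dport, msg in events:
        log.info(msg, extra={"kind": kind, "src": src, "dport": dport})
    return detail.lines, alerts.lines

if __name__ == "__main__":
    detail_lines, alert_lines = run()
    print(f"{len(detail_lines)} events logged, {len(alert_lines)} alerts")
```
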