Honeypots mailing list archives

Re: logging facility


From: George Washington Dunlap III <dunlapg () umich edu>
Date: Wed, 27 Aug 2003 14:40:15 -0400 (EDT)

On Wed, 27 Aug 2003 Valdis.Kletnieks () vt edu wrote:

> On Wed, 27 Aug 2003 13:36:34 EDT, Motayyam79 () aol com  said:
> 
> > what makes the logging capability on honeypots far stronger than normal 
> > systems like IDS?
> 
> First off, I'm not at all convinced that the logging capability *itself* is any stronger.
> If it was, the IDS could just use the stronger capability itself.

Also, the fact that there's less traffic at all to log, means that you can 
more feasibly record more things.  For instance, it may be infeasible / 
undesirable to log all tty input and all shell commands on a real system 
-- either because there's just too much or it wouldn't be useful anyway, 
or because the employees don't like the "Big Brother" aspect of having 
everything they do logged.  But on a honeypot, there should be a lot less 
traffic, a little extra overhead is perfectly acceptable, and you are 
explicitly trying to be a "Big Brother".

Plus, if you implement your honeypot in some kind of jail, such as UML or
VMware, you can have a semi-host-based IDS logging outside the honeypot;  
there it's more secure than if it were inside.

 -George

-- 
+-------------------+----------------------------------------
| dunlapg () umich edu | http://www-personal.umich.edu/~dunlapg 
+-------------------+----------------------------------------
| ...there be many, many ancient systems in the world, and it 
| is the decree of the dreaded god Murphy that thy next 
| employment just might be on one.  While thou sleepest, he 
| plotteth against thee.  Awake and take care.
|   - Henry Spencer, "The Ten Commandments for C Programmers"
+------------------------------------------------------------
| Outlaw Junk Email! Support HR 1748 (www.cauce.org)
