Honeypots mailing list archives

Re: logging facility


From: Richard Stevens <mail () richardstevens de>
Date: Thu, 28 Aug 2003 05:58:49 +0200


Hi,

On Thursday 28 August 2003 02:19, Motayyam79 () aol com wrote:
Fine, but an IDS can be deployed on a network that doesn't have any
production traffic.
What logging facilities does a honeypot use that make it stronger
than normal systems?

Well, usually you wouldn't capture all traffic with your IDS, though of course
some, if not most, can be configured to do that. Honeypots in a Honeynet can be
configured with keyloggers that send every keystroke on real or virtual
terminals out into the network to be captured. Normal IDSes wouldn't see
these.
Think of honeyd: it can, for example, be configured to capture worms or simulate
a certain vulnerability. An IDS would only see the exploitation, but it would
be hard to capture a worm without the simulation of a vulnerable service.
Once you have the service, your IDS could capture the worm propagating
itself. But then you have a honeypot providing the service and only use the
IDS to capture the data.

I guess you can do most things that honeypots and honeynets can do with some 
kind of specially configured IDS. The suggested infrastructure for honeynets 
actually uses snort, an IDS, to do the capturing. What makes honeynets 
different from your normal IDS is the way the systems are configured and 
used. As soon as you start using an IDS to see all the things you see with a 
honeynet, differences get blurry. You can then say, my IDS can do everything 
your honeypot/net can do. As an alternative you could say, I use my IDS the 
honeypot way or my IDS is a honeypot/net. 

This point of view actually goes along with the definition of 
honeypots/honeynets being resources whose value lies in being probed,
attacked and compromised (I know, that's the old one). It never says it's 
different from an IDS or which technology should be used to get there. 
Therefore there is no contradiction in reaching the goals with creative usage 
of an IDS. 

If you start thinking about IPSes, it gets even more blurry since some of the
IPSes that are around actually act like honeypots by giving out false answers 
to requests (honeytokens) and tracking the usage to block access. 

Hope that helped a little to answer your question.

Regards,

Richard

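The distinction the post draws (an IDS reports the exploitation, a honeypot providing the service keeps the whole payload) as an added example; this is not code from the post, from honeyd or from snort. The banner, the port, the capture directory and the single IDS signature are constructed assumptions, and the service only acknowledges input so the peer keeps sending.

```python
import json
import socketserver
import time
from datetime import datetime, timezone
from pathlib import Path

CAPTURE_DIR = Path("captures")                         # assumed capture location
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"  # constructed banner
# Constructed signature: the kind of byte pattern an IDS rule fires on.
IDS_SIGNATURES = {"long-rcpt-arg": b"RCPT TO:<" + b"A" * 64}

def ids_view(payload):
    """What a signature-only sensor reports: rule names, not the payload."""
    return [name for name, sig in IDS_SIGNATURES.items() if sig in payload]

def honeypot_record(peer, payload, when=None):
    """What the honeypot keeps: the whole stream plus context, so whatever
    followed the trigger (the 'worm') can be pulled out later."""
    stamp = time.time() if when is None else when
    ts = datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()
    return {"peer": peer, "time": ts, "bytes": len(payload),
            "ids_alerts": ids_view(payload), "payload_hex": payload.hex()}

def save_record(record, directory=CAPTURE_DIR):
    """One JSON file per session; hex keeps binary payloads intact."""
    directory.mkdir(parents=True, exist_ok=True)
    out = directory / f"{record['time'].replace(':', '-')}_{record['peer']}.json"
    out.write_text(json.dumps(record, indent=2))
    return out

class FakeServiceHandler(socketserver.BaseRequestHandler):
    """Answers like a mail server, acknowledges everything, records everything."""
    def handle(self):
        self.request.sendall(FAKE_BANNER)
        self.request.settimeout(5)
        chunks = []
        try:
            while (data := self.request.recv(4096)):
                chunks.append(data)
                self.request.sendall(b"250 OK\r\n")   # keep the peer talking
        except OSError:                               # timeout or peer reset
            pass
        save_record(honeypot_record(self.client_address[0], b"".join(chunks)))

if __name__ == "__main__":
    # Bind only an isolated honeynet interface; loopback here for a local test.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), FakeServiceHandler) as srv:
        srv.serve_forever()
```

Feeding the same bytes to `ids_view` and `honeypot_record` shows the difference directly: the first returns a rule name, the second returns the session with the complete payload attached.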

