Honeypots mailing list archives
Re: logging facility
From: Richard Stevens <mail () richardstevens de>
Date: Thu, 28 Aug 2003 05:58:49 +0200
Hi,

On Thursday 28 August 2003 02:19, Motayyam79 () aol com wrote:
> Fine, but an IDS can be deployed on a network that doesn't have any production traffic. What logging facilities does a honeypot use that make it stronger than normal systems?
Well, usually you wouldn't capture all traffic with your IDS, though of course some if not most can be configured to do that. Honeypots in a honeynet can be configured with keyloggers that send every keystroke on real or virtual terminals out into the network to be captured. Normal IDSes wouldn't see these.

Think of honeyd: it can for example be configured to capture worms or simulate a certain vulnerability. An IDS would only see the exploitation, but it would be hard to capture a worm without the simulation of a vulnerable service. Once you have the service, your IDS could capture the worm propagating itself. But then you have a honeypot providing the service and only use the IDS to capture the data.

I guess you can do most things that honeypots and honeynets can do with some kind of specially configured IDS. The suggested infrastructure for honeynets actually uses snort, an IDS, to do the capturing. What makes honeynets different from your normal IDS is the way the systems are configured and used. As soon as you start using an IDS to see all the things you see with a honeynet, the differences get blurry. You can then say, my IDS can do everything your honeypot/net can do. As an alternative you could say, I use my IDS the honeypot way, or my IDS is a honeypot/net.

This point of view actually goes along with the definition of honeypots/honeynets being resources whose value lies in being probed, attacked and compromised (I know, that's the old one). It never says it's different from an IDS or which technology should be used to get there. Therefore there is no contradiction in reaching the goals with creative usage of an IDS.

If you start thinking about IPSes, it gets even more blurry, since some of the IPSes that are around actually act like honeypots by giving out false answers to requests (honeytokens) and tracking the usage to block access.

Hope that helped a little to answer your question.
Regards,
Richard