Honeypots mailing list archives

Re: logging facility


From: "KeyFocus" <support () keyfocus net>
Date: Thu, 28 Aug 2003 09:42:24 +0100

Fine, but an IDS can be deployed on a network that doesn't have any
production traffic.

By exposing vulnerabilities a honeypot will generate a lot more interesting
traffic than the basic scans you would get with this set up.

What logging facilities does a honeypot use that makes it stronger than
normal systems?


An IDS that logs everything is as strong as you can get in terms of the data
captured.

However, there are a number of additional benefits a honeypot can bring, such as:

    Fragmentation attacks can be easily combined into their correct sequence.
    Multiple packets that make up a session can be combined and logged together, making it much easier to analyse than dozens of separate packets scattered across an IDS log.
    Encrypted traffic such as that to an SSL web server can be decrypted and logged.

- Tom
www.keyfocus.net
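
The session-level logging described in the message above, as an added example that is not part of the original post or of any KeyFocus product: per-packet records of the kind an IDS log holds are grouped by connection and rebuilt into one entry per session. The record layout, addresses and payloads are constructed, and sequence-number wraparound is ignored as a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample: (src, sport, dst, dport, tcp_seq, payload) per packet.
# Two sessions are interleaved; one segment arrives out of order and one
# is retransmitted, as they would appear scattered across a packet log.
PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.9", 80, 1000, b"GET /inde"),
    ("10.0.0.7", 40777, "10.0.0.9", 21, 500, b"USER anonymous\r\n"),
    ("10.0.0.5", 40001, "10.0.0.9", 80, 1018, b"TP/1.0\r\n\r\n"),
    ("10.0.0.5", 40001, "10.0.0.9", 80, 1009, b"x.html HT"),
    ("10.0.0.7", 40777, "10.0.0.9", 21, 516, b"PASS guest\r\n"),
    ("10.0.0.5", 40001, "10.0.0.9", 80, 1009, b"x.html HT"),  # retransmit
]


def reassemble_sessions(packets):
    """Return {flow 4-tuple: reassembled byte stream}, one entry per session."""
    by_flow = defaultdict(list)
    for src, sport, dst, dport, seq, payload in packets:
        by_flow[(src, sport, dst, dport)].append((seq, payload))

    sessions = {}
    for flow, segments in by_flow.items():
        segments.sort(key=lambda s: s[0])      # restore sequence order
        stream = bytearray()
        next_seq = segments[0][0]
        for seq, payload in segments:
            if seq > next_seq:
                # A segment was never captured: record the hole, do not hide it.
                stream += b"[gap %d bytes]" % (seq - next_seq)
                next_seq = seq
            skip = next_seq - seq              # bytes already logged
            if skip < len(payload):            # drop retransmits, trim overlap
                stream += payload[skip:]
                next_seq = seq + len(payload)
        sessions[flow] = bytes(stream)
    return sessions


if __name__ == "__main__":
    for flow, data in reassemble_sessions(PACKETS).items():
        print("%s:%d -> %s:%d  %r" % (*flow, data))
```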

