Re: logging facility

[Floydman <floydman () iquebec com>]

At 04:42 AM 28/08/2003, KeyFocus wrote:

> > Fine, but an IDS can be deployed on a network that doesn't have any
> > production traffic.
>
> By exposing vulnerabilities a honeypot will generate a lot more interesting
> traffic than the basic scans you would get with this set up.
>
> > What logging facilities does a honeypot use that makes it more stronger
> than
> > normal systems?
> >
>
> An IDS that logs everything is as strong as you can get in terms of the data
> captured.
>
> However there a number of additional benefits a honeypot can bring such as:
>
>     Fragmentation attacks can be easily combined into their correct
> sequence.
>     Multiple packets that make up a session can be combined and logged
> together making it much easier to analyse than dozens of separate packets
> scattered accross an IDS log.
>     Encrypted traffic such as that to an SSL web server can be decrypted and
> logged.
>
> - Tom
> www.keyfocus.net

All true, but then again, this is all possible because you don't have to 
filter the "good" traffic out of the "bad" traffic.  Since all the traffic 
is bad, you can capture it all and then perform advanced analysis on it, 
which would be harder to achieve with the same accuracy on a prod network.

My 2 cents

Floydman