Honeypots mailing list archives
Re: logging facility
From: "Peter Bates" <Peter.Bates () lshtm ac uk>
Date: Thu, 28 Aug 2003 11:03:52 +0100
Hello all...
<Motayyam79 () aol com> 28/08/03 01:19:09 >>>
Fine, but an IDS can be deployed on a network that doesn't have any production traffic. What logging facilities does a honeypot use that makes it stronger than normal systems?

As others have mentioned, part of the 'unique selling points' of honeypots is that you can monitor down to the system level itself, possibly using things like UML/VMware, or solutions like Sebek. An IDS, even on a network with no production traffic (and hence a reduction in the amount of 'traffic' you have to analyze) will still not necessarily capture keystrokes from a compromised SSH server, or IRC over SSL... you'll see 'traffic', but not get the added benefit of being able to potentially see things from the 'outside in'.

...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone: 0207-958 8353 / Fax: 0207-636 9838