Honeypots mailing list archives

Re: logging facility


From: urbn () visi com
Date: Thu, 28 Aug 2003 17:26:59 -0500

What if someone compromised your honeypot, and then monitored any SSL traffic 
that was decrypted? Common sense would tell me to keep these logs (the 
decrypted SSL traffic) on a separate system, but then why even have your 
honeypot decrypt it first? Better off just sending the encrypted packets to the 
system that will be logging it anyways.

Or am I missing something here?

Quoting KeyFocus <support () keyfocus net>:

How can encrypted traffic be decrypted with a honeypot?

SSL is designed to prevent man in the middle attacks, which is why an IDS
cannot examine the traffic.

A honeypot is the end point of the SSL traffic so it decrypts it anyway.
All that's needed is a means to log it.

- Tom
www.keyfocus.net




