Honeypots mailing list archives
Re: logging facility
From: urbn () visi com
Date: Thu, 28 Aug 2003 17:26:59 -0500
What if someone compromised your honeypot, and then monitored any SSL traffic that was decrypted? Common sense would tell me to keep these logs (the decrypted SSL traffic) on a separate system, but then why even have your honeypot decrypt it first? Better off just sending the encrypted packets to the system that will be logging it anyways. Or am I missing something here?

Quoting KeyFocus <support () keyfocus net>:
How can encrypted traffic be decrypted with a honeypot? SSL is designed to prevent man in the middle attacks, which is why an IDS cannot examine the traffic. A honeypot is the end point of the SSL traffic so it decrypts it anyway. All that's needed is a means to log it.
- Tom www.keyfocus.net