Honeypots mailing list archives
Re: Introducing the Tactical Honeynet Deployment Project
From: Damian Menscher <menscher () uiuc edu>
Date: Mon, 1 Sep 2003 12:07:56 -0500 (CDT)
On Mon, 1 Sep 2003 Valdis.Kletnieks () vt edu wrote:
> On Mon, 01 Sep 2003 08:00:12 PDT, Greg Tracy <greg () sixx com> said:
> > And a good honeypot should look like a production server to pull them away from the true targets, right? I would think that df and ps should turn up exactly what would look right for the machine it's supposed to be. Or am I way off base?
>
> One quick 'df' tells me if I'm on our production Oracle server or our test Oracle server, because the test server has only one terabyte of disk on it. Similarly for 'ps'...
>
> It's incredibly time-intensive to make a simulation that really holds up - you need to nail 'df' and 'ps'. You need to fix 'ls'. Oh, and remember 'find'. And 'cd'. And.....
>
> And the worst part is that if you *do* have a honeypot that simulates all this, the instant the black hat spots an inconsistency, he *knows* it's a honeypot - and his best bet at that point is to drop a thermonuclear device and split.
It's probably worth pointing out that this is quite similar to the role-reversed situation: a sysadmin checking his box to see if it has been hacked. You usually get clued in because of something strange in ps, like a missing process. Or because find turns up a file that ls can't see. The instant you find something like that, the network cable comes out.

There's a closer connection between honeypots and rootkits than most people realize....

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher () uiuc edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
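The two cross-checks the reply describes (find versus ls, /proc versus ps), as an added example that is not part of the thread or any poster's code. The functions hidden_entries, hidden_pids, trojaned_ls and demo are hypothetical names; trojaned_ls is a constructed stand-in for a tampered ls that drops names beginning with .rk, and hidden_pids assumes a Linux /proc.

```shell
#!/bin/sh
# Added example (not from the thread): compare what two independent tools
# report. A trojaned ls or ps hides entries; an untouched find, or the
# kernel's own /proc, still shows them. Anything in the second list that
# is missing from the first is the "strange" sign the post talks about.

# hidden_entries DIR [LS]: names find sees directly under DIR that
# `LS -A` (default: the real ls) does not report.
hidden_entries() {
    dir=$1
    ls_cmd=${2:-ls}
    ls_out=$("$ls_cmd" -A1 -- "$dir")
    find "$dir" -mindepth 1 -maxdepth 1 | sed 's#.*/##' |
    while IFS= read -r name; do
        printf '%s\n' "$ls_out" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# hidden_pids [PS]: PIDs present in /proc that `PS -e` (default: ps) omits.
# Processes that start or exit between the two scans also show up, so a hit
# is worth a second run before it is treated as a hidden process.
hidden_pids() {
    ps_cmd=${1:-ps}
    ps_out=$("$ps_cmd" -e -o pid= | tr -d ' ')
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        printf '%s\n' "$ps_out" | grep -qx -- "$pid" || printf '%s\n' "$pid"
    done
}

# Constructed stand-in for a tampered ls: it filters out anything that
# starts with ".rk", which is how a rootkit's files typically get hidden.
trojaned_ls() { command ls "$@" | grep -v '^\.rk' || true; }

# demo [LS]: build a throwaway directory (constructed sample data) holding
# one rootkit-style dotfile, then run the cross-check with the given ls.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/index.html"; : > "$tmp/.bashrc"; : > "$tmp/.rk_hidden"
    hidden_entries "$tmp" "${1:-ls}"
    rm -rf "$tmp"
}

demo trojaned_ls   # the real ls would print nothing; the stand-in leaks .rk_hidden
```

Pointing hidden_entries at a suspect binary's full path works the same way as the stand-in; the real tool just has to be the one doing the second listing.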