Honeypots mailing list archives

Re: Introducing the Tactical Honeynet Deployment Project


From: Damian Menscher <menscher () uiuc edu>
Date: Mon, 1 Sep 2003 12:07:56 -0500 (CDT)

On Mon, 1 Sep 2003 Valdis.Kletnieks () vt edu wrote:
> On Mon, 01 Sep 2003 08:00:12 PDT, Greg Tracy <greg () sixx com> said:
> 
> > And a good honeypot should look like a production server to pull them
> > away from the true targets, right? I would think that df and ps should
> > turn up exactly what would look right for the machine it's supposed to
> > be. Or am I way off base?
> 
> One quick 'df' tells me if I'm on our production Oracle server or our
> test Oracle server, because the test server has only one terabyte of
> disk on it. Similarly for 'ps'...
> 
> It's incredibly time-intensive to make a simulation that really holds
> up - you need to nail 'df' and 'ps'.  You need to fix 'ls'.  Oh, and
> remember 'find'. And 'cd'. And.....
> 
> And the worst part is that if you *do* have a honeypot that simulates
> all this, the instant the black hat spots an inconsistency, he *knows*
> it's a honeypot - and his best bet at that point is to drop a
> thermonuclear device and split.

It's probably worth pointing out that this is quite similar to the
role-reversed situation: a sysadmin checking his box to see if it has
been hacked.  You usually get clued in because of something strange in
ps, like a missing process.  Or because find turns up a file that ls
can't see.  The instant you find something like that, the network cable
comes out.

There's a closer connection between honeypots and rootkits than most
people realize....

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher () uiuc edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
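The "missing process in ps" check from the reply above, as an added example that is not part of the original thread: ps enumerates /proc with readdir(), so a process a rootkit filters out of that listing is often still reachable by a direct stat() of /proc/<pid>. Comparing the two views surfaces the inconsistency; the fake_proc() helper only builds a constructed directory for offline demonstration.

```python
import os
import tempfile

def listed_pids(proc="/proc"):
    """PIDs visible through readdir() on /proc, i.e. what ps sees."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probed_pids(max_pid, proc="/proc"):
    """PIDs reachable by a direct path lookup, which bypasses readdir()."""
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc, str(pid)))}

def hidden_pids(listed, probed):
    """PIDs that answer to a path lookup but are absent from the listing."""
    return sorted(probed - listed)

def scan(proc="/proc", max_pid=None, rounds=2):
    """Cross-check both views; a PID is reported only if it is hidden in
    every round, which filters out processes that exited between views."""
    if max_pid is None:
        try:
            with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768  # conservative default if pid_max is unreadable
    suspects = None
    for _ in range(rounds):
        found = set(hidden_pids(listed_pids(proc), probed_pids(max_pid, proc)))
        suspects = found if suspects is None else suspects & found
    return sorted(suspects)

def fake_proc(pids):
    """Constructed stand-in for /proc (demo only): one directory per PID."""
    root = tempfile.mkdtemp()
    for name in [str(p) for p in pids] + ["self", "sys"]:
        os.mkdir(os.path.join(root, name))
    return root

if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} is reachable in /proc but missing from its listing")
```

A hidden PID here means the box is suspect, not the detector; like the find-versus-ls case, the discrepancy itself is the signal.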
