Honeypots mailing list archives

Re: Introducing the Tactical Honeynet Deployment Project


From: "Tom Britten" <tomb () antenseven net>
Date: Tue, 2 Sep 2003 12:14:02 -0400

Gangadhar Npk wrote:
> To make the honeypot more of a tactical resource, would the
> possibility of *learning* from an actual system be feasible?
> It may be that this idea might not fall under the purview of honeynets
> per se, but I wanted to know if such a modelling would be possible at all.

    Yes, such training and learning is possible. My company has been working
on a product for security that does learning/training and protection of
systems.  Take a look at www.cylant.com and read the white papers to get an
understanding.  I was talking to my boss about using our systems in
honeynets/honeypots.  This will allow learning and control.  Some really great
advantages there.


Chris Benton wrote:
> 2) Virtual systems
> I'm really big on setting up Honeypots as virtual systems. VMware is OK,
> but User Mode Linux (UML) totally rocks. Jeff Dike has gone to great
> lengths to make a UML system look like a legit Linux box so it's hard for
> the perp to figure out they've been sandboxed. One of the things I love
> about this solution is that you control the host system, not the perp,
> so you end up having the upper hand in the whole thing. This makes it
> much easier for someone who is not a guru to set up a honeypot and keep
> control over someone that may know more than they do.

    This is a wonderful idea for a number of things, not just control of
your honeypot.  One of the pieces that Gangadhar mentioned was about
activity.  How about using your other honeypots to help create traffic and
activity?  You have the ability in either UML or VMware to run multiple
machines on one physical box.
    Don't forget to not only create servers as honeypots, but simply clients
as well, for sometimes they are the only uncontrolled factor that can be
used by a blackhat to wedge themselves in.  Let's say you have a decent box
sitting there: run a number of client honeypots and use those to create
traffic and activity on your other honeypots.  This also makes the server
look all the more real.
    Have the design make sense, i.e. don't have clients in your DMZ if that
is where your honeypot is located, for that will flag it as odd and it will
be ignored.  I think you know what I mean. ^_^

Tom Britten
Sr. Systems Engineer
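A worked illustration of the client-honeypot idea in the post above, added here as an example; it is not code from the post, the list, or any product mentioned in the thread. It gives a few client honeypots a plausible daytime schedule of sessions against the server honeypots, so the servers carry ordinary-looking traffic instead of sitting silent, and can replay that schedule over the wire. The hostnames, addresses, ports, probes and working hours are assumptions for a lab network.

```python
"""Client-honeypot activity generator (added example, not from the post).

Plans a day of client sessions against server honeypots so the servers see
normal-looking traffic, then optionally executes the plan. Every name,
address, port and time window below is an assumption for a lab network.
"""
import random
import socket
from dataclasses import dataclass
from datetime import date, datetime, timedelta, time

# Constructed inventory (assumption): three client honeypots on the internal
# segment, three server honeypots on the DMZ segment. Clients stay out of
# the DMZ, matching the topology advice in the post.
CLIENTS = ["ws-01", "ws-02", "ws-03"]
SERVERS = {
    "web-hp": ("10.0.50.10", [80]),
    "mail-hp": ("10.0.50.20", [25, 110]),
    "ssh-hp": ("10.0.50.30", [22]),
}
# What a client says once connected; for SSH it only reads the server banner.
PROBES = {
    80: b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n",
    25: b"EHLO ws.lab.example\r\nQUIT\r\n",
    110: b"QUIT\r\n",
    22: b"",
}
WORKDAY = (time(8, 0), time(18, 0))  # assumed office hours for the clients


@dataclass(frozen=True)
class Session:
    start: datetime
    client: str
    server: str
    port: int


def plan_day(day, clients, servers, sessions_per_client=12, workday=WORKDAY, seed=None):
    """Return the day's sessions, sorted by start time.

    Start times are drawn uniformly inside working hours so the traffic has a
    daytime profile. Each client gets a "favourite" server it talks to about
    half the time, which looks more like a real user than uniform noise.
    A fixed seed makes the plan reproducible: review it first, then run it.
    """
    rng = random.Random(seed)
    day_start = datetime.combine(day, workday[0])
    span = int((datetime.combine(day, workday[1]) - day_start).total_seconds())
    names = list(servers)
    plan = []
    for client in clients:
        favourite = rng.choice(names)
        for _ in range(sessions_per_client):
            server = favourite if rng.random() < 0.5 else rng.choice(names)
            port = rng.choice(servers[server][1])
            plan.append(Session(day_start + timedelta(seconds=rng.randrange(span)),
                                client, server, port))
    return sorted(plan, key=lambda s: s.start)


def run_session(session, servers, timeout=5.0):
    """Execute one session: connect, send the probe, return the first reply
    (bytes) or None if the server did not answer. Network errors are
    swallowed because one honeypot being down must not stop the schedule."""
    host, _ = servers[session.server]
    probe = PROBES[session.port]
    if b"%s" in probe:
        probe = probe % host.encode()
    try:
        with socket.create_connection((host, session.port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            return s.recv(1024)
    except OSError:
        return None


def demo_plan(seed=1):
    """Plan a short day for the constructed inventory (dry run, no network)."""
    return plan_day(date(2003, 9, 2), CLIENTS, SERVERS, sessions_per_client=5, seed=seed)


if __name__ == "__main__":
    # Print the schedule; to actually generate traffic, sleep until each
    # s.start and call run_session(s, SERVERS) from the named client.
    for s in demo_plan():
        print(f"{s.start:%H:%M:%S} {s.client:>5} -> {s.server}:{s.port}")
```

The planning step is deliberately separated from execution: the schedule can be inspected (or logged next to the honeynet's own capture) before any packets are sent, so genuine attacker activity can later be told apart from the traffic you generated yourself.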


Current thread: