Honeypots mailing list archives
Usefulness of low-interaction honeypots.
From: Kostas K <acezerocool () yahoo com>
Date: 5 Sep 2003 12:20:08 -0000
Hi list,

I am currently working on a project. The project is divided into three parts/experiments:

- Deployment of a low-interaction honeypot
- Deployment of a high-interaction honeypot
- Deployment of a honeynet

Most of you know the pros and cons of low-interaction honeypots. I have finished with the first one and I have reached some conclusions. Low risk, "low" results. Meaning that low-interaction honeypots are in a way useless. The reason for saying that is that even if you are attacked, you can't harvest enough data in order to understand their 'modus operandi' (style of work, type of attack, etc.). Maybe you get attackers' IP addresses, but this is never enough, thus it's useless too, because: Did it harm your system? "No, how could it? It's a fake service, it's a fake O/S, etc." seems to be a reasonable answer!!! Since, how can you accuse someone who did not harm your system?

From a homemade low-interaction honeypot to a commercial one, it is difficult to harvest enough, hence there is a high possibility of being exposed to the attacker. In case the attacker is aware of TCP/IP signatures and can work with Snort or tcpdump, then he/she will probably realise what's behind the scenes. It's really what they say, 'sit back and relax' while you are under attack; however, there is nothing much you can do. This is the real problem with low-interaction honeypots.

As soon as I finish with the second experiment I will post my opinion for those as well. Besides, I am only expressing an opinion, nothing more! Because it is a research-based project for my dissertation, I read much about honeypots and honeynets, but I believe little. I am trying to discover on my own what's going on. The only thing I can rely on is the way a honeypot can be built, maintained and deployed, but again you can improvise, which seems to be the best.

Regards,
Kostas