Honeypots mailing list archives

Usefulness of low-interaction honeypots.


From: Kostas K <acezerocool () yahoo com>
Date: 5 Sep 2003 12:20:08 -0000



Hi list,

 I am currently working on a project. The project is divided into three 
parts/experiments.
- Deployment of a low interaction honeypot
- Deployment of a high interaction honeypot
- Deployment of a honeynet
Most of you know the pros and cons of low-interaction honeypots.
I have finished with the first one and I have reached some 
conclusions. Low risk, "low" results, meaning that low-interaction 
honeypots are in a way useless. The reason for saying that is that even if you 
are attacked you can't harvest enough data to understand 
their 'modus operandi' (style of work, type of attack, etc.). Maybe you 
get attackers' IP addresses, but this is never enough, thus it's useless 
too, because: Did it harm your system? No, how could it? It's a fake 
service, it's a fake O/S, etc. seems to be a reasonable answer!!! Since, 
how can you accuse someone that did not harm your system?

From a homemade low interaction honeypot to a commercial one it is difficult to 
harvest enough, hence there is a high possibility of being exposed to the 
attacker. In case the attacker is aware of TCP/IP signatures and can work 
with Snort or tcpdump, then he/she will probably realise what's behind the 
scenes.
It's really what they say, 'sit back and relax' while you are under 
attack; however, there is nothing much you can do. This is the real 
problem with low-interaction honeypots. 

As soon as I finish with the second experiment I will post my opinion on 
those as well. Besides, I am only expressing an opinion, nothing more!
 Because this is a research-based project for my dissertation I have read much 
about honeypots and honeynets, but I believe few. I am trying to discover 
on my own what's going on. The only thing I can rely on is the way a 
honeypot can be built, maintained and deployed, but again you can 
improvise, which seems to be the best.


Regards

Kostas
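The post above argues that a low-interaction honeypot yields little beyond the attacker's IP address. The following is an added illustration, not code from the original message or from any honeypot product it mentions: a minimal low-interaction listener that presents a canned (constructed) SMTP-style banner and records, per connection, the peer address, a timestamp, the byte count, the first request line and a short hex dump of the first bytes received. The banner text, the `summarize_request` and `run_honeypot` names, and the sample peer/payload values are all assumptions made for this example; the point is only to show what a fake service can log in addition to the source IP so that later analysis has something to work with.

```python
import socket
import time

# Constructed banner for a fake SMTP service (hypothetical host name).
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"

# How much of the first request to keep in the log record.
MAX_FIRST_LINE = 200
MAX_HEX_BYTES = 64


def summarize_request(peer, first_bytes, received_at=None):
    """Build the log record a low-interaction honeypot can realistically capture.

    peer        -- (ip, port) tuple as returned by socket.accept()
    first_bytes -- the raw bytes the client sent after seeing the banner
    received_at -- optional fixed timestamp (useful for tests)
    """
    ts = received_at if received_at is not None else time.time()
    text = first_bytes.decode("ascii", errors="replace")
    # First line regardless of CRLF or bare LF line endings.
    first_line = text.split("\r\n", 1)[0].split("\n", 1)[0]
    verb = first_line.split(" ", 1)[0].upper() if first_line else ""
    return {
        "ts": ts,
        "peer_ip": peer[0],
        "peer_port": peer[1],
        "bytes": len(first_bytes),
        "first_line": first_line[:MAX_FIRST_LINE],
        "verb": verb,
        "hexdump": first_bytes[:MAX_HEX_BYTES].hex(),
    }


def handle_client(conn, peer, read_timeout=5.0):
    """Send the banner, read one request, and return its summary record."""
    conn.settimeout(read_timeout)
    try:
        conn.sendall(FAKE_BANNER)
        data = conn.recv(1024)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    return summarize_request(peer, data)


def run_honeypot(host="127.0.0.1", port=2525, max_connections=None, sink=print):
    """Accept connections and hand each record to `sink` (default: print).

    max_connections=None runs forever; a number stops after that many
    connections, which keeps the function usable from a script or test.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    seen = 0
    try:
        while max_connections is None or seen < max_connections:
            conn, peer = srv.accept()
            sink(handle_client(conn, peer))
            seen += 1
    finally:
        srv.close()
    return seen


if __name__ == "__main__":
    # Listens on a high port so it needs no privileges; stop with Ctrl-C.
    run_honeypot()
```

Each record still says nothing about whether the peer did any harm, which is the author's complaint, but the first request line and hex dump at least let you group connections by the command or probe they open with, and that is more than an address list gives you.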

