Honeypots mailing list archives
Re: Question about Dynamic Honeypots.
From: "Jack Whitsitt (jofny)" <seclists () violating us>
Date: Mon, 22 Sep 2003 14:34:33 -0500
The key problem with the question and the answers is the word "all". There are no firewalls, no IDS systems, and no other <fill in the blank> security products that will find and/or deal with all hostile traffic. There are also no solutions that don't make mistakes.

So, that being said, there are solutions available - commercial and open source - that use IDS systems to redirect traffic to honeypots based on policy. No, these should not be used as blanket solutions. Yes, there are situations where you have a) stable and *fairly* homogeneous traffic patterns where IDS can, with very few false positives, find bad traffic and b) a need to do further analysis of an attack that a firewall or IDS can provide (specific examples would be to watch behavior in encrypted traffic streams, to determine goals and motivation of an attack, or even to determine if there is something more serious going on than your signature picked up on).

These systems are hard to maintain and should be used in very specific situations - but there is a need and use for them.

* Bait and Switch Honeypot System does it (out of date, but easy to hack on to newer Snort versions)
* Hogwash
* and look for a commercial router company (don't remember the name) out of Europe (Belgium?) that does this as well.

-Jack

(I'm not looking for comments on the solutions - just presenting them as evidence that they exist)

----- Original Message -----
From: "Richard Stevens" <mail () richardstevens de>
To: "Mahdi samadi" <samadi () cabinet amnafzar com>; <honeypots () securityfocus com>
Sent: Monday, September 22, 2003 2:13 PM
Subject: Re: Question about Dynamic Honeypots.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
I have also another question. I think that there will be another feature for future honeypots/nets: they must plug into networks and attract all anomalous/malicious traffic to themselves. At the least it must redirect the attack traffic to itself. I am be so
This sounds interesting, but why would you want to do that? I suppose you are thinking about a honeynet placed somewhere near production machines, not a separate installation independent of production.

Now, to redirect all malicious traffic, you'd have to identify it first. Otherwise there's nothing to redirect. The identification has to be 100% accurate, otherwise you'd interfere with production traffic --> not good and probably worse than a few attacks coming through, since not all attacks do work. All this would have to work without being detectable, which sounds quite hard to do.

I wonder, if you actually found a way to identify malicious traffic with a precision that high, why not simply block it and leave a honeynet in a classic way to cope with the remaining/new attacks for analysis and identification?

What exactly would be the goal of the redirection? You already know that the redirected traffic is malicious, you know what it is. Imho you could only learn which combinations of the known traffic are used by attackers. While this could be interesting, you could probably gather all that by analyzing the logs of your firewall or blocking mechanisms.

Please don't get me wrong, the idea sounds interesting but I'm probably not imaginative enough to get ideas about what benefit you'd get. Since you already know a lot about the attacks, it seems a bit like watching script kiddies but with a lot more work and complexity to achieve this.

Regards,
Richard

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/b0nsCfA4EwqVdIQRAvWPAKCLf6cm1Ad30RZ+K/m+SHYOR9nSRQCeJ3yK
fyOtcVrtsorNruZbw6j7eg0=
=aZmb
-----END PGP SIGNATURE-----
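The redirection that Jack describes (an IDS signature fires, and traffic from that source is steered to a honeypot by policy) and the objection Richard raises (a false positive diverts a real customer) can both be seen in a small stateful model. The following is an added illustration written for this archive page; it is not code from Bait and Switch, Hogwash, Snort or any product mentioned in the thread. The addresses, the allow-list, the two content "signatures" and the packet trace are all constructed for the example, and the choice to reset a flow that is already established on the production host rather than try to move it is a modelling decision, not a description of how any named tool behaves.

```python
"""Toy, stateful model of an IDS-triggered "bait and switch" redirector.

Added example for this thread, not code from any product it names.
Hosts, policy, signatures and the packet trace are constructed.
"""
import re
from dataclasses import dataclass, field

PRODUCTION = "10.0.0.10"   # constructed: the protected server
HONEYPOT = "10.0.0.99"     # constructed: the decoy that flagged sources are sent to
ALLOW = {"10.0.0.5"}       # constructed policy: sources that are never redirected

# Constructed content matches in the spirit of an IDS rule; not real rules.
SIGNATURES = {
    "web-traversal": re.compile(rb"\.\./\.\./"),
    "ssh-old-banner": re.compile(rb"^SSH-1\.5-"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class Redirector:
    flagged: dict = field(default_factory=dict)   # src -> signature that fired
    live_flows: set = field(default_factory=set)  # flows already delivered to production
    alerts: list = field(default_factory=list)

    def match(self, pkt):
        for name, sig in SIGNATURES.items():
            if sig.search(pkt.payload):
                return name
        return None

    def route(self, pkt):
        """Return where pkt is delivered: PRODUCTION, HONEYPOT or 'reset'."""
        if pkt.dst != PRODUCTION or pkt.src in ALLOW:
            return pkt.dst
        if pkt.src not in self.flagged:
            hit = self.match(pkt)
            if hit is None:
                self.live_flows.add(pkt.flow)
                return PRODUCTION
            self.flagged[pkt.src] = hit
            self.alerts.append((pkt.src, hit))
        # The source is flagged. A flow that already has state on the
        # production host cannot be moved: the honeypot knows nothing about
        # its sequence numbers, so the model tears it down. New flows from
        # the flagged source are delivered to the honeypot instead.
        if pkt.flow in self.live_flows:
            self.live_flows.discard(pkt.flow)
            return "reset"
        return HONEYPOT


def run(trace):
    """Route every packet in order; return (decisions, redirector)."""
    r = Redirector()
    return [r.route(p) for p in trace], r


def collateral(trace, decisions, legit_sources):
    """Count packets from known-legitimate sources that did not reach production
    (Richard's objection: every false positive costs real traffic)."""
    return sum(1 for p, d in zip(trace, decisions)
               if p.src in legit_sources and d != PRODUCTION)


# Constructed trace: an attacker, an innocent client that trips the same rule,
# and an allow-listed scanner.
TRACE = [
    Packet("192.0.2.7", 40001, PRODUCTION, 80),                            # first packet, no payload
    Packet("192.0.2.7", 40001, PRODUCTION, 80, b"GET /../../etc/passwd"),  # fires web-traversal
    Packet("192.0.2.7", 40002, PRODUCTION, 80, b"GET /index.html"),        # new flow, same attacker
    Packet("198.51.100.3", 50000, PRODUCTION, 80, b"GET /index.html"),     # unrelated customer
    Packet("198.51.100.3", 50000, PRODUCTION, 80, b"GET /docs/../../x"),   # customer trips the rule
    Packet("198.51.100.3", 50001, PRODUCTION, 80, b"GET /index.html"),     # ... and is now on the decoy
    Packet("10.0.0.5", 6000, PRODUCTION, 80, b"GET /../../etc/passwd"),    # allow-listed scanner
]

if __name__ == "__main__":
    decisions, r = run(TRACE)
    for p, d in zip(TRACE, decisions):
        print(f"{p.src}:{p.sport} -> {d}")
    print("alerts:", r.alerts)
    print("legit packets lost:", collateral(TRACE, decisions, {"198.51.100.3"}))
```

Two things the run makes concrete. First, the flow that triggered the alert is lost either way: it cannot be handed to a host that has no state for it, which is why a redirector of this kind is really about subsequent connections from the flagged source. Second, once a legitimate client matches a rule it is treated exactly like the attacker for the rest of its visit, so the allow-list and the precision of the signatures are the whole safety margin; the `collateral` count is the number a practitioner should be watching before deploying this on a production segment.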
Current thread:
- Question about Dynamic Honeypots. Mahdi samadi (Sep 22)
- Re: Question about Dynamic Honeypots. Patrick Dolan (Sep 22)
- Re: Question about Dynamic Honeypots. Richard Stevens (Sep 22)
- Re: Question about Dynamic Honeypots. Jack Whitsitt (jofny) (Sep 22)
- Project: Multiple service-instances on single h-pot Daniel Roth (Sep 22)
- Re: Project: Multiple service-instances on single h-pot oudot (Sep 22)
- Re: Project: Multiple service-instances on single h-pot Daniel Roth (Sep 22)
- Re: Project: Multiple service-instances on single h-pot oudot (Sep 22)
- Re: Question about Dynamic Honeypots. Plamen Tonev (Sep 22)
- Re: Question about Dynamic Honeypots. oudot (Sep 22)