Honeypots mailing list archives

Re: Question


From: "Tom Wright" <tom () keyfocus net>
Date: Tue, 19 Aug 2003 09:58:53 +0100


Hmm, I'm beginning to think the concept of 'medium' or 'middle'
interaction may be a bad term.  It may be better to just think in
terms of 'low' interaction and 'high' interaction.  Low interaction
being emulated (Specter, KFSensor, Tiny Honeypot), high interaction
being real systems or applications (ManTrap, Honeynets).


The lines between 'medium' and 'low' are becoming more blurred when it comes
to classifying products.
It makes sense to distinguish honeypots based on emulations from real
systems; this is a clear line.

However, classifying all emulation software as 'low interaction' is a bit
misleading.

For example, here is how I would define levels of an SMTP server interaction.
The first three levels can all be done by emulation and of course a real
system can do all four.

Low interaction: Display server banner and allow attacker to attempt to log
on, but reject all user/passwords.
Medium interaction: Allow attacker to log on and send emails to the server.
High interaction: Allow the attacker to use the server to relay mail to
anywhere on the internet.
Very high interaction: Allow attacker complete admin control of the SMTP
server, or to execute a successful buffer overflow attack.

Maybe we need two distinctions: one to say real/emulation and another one to
indicate the level of functionality on offer.


- Tom
http://www.keyfocus.net
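
The first three SMTP levels described in the message above, sketched as one emulated session handler. This is an added example, not part of the original post and not code from KFSensor or any other product named in the thread. The function name, the event tuples, the domain honeypot.example and the choice to log mail rather than deliver it at the 'high' level are assumptions made for illustration.

```python
import base64

LOCAL_DOMAIN = "honeypot.example"  # constructed name (assumption)

def run_session(level, client_lines):
    """Emulate SMTP at 'low', 'medium' or 'high' level; return (replies, events)."""
    replies, events = [f"220 {LOCAL_DOMAIN} ESMTP"], []
    authed, rcpts, body, in_data = False, [], [], False
    for line in client_lines:
        verb, arg = line[:4].upper(), line[5:]       # SMTP verbs are four letters
        if in_data and line != ".":                  # collecting a message body
            body.append(line)
        elif in_data:                                # lone "." ends the message
            events.append(("mail_captured", tuple(rcpts), "\n".join(body)))
            replies.append("250 OK queued")          # logged only, never delivered
            rcpts, body, in_data = [], [], False
        elif verb in ("HELO", "EHLO"):
            replies.append(f"250 {LOCAL_DOMAIN}")
        elif verb == "AUTH" and arg.upper().startswith("PLAIN "):
            try:                                     # payload: NUL user NUL password
                _, user, pw = base64.b64decode(arg[6:]).decode().split("\0")
            except ValueError:
                replies.append("501 Malformed credentials")
                continue
            events.append(("login_attempt", user, pw))
            authed = level != "low"                  # low: reject every user/password
            replies.append("235 Accepted" if authed else "535 Authentication failed")
        elif verb in ("MAIL", "RCPT", "DATA") and not authed:
            replies.append("530 Authentication required")
        elif verb == "MAIL":
            replies.append("250 OK")
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            local = addr.lower().endswith("@" + LOCAL_DOMAIN)
            if local or level == "high":             # high: pretend to relay anywhere
                events.append(("rcpt", addr, "local" if local else "relay"))
                rcpts.append(addr)
                replies.append("250 OK")
            else:
                replies.append("550 Relaying denied")
        elif verb == "DATA" and rcpts:
            in_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 Bye")
            break
        else:
            replies.append("502 Command not implemented")
    return replies, events
```

The same client transcript yields a different reply sequence and a different amount of captured data at each level, which is the "level of functionality on offer" axis, independent of the real/emulation axis.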






