Honeypots mailing list archives

Re: question (about internal honeypots)


From: "Peter Bates" <Peter.Bates () lshtm ac uk>
Date: Thu, 21 Aug 2003 14:03:51 +0100


Hello all...


<Motayyam79 () aol com> 21/08/03 12:07:36 >>>
Just one question. Can honeypots be deployed internally in order to
monitor for insider attacks? If so, how?

I'm having a lot of success with this at the moment, using honeyd (and
arpd) on an internal network. I just configured them both to respond to
certain addresses across our /24 networks, and they are proving very
useful in identifying MSBlaster (by opening tcp/135) and similarly
Windows share scanning activity (by also opening tcp/139) ... 

There's an interesting paper about what they've done at Georgia
Institute of Technology at:
http://www.tracking-hackers.com/papers/gatech-honeynet.pdf
...



--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone: 0207-958 8353 / Fax: 0207-636 9838
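
Added example, not part of the original message or of honeyd: one way to triage the connection log from a setup like the one described above, listing internal hosts that opened tcp/135 or tcp/139 on several decoy addresses. The log field layout, the 10.1.0.0/16 internal range, the sample lines and the names `suspects` and `is_internal` are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample. The field layout (timestamp, proto, S/E flag, source,
# source port, destination, destination port) is an assumption modelled on
# honeyd's connection log; adjust LINE to match the log you actually have.
SAMPLE_LOG = """\
2003-08-21-13:58:02.1001 tcp(6) S 10.1.4.23 1042 10.1.7.201 135 [Windows XP SP1]
2003-08-21-13:58:02.1510 tcp(6) S 10.1.4.23 1043 10.1.7.202 135 [Windows XP SP1]
2003-08-21-13:58:02.2044 tcp(6) S 10.1.4.23 1044 10.1.7.203 135 [Windows XP SP1]
2003-08-21-13:58:05.0012 tcp(6) E 10.1.4.23 1042 10.1.7.201 135: 72 0
2003-08-21-13:59:40.3300 tcp(6) S 10.1.9.8 2210 10.1.7.201 139
2003-08-21-13:59:41.0107 tcp(6) S 10.1.9.8 2211 10.1.7.202 139
2003-08-21-14:00:12.5000 tcp(6) S 10.1.5.77 3001 10.1.7.201 80
2003-08-21-14:01:30.9000 tcp(6) S 203.0.113.9 4000 10.1.7.201 135
truncated line without enough fields
"""

INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]  # assumed internal range
WATCHED_PORTS = {135, 139}  # the two ports the post opens on the decoys
LINE = re.compile(r"^\S+ tcp\(6\) S (\S+) \d+ (\S+) (\d+)\b")


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # malformed field: treat as not ours
        return False
    return any(ip in net for net in INTERNAL_NETS)


def suspects(log_text, min_decoys=2):
    """Map internal source -> {port: sorted decoy addresses it connected to},
    keeping only sources that touched at least min_decoys decoys on a port."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # end-of-connection records and damaged lines
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port in WATCHED_PORTS and is_internal(src):
            seen[src][port].add(dst)
    report = {}
    for src, ports in seen.items():
        kept = {p: sorted(d) for p, d in ports.items() if len(d) >= min_decoys}
        if kept:
            report[src] = kept
    return report
```

Because every destination in a honeypot log is a decoy, any internal source that appears here has no legitimate reason for the connection; `min_decoys` only filters out one-off mistyped addresses.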

