Honeypots mailing list archives
Re: Q
From: Richard Stevens <mail () richardstevens de>
Date: Mon, 25 Aug 2003 16:52:23 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On Sunday 24 August 2003 00:14, Motayyam79 () aol com wrote:
> It is true that honeypots reduce noise and false negatives and solve a lot of the shortcomings that Intrusion detection systems have but isn't that purely because there is no production traffic? If intrusion detection systems were deployed on a network that did not have production traffic, it wouldn't generate a lot of false positives and the volume of information would reduce and would be of high value right?

Correct!

> what makes honeypots unique?

At least honeynets also allow you to *completely* analyze any attack, known or unknown. You capture all traffic and, if you prepare your target systems accordingly, also keypresses and other events. That allows you to also analyze events that your intrusion detection system normally wouldn't capture. You can also analyze preparation to an attack and analyze it accordingly. Of course it all depends on the specific configuration, but honeynets offer the possibility to see much more than classic intrusion detection systems.

Besides that, honeypots are a quite general concept. They can be used in various ways. Think about those spammer trap honeypots that just sit there, accept (relay) a certain amount of test mails, but once the big load hits, they don't relay the bulk. I can't think of a way to achieve functionality like that with classic IDSes. Another example are worm traps, possibly implemented with honeyd. There might be ways to implement similar functionality by other means, of course.

This might sound a little cheesy, but honeypots/honeynets become unique through the ideas that people implement with the honeypot technology or concept.

Regards,
Richard

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/SiKpCfA4EwqVdIQRAoC9AKDNVm5CHnoMoSguFnZevLQOKU704gCcCcBi
5BsZPYXaVP6vT5eplMPZIeA=
=raI9
-----END PGP SIGNATURE-----
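
The spam-trap behaviour described in the message above (relay a few test mails, accept but never deliver the bulk), sketched as decision logic. This is an added example, not part of the original post or of any honeypot project; the class name, thresholds, reply text and sample addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class SpamTrap:
    """Relay-or-sink decision for a fake open relay (hypothetical names)."""
    test_quota: int = 3      # assumed: mails per source that really get relayed
    max_rcpts: int = 2       # assumed: a probe mail has very few recipients
    window: float = 3600.0   # assumed: seconds over which the quota is counted
    seen: dict = field(default_factory=lambda: defaultdict(deque))
    captured: list = field(default_factory=list)

    def handle(self, src, rcpts, now):
        """Return (action, smtp_reply) for one message accepted from src."""
        recent = self.seen[src]
        while recent and now - recent[0] > self.window:
            recent.popleft()             # forget mails outside the window
        recent.append(now)
        probe = len(recent) <= self.test_quota and len(rcpts) <= self.max_rcpts
        action = "relay" if probe else "sink"
        if action == "sink":
            # Keep the evidence for analysis; nothing leaves the honeypot.
            self.captured.append((now, src, len(rcpts)))
        # Same reply either way, so the sender sees a working relay
        # even though the bulk run is never delivered.
        return action, "250 2.0.0 OK"

def replay(trap, events):
    """Feed (time, source, recipients) tuples through the trap, in order."""
    return [trap.handle(src, rcpts, t)[0] for t, src, rcpts in events]

# Constructed sample: one source probes three times, then starts a bulk run.
SAMPLE = [
    (0.0, "192.0.2.10", ["a@example.net"]),
    (5.0, "192.0.2.10", ["b@example.net"]),
    (9.0, "192.0.2.10", ["c@example.net"]),
    (60.0, "192.0.2.10", ["d@example.net"]),
    (61.0, "192.0.2.10", [f"u{i}@example.net" for i in range(50)]),
    (62.0, "198.51.100.7", ["e@example.net"]),
]

if __name__ == "__main__":
    print(replay(SpamTrap(), SAMPLE))
```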