Honeypots mailing list archives

Re: Q


From: Richard Stevens <mail () richardstevens de>
Date: Mon, 25 Aug 2003 16:52:23 +0200


Hi,


On Sunday 24 August 2003 00:14, Motayyam79 () aol com wrote:
> It is true that honeypots reduce noise and false negatives and solve a lot
> of the shortcomings that Intrusion detection systems have but isn't that
> purely because there is no production traffic? If intrusion detection
> systems were deployed on a network that did not have production traffic, it
> wouldn't generate a lot of false positives and the volume of information
> would reduce and would be of high value right?

Correct!

> what makes honeypots unique?

At least honeynets also allow you to *completely* analyze any attack, known or 
unknown. You capture all traffic and if you prepare your target systems 
accordingly also keypresses and other events. That allows you to also analyze 
events that your intrusion detection system normally wouldn't capture. You 
can also analyze preparation for an attack and analyze it accordingly. Of 
course it all depends on the specific configuration but honeynets offer the 
possibility to see much more than classic intrusion detection systems.

Besides that, honeypots are a quite general concept. They can be used in 
various ways. Think about those spammer trap honeypots that just sit there, 
accept (relay) a certain amount of test mails but once the big load hits, 
they don't relay the bulk. I can't think of a way to achieve functionality 
like that with classic IDSes. Another example is worm traps, possibly 
implemented with honeyd. There might be ways to implement similar 
functionality by other means of course. 

This might sound a little cheesy but honeypots/honeynets become unique 
through the ideas that people implement with the honeypot technology or 
concept.

Regards,

Richard
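The spam-trap relay behaviour Richard describes (relay a few test mails so the sender believes the relay is open, then quietly swallow the bulk run) as an added illustration; this is not code from the list or its author, and the thresholds, the `handle()` interface and the sample addresses are assumptions constructed for the example.

```python
"""Decision logic for a spam-trap open relay (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field

TEST_RELAY_LIMIT = 3     # per source, how many "test" mails we really relay
BURST_WINDOW = 60.0      # seconds of history kept per source
BURST_THRESHOLD = 10     # messages inside the window that mark a bulk run
RCPT_BULK_LIMIT = 20     # recipients per message that mark a bulk run


@dataclass
class SourceState:
    relayed: int = 0
    timestamps: list = field(default_factory=list)
    flagged: bool = False


class SpamTrapRelay:
    def __init__(self):
        self.sources = defaultdict(SourceState)
        self.log = []  # detection events a defender would forward to a SIEM

    def handle(self, src_ip, now, rcpt_count):
        """Return 'relay' or 'swallow'. The SMTP session answers 250 OK either
        way, so the sender cannot tell which branch was taken."""
        st = self.sources[src_ip]
        st.timestamps = [t for t in st.timestamps if now - t <= BURST_WINDOW]
        st.timestamps.append(now)
        bulk = len(st.timestamps) >= BURST_THRESHOLD or rcpt_count > RCPT_BULK_LIMIT
        if bulk and not st.flagged:
            self.log.append(f"{src_ip}: bulk run detected at t={now:.1f}")
            st.flagged = True
        if st.flagged or st.relayed >= TEST_RELAY_LIMIT:
            return "swallow"
        st.relayed += 1
        return "relay"


def simulate():
    """Two probe mails minutes apart, then a 30-message blast with 50 recipients each."""
    trap = SpamTrapRelay()
    src = "198.51.100.7"  # constructed, RFC 5737 documentation range
    decisions = [trap.handle(src, 0.0, 1), trap.handle(src, 120.0, 1)]
    decisions += [trap.handle(src, 600.0 + i * 0.5, 50) for i in range(30)]
    return decisions, trap.log
```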