Honeypots mailing list archives
Re: Profiling threat in honeynet
From: Valdis.Kletnieks () vt edu
Date: Thu, 06 May 2004 13:06:29 -0400
On Wed, 05 May 2004 17:48:59 +0800, dcneting <ansiry () tm net my> said:

> What is the importance of profiling threats in a honeynet? Anybody can point something to me..? I'm still searching.. and still couldn't find any idea about it..
Well... I'm not clear on which sense you mean - are you profiling the threats that you intend to catch, or profiling the threats of running a honeynet?

To take on the first issue: You have to decide what your threat model is, in order to build a honeypot to catch that threat. If you're trying to catch the worm-du-jour, you need something that acts like it *isn't* patched and is wide-open vulnerable. If you're hoping to catch anything other than an automated worm or larval-stage script kiddie, you need to harden the honeypot to reject all the background noise from the worms and newbies, so you don't false-positive yourself into missing the attack you're looking for...

To take on the second issue: The answer will depend on the answer to the first issue. If you're simply trying to hoover in a worm sample, the worst that can happen is it gets infected and starts trying to replicate, adding 0.000001% to the number of boxes doing it. On the other hand, if your catch-a-black-hat box actually catches a black hat, you may have some serious containment issues...

Also, the answer to both questions will also depend on things like your network topology - is the honeypot on the open net, a DMZ, or internal net? Meanwhile, the answer to that depends on the answer to the first two issues.....
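The point about rejecting worm and script-kiddie background noise so that it does not drown the attack you actually want to see can be made concrete as a triage step over honeypot connection records. The following is an added example, not code from the list post or any honeynet project: the log format, the payload tags, the thresholds and the sample records are all constructed assumptions.

```python
# Added example: label automated background noise (replicating worm payloads,
# rapid port sweeps) separately from rarer events worth an analyst's attention.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <src ip> <dst port> <payload tag>"
SAMPLE_LOG = """\
2004-05-06T12:00:01 10.0.0.5 445 sig-A
2004-05-06T12:00:03 10.0.0.9 445 sig-A
2004-05-06T12:00:04 10.0.0.17 445 sig-A
2004-05-06T12:01:00 10.0.0.40 22 -
2004-05-06T12:01:00 10.0.0.40 23 -
2004-05-06T12:01:01 10.0.0.40 80 -
2004-05-06T12:01:01 10.0.0.40 443 -
2004-05-06T12:05:00 10.0.0.77 22 login-attempt
2004-05-06T12:09:30 10.0.0.77 22 login-attempt
"""
WORM_MIN_SOURCES = 3                  # same payload from this many sources: worm-like
SWEEP_MIN_PORTS = 4                   # one source touching this many ports ...
SWEEP_WINDOW = timedelta(seconds=10)  # ... inside this window: scripted port sweep

def parse(text):
    """Parse one record per line into (timestamp, src, port, payload tag)."""
    events = []
    for line in text.splitlines():
        ts, src, port, tag = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port), tag))
    return events

def triage(events):
    """Return {src: label}; label is 'worm-noise', 'sweep-noise' or 'investigate'."""
    sources_per_tag = defaultdict(set)
    by_src = defaultdict(list)
    for ts, src, port, tag in events:
        if tag != "-":
            sources_per_tag[tag].add(src)
        by_src[src].append((ts, port, tag))
    worm_tags = {t for t, srcs in sources_per_tag.items() if len(srcs) >= WORM_MIN_SOURCES}
    labels = {}
    for src, hits in by_src.items():
        if any(tag in worm_tags for _, _, tag in hits):
            labels[src] = "worm-noise"       # identical payload arriving from many hosts
            continue
        hits.sort()
        ports = {port for _, port, _ in hits}
        span = hits[-1][0] - hits[0][0]
        if len(ports) >= SWEEP_MIN_PORTS and span <= SWEEP_WINDOW:
            labels[src] = "sweep-noise"      # many ports in seconds: scripted probe
        else:
            labels[src] = "investigate"      # slow, repeated, single service: look closer
    return labels
```

Tune the thresholds to the honeypot's own baseline; the "investigate" bucket is what a hardened catch-a-black-hat box should leave you with once the noise is filtered.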