Honeypots mailing list archives
Re: HoneyPot Tools
From: Lance Spitzner <lance () honeynet org>
Date: Sat, 3 Jul 2004 10:48:24 -0500
On Jul 3, 2004, at 11:19, Andy Cuff wrote:
> Hi Ponder,
> Great idea to split them up, though how about a slight change in the definitions:
>
> Low Interaction: no services / simulated response
> Medium Interaction: Virtual Services (i.e. detectable to the more advanced attacker)
> High Interaction (HI): Tools to help control and log output from compromised HI honeypots, as I see a high interaction as a fully fledged host in its own right.
My recommendation is just to do Low/High interaction honeypots. There are so many different flavors of honeypots today that do so many different things, it's very difficult to come up with specific categories for all of them. So, my suggestion is to throw anything that is a port listener or emulates to low interaction, anything that provides real services and applications to high interaction honeypots. About the only thing I would consider 'med' interaction is chroot or jail environments.
What you can do on your website is list the low-interaction honeypots in the order of the interaction. Something like BackOfficerFriendly is the most basic, things like Specter/KFSensor are more interaction, and Honeyd the most, but they are all still low-interaction as they all pretend to be something else.
Defining/categorizing honeypots is still I think one of its biggest challenges :-0
lance