Honeypots mailing list archives
Re: Honey VS Vinegar
From: Valdis.Kletnieks () vt edu
Date: Wed, 27 Oct 2004 16:52:26 -0400
On Wed, 27 Oct 2004 16:30:10 EDT, Polazzo Justin said:
> If you give the IP a DNS entry, the (google/altavista/lycos)bots try and index your IIS/Apache honeypot and you get a false alarm, even though the nicer ones may turn around after a robots.txt is found the traffic is recorded.
I'm not at all sure that just giving it a DNS entry will cause that behavior. For starters, the bots can't find it unless you're silly enough to allow DNS AXFR from random sites. I'm pretty sure you need to "seed" it with a followable reference to get them to find it.
> Does this compromise the integrity of your honeypot?
Depends on what you define as "integrity". Merely getting indexed by a googlebot shouldn't compromise the actual security integrity of the machine - if it did, every webserver out there would be blocking the Google bot IP address range.. ;) Whether it impacts your *results* because the server is more visible is another story entirely.
> Is this entrapment? Will you only observe known exploits through this type of lure?
Depends. Does your threat model assume that a non-script-kiddie is going to want to possibly lose that 0-day he's been using to get into sites?
> I know how I feel (1: Ignore the searchbots, 2: Entrapment? they shouldn't be trying to compromise servers via Google so go ahead and 3:
More importantly - they aren't *compromising* the server via Google, any more than if I call you on the phone and get you to buy into a scam, I compromised you via the phone book. The only thing that Google is providing is a pointer to machines that can be compromised.
> Even known exploits can make room for nice code storage), but was wondering what conclusions others have reached, and more importantly: To those who automatically publish their logs: How do you automagically clean all of this up?
find /path -mtime +30 -exec rm {} \; works wonders. ;)
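Added example, not part of the original message or thread: one way to separate search-engine crawler hits from the rest of a honeypot's web log before review, the "false alarm" traffic discussed above. The log lines are constructed, and the function name, crawler token list and verdict labels are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Oct/2004:16:30:10 -0400] "GET /robots.txt HTTP/1.0" 200 26 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.10 - - [27/Oct/2004:16:30:12 -0400] "GET /index.html HTTP/1.0" 200 512 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [27/Oct/2004:16:41:03 -0400] "GET /index.html HTTP/1.0" 200 512 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [27/Oct/2004:16:41:05 -0400] "POST /cgi-bin/form.cgi HTTP/1.0" 404 210 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.5 - - [27/Oct/2004:16:52:26 -0400] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [27/Oct/2004:16:53:01 -0400] "-" 408 - "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CRAWLER_TOKENS = ("googlebot", "scooter", "lycos")  # assumed list, extend locally
READ_ONLY = {"GET", "HEAD"}


def classify_clients(log_text):
    """Return ({ip: verdict}, unparsed_lines) for a combined-format web log.
    A client is 'likely_crawler' only if every request carried a crawler
    User-Agent, every request was GET/HEAD, and it fetched /robots.txt.
    The User-Agent is client-supplied, so this is a triage hint, not proof.
    """
    state = defaultdict(lambda: {"ua": True, "read_only": True, "robots": False})
    unparsed = []
    for line in filter(None, log_text.splitlines()):
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # malformed requests always go to review
            continue
        s = state[m["ip"]]
        s["ua"] &= any(t in m["ua"].lower() for t in CRAWLER_TOKENS)
        s["read_only"] &= m["method"] in READ_ONLY
        s["robots"] |= m["path"].split("?")[0] == "/robots.txt"
    verdicts = {
        ip: "likely_crawler" if all(s.values()) else "review"
        for ip, s in state.items()
    }
    return verdicts, unparsed


if __name__ == "__main__":
    verdicts, unparsed = classify_clients(SAMPLE_LOG)
    print(verdicts, f"{len(unparsed)} unparsed line(s) kept for review")
```

Clients tagged `likely_crawler` are still recorded; the tag only lowers their priority in review, and a client that claims a crawler User-Agent while sending a POST or skipping robots.txt stays in the review set.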