Honeypots mailing list archives

RE: Honeypot / Nessus help


From: Chmielarski TOM-ATC090 <Tom.Chmielarski () motorola com>
Date: Tue, 12 Oct 2004 12:43:34 -0500

Hi Bob.
By posting in the honeypot list I assume you are mostly concerned with that part of your question. Otherwise the 
focus-ids list would be a better forum :) But, never one to concede to the obvious, I'll chime in on what others are 
answering: IPS/IDS. 

My advice is to not focus so much on the detection ability of the product. I know, that sounds silly. Seriously though, 
what is important is that the product is _usable_ within your organization. How easy is the management of the 
device(s)? How difficult will it be to monitor or connect to your existing monitoring structure? How stable is it? If 
the product can detect every single exploit within the next five years but is unwieldy and prone to crashing then you 
have wasted your money. The IDS space is filled with products that have all kinds of claims and benchmarks about how 
well they detect the next bad thing. The IDS engine is the most dynamic part of most of these products (go figure..); 
if the framework around that engine is crap it's likely to stay that way.  

"Ask not what the product can do for you, but what you will do with the product" :)

As far as the testing part of your question I'd suggest using the attack tool once and capturing that with a sniffer.  
Use tcpreplay or similar so you see the exact same activity with every run. If you are testing the IPS part of it then 
use a honeypot on VMWare so you can revert the OS to the same snapshot before every test. 


- Tom Chmielarski
- My views are mine and do not reflect those of my employer
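A replay-based test like the one Tom describes (capture the attack tool once, replay the same pcap with tcpreplay, revert the honeypot snapshot before each run) only pays off if you also compare what the sensor reported from run to run. The script below is an added example, not part of this thread and not code from any product mentioned in it: it parses Snort-style "fast" alert lines from several replay runs, reports which signatures fired in every run versus only some (a flaky signature usually means the sensor, not the traffic, is varying), and checks the detected SIDs against the list of SIDs the attack tool was expected to trigger. The sample log lines, SIDs and rule messages are constructed for illustration.

```python
"""Compare IDS alert output across repeated replays of the same capture.

Assumptions (example only): alerts are written in Snort "fast" format and each
replay run lands in its own log. All sample data below is constructed.
"""
import re
from collections import Counter

# A fast-format alert carries "[**] [gid:sid:rev] message [**]"; other lines
# (sensor status, blank lines) are ignored by the parser.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

# Constructed sample logs: one pcap replayed three times against one sensor.
# SIDs 100001-100003 and their messages are made up for this example.
RUN_LOGS = {
    "run1": [
        "10/12-12:40:01.000001  [**] [1:100001:1] CONSTRUCTED web cmd probe [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80",
        "10/12-12:40:01.000200  [**] [1:100002:1] CONSTRUCTED ftp banner scan [**] "
        "[Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.0.5:40002 -> 10.0.0.9:21",
        "10/12-12:40:02.000300  [**] [1:100003:1] CONSTRUCTED smb null session [**] "
        "[Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.0.5:40003 -> 10.0.0.9:445",
    ],
    "run2": [
        "sensor: replay 2 started",  # not an alert; parser must skip it
        "10/12-12:45:01.000001  [**] [1:100001:1] CONSTRUCTED web cmd probe [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80",
        "10/12-12:45:01.000200  [**] [1:100002:1] CONSTRUCTED ftp banner scan [**] "
        "[Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.0.5:40002 -> 10.0.0.9:21",
    ],
    "run3": [
        "10/12-12:50:01.000001  [**] [1:100001:1] CONSTRUCTED web cmd probe [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80",
        "10/12-12:50:01.000200  [**] [1:100002:1] CONSTRUCTED ftp banner scan [**] "
        "[Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.0.5:40002 -> 10.0.0.9:21",
        "10/12-12:50:02.000300  [**] [1:100003:1] CONSTRUCTED smb null session [**] "
        "[Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.0.5:40003 -> 10.0.0.9:445",
    ],
}


def parse_alerts(lines):
    """Return (hits, names): hits counts each (gid, sid) seen, names maps it to its message."""
    hits = Counter()
    names = {}
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        key = (int(m.group("gid")), int(m.group("sid")))
        hits[key] += 1
        names[key] = m.group("msg")
    return hits, names


def compare_runs(run_logs):
    """Split signatures into those that fired in every run and those that did not."""
    per_run = {}
    names = {}
    for run, lines in run_logs.items():
        hits, run_names = parse_alerts(lines)
        per_run[run] = hits
        names.update(run_names)
    seen_anywhere = set().union(*(set(h) for h in per_run.values()))
    stable = sorted(s for s in seen_anywhere if all(s in h for h in per_run.values()))
    flaky = sorted(seen_anywhere - set(stable))
    return {"stable": stable, "flaky": flaky, "per_run": per_run, "names": names}


def coverage(expected_sids, result):
    """Return the expected SIDs that no run detected at all."""
    detected = {sid for hits in result["per_run"].values() for (_gid, sid) in hits}
    return set(expected_sids) - detected


if __name__ == "__main__":
    result = compare_runs(RUN_LOGS)
    for label in ("stable", "flaky"):
        for key in result[label]:
            print(f"{label:6} {key[0]}:{key[1]}  {result['names'][key]}")
    # Constructed expectation: the attack run was supposed to trigger four rules.
    print("never detected:", sorted(coverage({100001, 100002, 100003, 100004}, result)))
```

Feed it one log per replay; anything listed as flaky after several reverts of the same snapshot and the same pcap is a sensor-side inconsistency worth raising with the vendor, while SIDs that never fire go on the list of signatures the product advertises but did not deliver in your test.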


-----Original Message-----
From: Robert McMahon [mailto:bob () intoto com] 
Sent: Friday, September 24, 2004 2:10 PM
To: honeypots () securityfocus com
Subject: Honeypot / Nessus help


Hi,

I'm trying to evaluate an Intrusion Detection/Prevention product which advertises support for thousands of signatures.

I'm thinking of using Nessus and a honeypot to exercise the product. I'm new to the tools/technology and was wondering 
if anybody has opinions on whether these are the right tools?  Also, should I use honeyd or some other honeypot?  (My 
initial look at honeyd suggests it is a bit premature, but like I said, I'm a newbie.)

Thanks in advance for any help and tips,

Bob McMahon
Application Engineer
Intoto Inc.
bob () intoto com
