Re: Honeyclients info

[Kathy Wang <knwang () synacklabs net>]

Hi all,

To follow up on a previously posted thread...

Just wanted to let you know that I did present on honeyclients at
RECON (http://www.recon.cx) this past Saturday. Overall, the audience
response was very positive - and everyone seemed to have something
to say about honeyclients.

There is now a project page for honeyclient development. It is located
at http://www.honeyclient.org

At that site, you can download the latest honeyclient tarball, and 
join the mailing list for honeyclients. The talk slides are also available
for download.

I look forward to talking with you.

Kathy

On Wed, Apr 20, 2005 at 09:57:18PM -0400, Kathy Wang <knwang () synacklabs net> stated:
> Hi David,
>
> On Wed, Apr 20, 2005 at 07:20:35PM -0500, David Jiménez Domínguez <djdsecurity () gmail com> stated:
> > Hi Kathy!!
> >
> > As I can see, is like looking for attacks  from HTTP, FTP, DNS
> > servers..... (If I'm not wrong)
>
> Yes, you're correct here.
>
> > but, does the idea is to do the scan by itself (like a spider) or
> > while I'm using my web browser?
>
> While you could do it either way, I'm implementing mine as a spider.
>
> > Is it going to report the events to a centralized sever... (may be a
> > honeyserver)?
>
> Right now, there is no centralized server, but it could certainly
> be done that way.
>
> > It looks like a interesting idea... just like dinamic honeypots....
>
> Thanks, and I'm looking forward to seeing what you think when it
> is released.
>
> Kathy
>
> > 2005/4/20, Kathy Wang <knwang () synacklabs net>:
> > > Hi David,
> > >
> > > Saw your message, and thought I should respond...
> > >
> > > I first came up with the concept of honeyclients back in November
> > > of last year, as a way to detect new attacks. As great as the honeypot
> > > technology is, I consider it to be a passive device. This means it
> > > sits on the network, and waits. Many users nowadays are experiencing
> > > attacks from malicious servers, and existing honeypots cannot detect
> > > these types of attacks.
> > >
> > > Honeyclients are the opposite of honeypots. The purpose of a honeyclient
> > > is to go out and hit servers, thus looking for bad stuff. These servers
> > > can serve HTTP or other services such as DNS, FTP, P2P, etc.
> > >
> > > I wrote a whitepaper last year about the types of attacks that can be
> > > detected using honeyclients, and plan on releasing a honeyclient tool
> > > at RECON. Unfortunately, I cannot release the whitepaper at this time.
> > > The honeyclient will be a BSD-licensed HTTP honeyclient, so you'll be
> > > able to try it out for yourself, shortly.
> > >
> > > Kathy
> > >
> > > On Wed, Apr 20, 2005 at 01:09:39PM -0500, David Jiménez Domínguez <djdsecurity () gmail com> stated:
> > > > Hi folks!!!
> > > >
> > > > Do you know what a honeyclient is??
> > > >
> > > > What is the difference between a high-interaction honeypot and a honeyclient?
> > > >
> > > > Do yo have docs about it?
> > > >
> > > > In Recon 2005 there is a speaker (Kathy Wang) who is going to speak
> > > > about it, but I'm not going to be there.... I have seen that some
> > > > honetnet projects are moving to this kind of technology.... but what
> > > > is it?
> > > >
> > > > ------------------
> > > > David.