Honeypots mailing list archives

Re: RE: deploying honeypots...


From: "gangadhar npk" <phani () myrealbox com>
Date: Sun, 21 Aug 2005 19:42:56 +0530

Hi,
But as Graeme already pointed out, since all the traffic that is going to hit your honeypot is going to be malicious, how
can you effectively sift the bad from the good?
Logically, there can't be any good traffic heading your way. What you can try though is to sift the bad from the very
bad traffic and see if a pattern does emerge.
Interesting project, good luck!
my 2 cents worth
gangadhar

-----Original Message-----
From: cyb3rh3b () kecoak or id
To: "Connell, Graeme S" <gconnell () middlebury edu>
Date: Sat, 20 Aug 2005 20:08:08 +0700
Subject: RE: deploying honeypots...

Quoting "Connell, Graeme S" <gconnell () middlebury edu>:

Rasyid,

  The first question is a very good one, and, as with most good questions,
there really isn't a good answer.  If you're looking at how old exploits are
used against unpatched systems, then by all means use older versions of
operating systems and hardware.  However, if you're looking at what attacks
are used against fully-hardened systems, update all your patches and programs
before deploying the honeynet.  Generally, I like to use stuff that's a few
months to a year old, with a few known exploits.

Hm...ok, I decided to use the default OS with no patch then :). Thanx...


   Regarding your second question, I'm not entirely sure how you're planning
on using neural networks within your honeynet.  Are you examining traffic and
attempting to determine when an attack occurs?  If so, a honeynet may not be
the best place to train the network, since ALL traffic within a honeynet is
attack traffic (no baseline).  Could you be more specific as to exactly what
part your neural network will play in the honeynet?

        --Graeme Connell

The neural network will take the action needed based on the traffic it reads and decide if
that new traffic is dangerous to the system; if so, it will disconnect the
connection (well...it's one of the actions that will be taken).



Rasyid






