Honeypots mailing list archives
Re: RE: deploying honeypots...
From: "gangadhar npk" <phani () myrealbox com>
Date: Sun, 21 Aug 2005 19:42:56 +0530
Hi,

But as Graeme already pointed out, since all the traffic that is going to hit your honeypot is going to be malicious, how can you effectively sift the bad from the good? Logically, there can't be any good traffic heading your way. What you can try though is to sift the bad from the very bad traffic and see if a pattern does emerge.

Interesting project, good luck!

my 2 cents worth
gangadhar

-----Original Message-----
From: cyb3rh3b () kecoak or id
To: "Connell, Graeme S" <gconnell () middlebury edu>
Date: Sat, 20 Aug 2005 20:08:08 +0700
Subject: RE: deploying honeypots...

Quoting "Connell, Graeme S" <gconnell () middlebury edu>:
Rasyid, The first question is a very good one, and, as with most good questions, there really isn't a good answer. If you're looking at how old exploits are used against unpatched systems, then by all means use older versions of operating systems and hardware. However, if you're looking at what attacks are used against fully-hardened systems, update all your patches and programs before deploying the honeynet. Generally, I like to use stuff that's a few months to a year old, with a few known exploits.
Hm... OK, I decide to use default OS with no patch then :). Thanx...
Regarding your second question, I'm not entirely sure how you're planning on using neural networks within your honeynet. Are you examining traffic and attempting to determine when an attack occurs? If so, a honeynet may not be the best place to train the network, since ALL traffic within a honeynet is attack traffic (no baseline). Could you be more specific as to exactly what part your neural network will play in the honeynet?
--Graeme Connell
The neural network will take the action needed based on the traffic it reads and decide if that new traffic is dangerous to the system; if so, it will disconnect the connection (well... it's one of the actions that will be taken).

Rasyid