Honeypots mailing list archives
Re: deploying honeypots...
From: Valdis.Kletnieks () vt edu
Date: Sun, 21 Aug 2005 19:24:13 -0400
On Sat, 20 Aug 2005 12:41:20 +0300, Ahmed Ameen said:
> For your first question I would say leave them with no patches; the objective is to attract the black-hat community.
This is so counter-productive as to be totally nuts. Last I checked, the DShield survival-time estimate was sitting around 20-25 minutes. Do you *really* want a honeypot that will get whacked twice an hour by the worm du jour? If you want to use an unpatched system so you can catch new exploits, the only sane thing to do is to park it behind a good filtering IPS of some sort that munches the packets for all the exploits you already know about - if it's something that already has a Snort signature, you're probably disinterested in it. Anything useful (such as the rate you see any given exploit or what known exploits a blackhat throws before popping off a 0-day) can be extracted from your IPS logs, which is a lot easier than having to re-image 50 times a day....
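The log-mining Valdis describes (per-exploit hit rates, the order in which a given source throws known exploits, and how long an exposed box lasts before the first hit) is straightforward to pull out of the IPS alert file. The script below is an added example, not code from the post or from any list member; it parses lines shaped like Snort's one-line "fast" alert format, but the sample lines, the signature IDs (1:9000001 etc.), the addresses and the assumed year are all constructed for illustration and are not real rule SIDs or real traffic.

```python
"""Summarise IPS alerts recorded in front of a honeypot (added example).

Input lines are constructed to look like Snort's "fast" alert format.
Signature IDs, addresses and the year are made up for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real data). Snort's fast format carries no
# year, so ASSUMED_YEAR is supplied when parsing. Addresses are from the
# RFC 5737 documentation ranges; 192.0.2.10 plays the honeypot.
SAMPLE_ALERTS = """\
08/21-18:40:02.101 [**] [1:9000001:1] EXAMPLE known-worm-A [**] [Priority: 2] {TCP} 198.51.100.7:4567 -> 192.0.2.10:445
08/21-18:41:15.220 [**] [1:9000002:1] EXAMPLE known-worm-B [**] [Priority: 2] {TCP} 203.0.113.9:1111 -> 192.0.2.10:135
08/21-18:55:40.003 [**] [1:9000001:1] EXAMPLE known-worm-A [**] [Priority: 2] {TCP} 203.0.113.9:1112 -> 192.0.2.10:445
08/21-19:10:05.500 [**] [1:9000001:1] EXAMPLE known-worm-A [**] [Priority: 2] {TCP} 198.51.100.8:2222 -> 192.0.2.10:445
08/21-19:30:59.000 [**] [1:9000003:1] EXAMPLE known-scanner-C [**] [Priority: 3] {TCP} 203.0.113.9:1113 -> 192.0.2.10:80
08/21-20:05:00.000 [**] [1:9000002:1] EXAMPLE known-worm-B [**] [Priority: 2] {TCP} 198.51.100.7:4568 -> 192.0.2.10:135
"""
ASSUMED_YEAR = 2005  # assumption: fast-format lines omit the year

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return one alert as a dict, or None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(
        f"{ASSUMED_YEAR}/{m['mon']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S"
    )
    return {
        "ts": ts,
        "sig": f"{m['gid']}:{m['sid']}",
        "msg": m["msg"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def parse_alerts(text):
    """Parse every well-formed line; malformed lines are skipped."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def hits_per_hour(alerts, window_hours):
    """Hit count and hourly rate per signature over a window of known length.

    The caller supplies the window (how long the sensor was watching) so
    that a quiet signature is not divided by a span it did not define.
    """
    counts = Counter(a["sig"] for a in alerts)
    return {sig: (n, n / window_hours) for sig, n in counts.items()}


def survival_time(online_at, alerts, honeypot_ip):
    """Time from the honeypot going live to the first alert aimed at it.

    Returns a timedelta, or None if the honeypot was never hit.
    """
    hits = sorted(a["ts"] for a in alerts if a["dst"] == honeypot_ip and a["ts"] >= online_at)
    return (hits[0] - online_at) if hits else None


def sequence_by_source(alerts):
    """Order in which each source tripped distinct signatures (first seen)."""
    seen = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["sig"] not in seen[a["src"]]:
            seen[a["src"]].append(a["sig"])
    return dict(seen)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    online = datetime(ASSUMED_YEAR, 8, 21, 18, 30)  # constructed go-live time
    for sig, (n, rate) in sorted(hits_per_hour(alerts, 2.0).items()):
        print(f"{sig}: {n} hits, {rate:.2f}/hour")
    print("survival time:", survival_time(online, alerts, "192.0.2.10"))
    for src, sigs in sequence_by_source(alerts).items():
        print(f"{src} -> {' then '.join(sigs)}")
```

The per-source sequence is the piece that answers "what known exploits does a source throw before trying something new": an unknown exploit would show up as a gap in the IPS record (the honeypot itself gets hit) right after a run of known signatures from the same source, and that is the record to go back to. The window length passed to `hits_per_hour` is deliberately explicit rather than derived from the first and last alert, so a signature seen once in a two-hour watch is reported at 0.5/hour, not as an infinite rate.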