Re: IDS: Honey pots / decoy servers
Lance Spitzner (lspitz
stan.ksni.net)
Thu, 26 Aug 1999 13:48:47 -0500 (CDT)
On Tue, 24 Aug 1999, Jon Speer wrote:

> Honeypots and decoy servers have been around for years, and at one time or
> another many of us have experimented with the Deception ToolKit or similar
> technologies. I am now seeing plenty of press coverage for products like
> Recourse ManHunt and Network Associates Cybercop Sting, generally associated
> with collecting forensics evidence.

I've never used one of the commercial products; like CyberPsychotic, I like to build my own. I find honeypots extremely useful in that they teach me the tools and tactics of the bad guys. However, I build my honeypots with a unique twist. My honeypots do not have pre-designed vulnerabilities; my honeypots are exact mirrors of my production servers. This way I learn what vulnerabilities my systems have and can be exploited. Like Marty mentioned, I also believe a honeypot should never give itself away. The bad guys should never catch on to you.
If you are interested, I detailed in a whitepaper how I did this. You can find my paper at: http://www.enteract.com/~lspitz/honeypot.html
Hope that helps!
Lance Spitzner http://www.enteract.com/~lspitz/papers.html
This archive was generated by hypermail 2.0b3 on Fri Aug 27 1999 - 00:45:07 CDT