[Snort-users] VERY simple 'virtual' honeypot
ofir at ...949...
Sat Mar 9 11:31:02 EST 2002
You get to pull the attack of the wire only if they complete it...
If they will not get the right response no attack will be performed.
If the aim is to generate responses than you need to have a real
intelligence engine to produce them in a way the engine itself will not
Also, it is more interesting, in my opinion, to simulate real world
production environment style to Honeynets rather than a virtual one with
Ofir Arkin [ofir at ...949...]
The Sys-Security Group
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
From: Ryan Russell [mailto:ryan at ...35...]
Sent: 09 March 2002 18:48
To: Ofir Arkin
Cc: 'Snort-Users (E-mail)'; honeypots at ...35...
Subject: RE: [Snort-users] VERY simple 'virtual' honeypot
On Sat, 9 Mar 2002, Ofir Arkin wrote:
> In my opinion it will be missing the main point of a Honeynet.
One that that has been gleaned from the honeypots lists is that there
many possible reasons for running a honeypot.
> We all know that we can cut the foreplay pretty fast (scanning,
> and hit the site with an exploit even without the scanning attempt
> this in the context :P). But than what? Exploit fails, not much
> information gained, and we miss the funny part.
One of which is to collect new exploits. As you state, you don't get to
watch the attacker operate once they get a shell, but you do get to pull
the exploit off the wire.
More information about the Snort-users