Re: Honeypot detection and countermeasures

From: Dragos Ruiu (dr@kyx.net)
Date: Mon Jun 23 2003 - 22:48:14 EDT


On June 23, 2003 06:58 am, Rob Shein wrote:
> This wouldn't work. Seeing the packets/traffic on the wire doesn't tell
> you the tools that are used, and it also doesn't really give you much else.
> Considering that a honeypot is either not really rootable (DTK) or is very
> low hanging fruit (and very rootable, like a honeynet.org system), they
> either won't see tools downloaded to the system or won't see anything more
> than the bare minimum needed to exploit a system that is too vulnerable to
> begin with.

Putting on my Honeynet Project hat...

I think you presume too much about honeypots.
There are _many_ varieties of honeypots.

Some more rootable than others, some more detectable than others.
And it's also possible to instrument them with many other monitoring
systems besides just sniffing traffic in and out. I'll leave the specifics
as an exercise for the reader.... :-) but they range from running inside
VMware to instrumented OS loads and even special hardware in some
cases.

Lately the Honeynet Alliance folks have been deploying
other systems besides your typical low hanging fruit. Different
honeypots gather different data. It all depends on what you
are trying to catch.

Beware the Jabberwock...

cheers,
--dr

-- 
pgpkey http://dragos.com/ kyxpgp
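As an added illustration of the point argued above (this is example code written for this page, not Honeynet Project or DTK code), the following is a minimal low-interaction honeypot of the "not really rootable" kind: it emulates a telnet-style login and a fake shell, and records exactly the data Rob says such a system would not see, namely the credentials tried, every command typed, and any attempt to fetch tools with wget/ftp/tftp/curl. The banner text, the fake uname output and the listening port are all made up for the example.

```python
"""Low-interaction honeypot: fake login + fake shell that records the attacker's
input instead of executing it.  Added example, not Honeynet Project code."""
import socketserver
import threading
import time
from dataclasses import dataclass, field

# Constructed strings; a real deployment would copy them from the OS being emulated.
FAKE_UNAME = b"Linux honey 2.4.20 #1 i686 GNU/Linux\n"
DOWNLOAD_TOOLS = ("wget", "ftp", "tftp", "curl", "lynx")


@dataclass
class SessionLog:
    peer: str
    started: float = field(default_factory=time.time)
    logins: list = field(default_factory=list)     # (user, password) pairs tried
    commands: list = field(default_factory=list)   # every shell line typed
    downloads: list = field(default_factory=list)  # commands that tried to fetch tools
    raw: bytearray = field(default_factory=bytearray)  # full client->server byte stream


class FakeShell:
    """Byte-fed state machine: login -> password -> shell.  Nothing is executed."""

    def __init__(self, peer):
        self.log = SessionLog(peer)
        self.state = "user"
        self.user = None
        self.buf = bytearray()
        self.closed = False

    def greeting(self):
        return b"login: "

    def feed(self, data):
        """Consume client bytes, return the bytes to send back."""
        self.log.raw += data
        self.buf += data
        out = b""
        while b"\n" in self.buf:
            line, _, rest = bytes(self.buf).partition(b"\n")
            self.buf = bytearray(rest)
            out += self._handle_line(line.rstrip(b"\r").decode("latin-1"))
        return out

    def _handle_line(self, line):
        if self.state == "user":
            self.user = line
            self.state = "password"
            return b"Password: "
        if self.state == "password":
            # Every password is accepted: the goal is to record what gets tried.
            self.log.logins.append((self.user, line))
            self.state = "shell"
            return b"\n$ "
        self.log.commands.append(line)
        return self._fake_exec(line) + (b"" if self.closed else b"$ ")

    def _fake_exec(self, cmd):
        parts = cmd.split()
        if not parts:
            return b""
        tool = parts[0]
        if tool in DOWNLOAD_TOOLS:
            # The interesting event: the attacker tries to pull tools onto the box.
            self.log.downloads.append(cmd)
            return b"bash: %s: command not found\n" % tool.encode()
        if tool == "uname":
            return FAKE_UNAME
        if tool == "id":
            return b"uid=0(root) gid=0(root) groups=0(root)\n"
        if tool in ("exit", "logout"):
            self.closed = True
            return b"logout\n"
        return b"bash: %s: command not found\n" % tool.encode()


class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        shell = FakeShell(self.client_address[0])
        self.request.sendall(shell.greeting())
        while not shell.closed:
            data = self.request.recv(1024)
            if not data:
                break
            out = shell.feed(data)
            if out:
                self.request.sendall(out)
        self.server.sessions.append(shell.log)


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr):
        super().__init__(addr, Handler)
        self.sessions = []  # one SessionLog per completed connection


if __name__ == "__main__":
    srv = Honeypot(("0.0.0.0", 2323))  # port is an arbitrary choice for the example
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    print("fake telnet listening on 2323; connect with: nc 127.0.0.1 2323")
    threading.Event().wait()
```

`FakeShell` is deliberately separate from the socket code so the recording logic can be exercised offline with a byte string; `Honeypot.sessions` is where a deployment would hand the logs to whatever other instrumentation sits beside the sniffer.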


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT