Re: (pacsec bonus) Re: VMWare Detection?
- To: Lance Spitzner <[EMAIL PROTECTED]>
- Subject: Re: (pacsec bonus) Re: VMWare Detection?
- From: [EMAIL PROTECTED]
- Date: Fri, 19 Nov 2004 13:01:01 -0500 (EST)
- Cc: [EMAIL PROTECTED]
- In-reply-to: <[EMAIL PROTECTED]>
- References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Can we possibly abstract for a moment? These arguments seem very similar
to those presented by Fred Cohen when he was working on DTK
(http://www.all.net/dtk/dtk.html). Fred's and other projects actually laid
a lot of the deception groundwork before honey* were reinvented. They
were also realistic about the uses of deception.
When Drew and I were playing around with this stuff in 2002
(http://seclists.org/lists/honeypots/2002/Oct-Dec/0029.html), vmchk (based
off of http://chitchat.tripod.co.jp/vmware/) was simply one part of a
larger framework we referred to as the Funnynet ToolKit (FTK) "Tracking
Honeynets". FTK, in
fact, grew out of discussions in Lance's basement during the Honeynet
meeting that fall. The Honeynet project seemed directed towards
virtualization and usability but no one seemed interested in the
consequences. So we decided to build a framework of tools that would
allow us to detect the "tools and configuration of tools" being used by
the honeynet project. For example, there were other tools in FTK used to
fingerprint rate limiting or the rules being used by snort-inline, etc.
Others had similar ideas and took it further (i.e., Phake Phrack
http://www.phrack.org/fakes/p62/p62-0x07.txt).
Yes, the virtualization and homogeneous packaging make honey* easier to use,
but what are the implications? I know it makes the "research" easier to
"sell to the customer". To us it wasn't simply a matter of detecting
VMware, one piece of evidence, but it seemed like a much bigger issue.
I'm still waiting for the answer to the question posed at cansec
"Why Honeypots Suck?"
AW