
Recipe For Building a Cheap Raspberry Pi Honeypot Network

timothy posted about a month and a half ago | from the you-forgot-the-sledgehammer dept.

Security 68

mask.of.sanity (1228908) writes "Honeypots are the perfect bait for corporate IT shops to detect hackers targeting and already within their networks and now a guide has been published to build a dirt cheap battalion of the devices from Raspberry Pis. "By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor," the author explained."

68 comments

What a great amount of things you can use a rPi to (0)

Anonymous Coward | about a month and a half ago | (#47587669)

and a TiVo? For watching TV. beh, so which should you buy?

I don't get the hype (4, Insightful)

rebelwarlock (1319465) | about a month and a half ago | (#47587733)

It's a computer. You can do a lot of things with a computer. Why do we need an article every time anyone uses it for anything?

Re:I don't get the hype (0)

Anonymous Coward | about a month and a half ago | (#47587763)

Build a honeypot network: Nobody cares. Build a honeypot network with a Raspberry Pi: Read about it everywhere.

This comment posted from my Raspberry Pi (actually not, but I want this modded up).

Re:I don't get the hype (1)

Anonymous Coward | about a month and a half ago | (#47587779)

Pretty much, you can achieve the same effect by running one or more VMs on some spare piece of metal. This has added benefit that you can pick a guest OS matching the target profile for viral infection yet still retain full monitoring ability of everything going in and out through the host OS's NIC. But that would not newsworthy as it does not involve the Raspberry Pi. In the end this is probably just another slashvertisement.

Re: I don't get the hype (2, Insightful)

Anonymous Coward | about a month and a half ago | (#47588703)

That may be true if everything is on a small number of networks, but the Raspberry Pi is nice as I could put them in wiring closets all over. Right now we have NetFlow data for any traffic between buildings, but we don't see all traffic within a building. This could let us have a honeypot in each building to get a heads up about issues.

Right now bringing each network into our data center is impractical. As it is our virtual environment is at the maximum number of vlans it can handle so the best use of resources is to upgrade it. While we are doing that security could use these as sensors on some of the more sensitive networks or where we suspect there are issues from other (possibly nonactionable) data.

Re:I don't get the hype (0)

Anonymous Coward | about a month and a half ago | (#47587769)

Lets hope it stays that way: here [singularityweblog.com]

Re:I don't get the hype (0)

Anonymous Coward | about a month and a half ago | (#47587787)

I'd be more impressed if it was an Arduino.

Re:I don't get the hype (0)

Anonymous Coward | about a month and a half ago | (#47587797)

Because some people have a very blinkered approach. Yes, the Pi is a general purpose computing device, but the TCO is low compared to repurposing and supporting older big box computers in the honeypot role, and if the file system is compromised, it's easy to power it down and stick in a fresh SD card. Up and running again in seconds, leaving the old SD card to be examined at leisure.

The funny thing is that this got posted, when a newly announced hardware interface for the Pi B+ looks rather more interesting....

Re: I don't get the hype (0, Troll)

Anonymous Coward | about a month and a half ago | (#47587841)

to keep grumpy cunts like you grumpy. Try to be less grumpy about shit, man!

Re:I don't get the hype (0)

Anonymous Coward | about a month and a half ago | (#47587921)

Because it is another use for a small computer that still has a lot of hype for it, your regular dose of raspberry pi, and it is also about making a honeypot to trap attackers IN a network.

All 3 are required reading! OBEY!

Re: I don't get the hype (0)

Anonymous Coward | about a month and a half ago | (#47588107)

Because puns! Can't you imagine being a bored old fruit at slashdot, just hungering for chances to serve up delicious headlines to show the diners that your English degree was dough well spent?

Re:I don't get the hype (1)

owlstead (636356) | about a month and a half ago | (#47588145)

In this case I agree. It's: 1) install raspbian 2) install [dionaea](http://dionaea.carnivore.it/), the honeypot software. And...that's about it. Some general download and configuration options are present. It's easy to follow and read and therefore probably a good blog entry, but not exactly news.

Re:I don't get the hype (1)

BitZtream (692029) | about a month and a half ago | (#47588223)

It's worse than that. The Raspberry Pi has bad Ethernet and is woefully underpowered.

Sure you can make it a honeypot, but it'll drop half the packets heading for it, and with even a slight flood it's going to be overloaded.

Re:I don't get the hype (2)

postbigbang (761081) | about a month and a half ago | (#47591723)

Honeypot. Flood.

You don't get it.

You can put these on isolated segments, VLANs, whatever but importantly: wherever in the system you want to attract the bees.

So long as it can send even one "ouch" packet, it's done its job, saved your ass, and saved you hours looking through even great syslog managers to find symptoms of internal infections.

Do they cost? Not much. Aren't VMs cooler to use? No, because you want them randomly everywhere, not just in your VM farms. Yes, VM honeypots are a great idea. No, you can't simply put them in a dev pool or out in the cubes. But you *can* put a Pi anywhere your network has a connection, and your switch ports allow admittance. Hint.

Re:I don't get the hype (1)

msauve (701917) | about a month and a half ago | (#47588219)

It's timothy. He needs all the help he can get, and obviously found it useful.

VMs are the way here (4, Insightful)

Anonymous Coward | about a month and a half ago | (#47587749)

Why not buy a cheap couple of hundred dollar PC and run as many VMs as could possibly fit. Install a really old Linux distribution (or early Windows) and the resource use is small. Many honey pots with less maintenance....

Re:VMs are the way here (0)

Anonymous Coward | about a month and a half ago | (#47587833)

Why not buy a cheap couple of hundred dollar PC and run as many VMs as could possibly fit. Install a really old Linux distribution (or early Windows) and the resource use is small. Many honey pots with less maintenance....

Because, Pi!

VMs are the way here (0)

Anonymous Coward | about a month and a half ago | (#47587905)

These articles generally increase interest because a lot of people buy the latest tech based on curiosity and skill improvement rather than need. As such, they have a collection of items that have outlived their usefulness to some degree (because they are potentially useful, but not bought with a purpose), so providing a purpose can reignite interest in an item.

The downside is that now we will have lots of PI powered honeypots which aren't going to be useful (except in creating more electricity usage), because if you needed a honeypot, you wouldn't have waited to build one on some sort of exotic platform, and monitoring a honeypot is a very expensive (in time) operation.

I (sarcasm) can't wait to see how security improves with tons of purposefully exploitable computers out there which aren't being monitored.

Hypervisor defect (1)

phorm (591458) | about a month and a half ago | (#47607963)

If there's a defect in the VM software or hypervisor, it might be exploitable to break out of the VM and attack the root OS.

Raspberry Pi, Raspberry (0)

Anonymous Coward | about a month and a half ago | (#47587771)

Pi! Raspberry raspberry rasp-berry. Pi raspberry, Raspberry Pi. Rasberry Pi raspberry pi [1].

[1] Raspberry

Re:Raspberry Pi, Raspberry (1)

flyingfsck (986395) | about a month and a half ago | (#47589455)

You got to eat it with gloves, or your hands will turn green.

Recipe for cluster of RaspberryPi vibrators (0)

Anonymous Coward | about a month and a half ago | (#47587777)

Imagine hundreds of those and satisfying all the users at the same time.

Entrapment is so much fun is it? (1)

dbIII (701233) | about a month and a half ago | (#47587829)

Instead of putting out bait to encourage people to have a go at fragile systems what about hardening the stuff you've got or put it in segments behind stuff you can harden? Putting out fragile honeypots can lead to wasting time on the merely curious who are no real threat to systems that are not fragile.

Re:Entrapment is so much fun is it? (0)

Anonymous Coward | about a month and a half ago | (#47587871)

So if I enter your house uninvited through an unlocked door and rifle through your stuff can I simply say that I'm "simply curious" and of no threat? You are just pissed because you are a script kiddie and honeypots could send you to pound me in the ass federal prison.

Re:Entrapment is so much fun is it? (1)

dbIII (701233) | about a month and a half ago | (#47587881)

Very bad analogy. Putting money on the ground in an area with a lot of people and punching anyone that tries to pick it up is a better one.

just pissed because you are a script kiddie

Oh do at least try to grow up.

Re:Entrapment is so much fun is it? (1)

tomhath (637240) | about a month and a half ago | (#47588443)

GP gave a very good analogy. They're not leaving something valuable out in public where an honest person might happen by and pick it up. It takes a deliberate intrusion to get on a network and copy files or install malware. It's no different from entering a house through an unlocked window or noticing a car door is unlocked and helping yourself to a few DVDs.

Rubbish analogy that deserved to be mocked (1)

dbIII (701233) | about a month and a half ago | (#47588537)

It was a rubbish analogy that deserved to be mocked with an added insulting accusation of being a criminal.
They ARE leaving something out in "public" when the public are the employees of the company - leaving the money out in the hallway and punching whoever picks it up.

It's no different from entering a house through an unlocked window

Clearly not because the people you are trying to catch are already "in the house" but you just happen to have put something shiny in their sight in the house with a sign "don't touch" on it. Ready made crime. Just add criminal. Whether the potential criminal would exploit other, more difficult, opportunities and become an actual criminal is unknown, so it's largely pointless and better to go after something real instead of wasting time unless your goal is to impress others by setting people up for crimes and getting an impressive "arrest record".

Re-dick-you-lous (1)

Anonymous Coward | about a month and a half ago | (#47589247)

That's an awful lack of reason, friend. It is a well known and established security fact that the vast majority of threats to a network come from within - as in NOT external. As such, and coming from a business owner myself, your assertion that an employee is or should somehow be exempt from not only suspicion, but shouldn't know better than to be intruding where they don't belong - say, an investment, payroll or other sensitive out-of-bounds area - is just flat ignorant. I want to know if an employee is going where they don't belong & am well within ethical bounds to protect my assets from nefarious persons - employed or not.

In other words: you are grotesquely wrong in your perspective of right & wrong & employee rights. Additionally, your necessity to defend with such vigor, such a blatantly ignorant argument just kills any concept of consideration of logic coming from your corner. Time to take a critical-thinking (& possibly ethics) course(s) - for the laymen: you need more school.

Re:Re-dick-you-lous (1)

dbIII (701233) | about a month and a half ago | (#47591481)

It is well known and established security fact that the vast majority of threats to a network come from within

And this is a very stupid way to attempt to deal with the situation. Fabricating ready-made crimes to catch the weak willed deals with low hanging fruit, gives you a false sense of security and can lead to punishment of people who you normally wouldn't have to worry about.

Re: Entrapment is so much fun is it? (0)

Anonymous Coward | about a month and a half ago | (#47593345)

You're wrong.

The analogy was perfect.

Re:Entrapment is so much fun is it? (2)

Razed By TV (730353) | about a month and a half ago | (#47588001)

Who said anything about putting it out as bait?
The article specifically talks about using it on an internal network.

Need to think about why it is being done (1)

dbIII (701233) | about a month and a half ago | (#47588077)

Yes - bait on an internal network to catch people who see the "shiny" and act.
The question to ask yourself (or your boss) before deploying such things is what your job actually is. Is it to catch a number of people and meet some sort of "arrest quota" or is it to actually protect things? If it's the former then putting up fragile things to attract the attention of the weak willed may be a go, but if it's the latter you may well just be wasting time while the serious threats are getting into your serious systems. They could be getting in while you are distracted playing this game.

IMHO you are better off having better monitoring on the serious systems on a properly segmented network and watching that instead of scattering toys about and looking to see who they distract.

Honeypots are a cool research tool for seeing what people out on the net are trying to do, but as a security measure on internal networks? Sounds more like buzzword overload than anything useful in that situation unless you want some heads on pikes of the entrapped to scare people.

If I'd pulled this shit and enforced some sort of penalty I'd probably be down three or four decent developers because they decided to take a bit of a look around the local network when they first started. Those are just the ones that did really obvious portscans from their own desktop computers so there may have been more.

Re:Need to think about why it is being done (4, Interesting)

oggiejnr (999258) | about a month and a half ago | (#47588161)

The aim of honeypots in this scenario isn't to bait out people but software. The first thing that a targeted piece of malware is likely to do is find other systems to infect and map out the internal network. If a computer in the accounts department is suddenly firing off CIFS requests at your honeypot it is an anomaly that should be investigated. It's much easier to find dodgy traffic if there isn't supposed to be any rather than looking for it in the corporate network as a whole.

If it turns out it was a bored intern browsing the local network then the situation can be explained. If it was an opened dodgy e-mail or other attack vector then the machine can be wiped and connection logs gathered so that a clean-up operation can be attempted.

Re:Need to think about why it is being done (1)

dbIII (701233) | about a month and a half ago | (#47588507)

So why a honeypot and not traffic monitoring?

real storage, active directory servers get legit t (2)

raymorris (2726007) | about a month and a half ago | (#47588763)

Let's consider the last piece of malware I dealt with. It searched the network for shared storage and did nasty things on the storage. The REAL storage server is used by thousands of people, so it gets many, many requests per minute. Sorting out legitimate use of the storage vs something suspicious would be nearly impossible. The honeypot storage, on the other hand, gets NO legitimate traffic. Any traffic to the honeypot is worth investigation. That makes it a much more reliable way to find malware or other traffic sources that merit investigation.

Same with the active directory, the mail server, the database ...
Do you have any idea how much traffic a corporate mail server can get? Looking for suspicious connections is worse than a needle in a haystack. An otherwise unused machine with the mail ports open quickly flags strange behaviour for investigation.

ps My office has been investigated != fired (1)

raymorris (2726007) | about a month and a half ago | (#47588801)

I should emphasize strange traffic being investigated doesn't mean anyone gets in trouble. The head of security cut off my network port once when he detected something weird. I explained what I was doing. He pointed out a security concern, and we agreed to a compromise configuration we could both live with.
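The triage raymorris describes above (the sensor gets no legitimate traffic, so every touch is worth a look, but "investigated" does not mean "in trouble") and oggiejnr's accounts-department host suddenly firing CIFS requests at a sensor, as an added Python example. This is not code from the article, from dionaea or from any commenter. The JSON log format, the sensor names, the known-scanner allowlist and the sample event lines are all assumptions constructed for this example.

```python
"""Triage of internal honeypot sensor events.

Added example, not code from the article, the dionaea project or any
commenter. The log format, the sensor names and the allowlist are
assumptions; the event lines below are constructed, not captured.
"""
import json
from collections import defaultdict

# Constructed sample: one JSON line per connection a sensor accepted.
# Assumed format: "sensor" is the honeypot host, "src" the peer that
# connected, "dport" the service port that was touched.
SAMPLE_EVENTS = """
{"ts": "2014-07-31T09:02:11Z", "sensor": "pi-accounts", "src": "10.20.5.17", "dport": 445}
{"ts": "2014-07-31T09:02:11Z", "sensor": "pi-accounts", "src": "10.20.5.17", "dport": 139}
{"ts": "2014-07-31T09:02:12Z", "sensor": "pi-accounts", "src": "10.20.5.17", "dport": 135}
{"ts": "2014-07-31T09:02:14Z", "sensor": "pi-eng", "src": "10.20.5.17", "dport": 445}
{"ts": "2014-07-31T09:05:40Z", "sensor": "pi-eng", "src": "10.0.0.9", "dport": 22}
{"ts": "2014-07-31T09:05:41Z", "sensor": "pi-eng", "src": "10.0.0.9", "dport": 443}
{"ts": "2014-07-31T09:30:02Z", "sensor": "pi-dc", "src": "10.20.8.44", "dport": 25}
""".strip()

# Hosts that are expected to touch sensors (vulnerability scanner, monitoring
# box). Assumed for this example. Keep the list short and review it: a
# compromised scanner host is invisible to the sensors.
KNOWN_SCANNERS = {"10.0.0.9"}

# Ports share-hunting malware and lateral movement typically sweep first;
# a touch here from an ordinary workstation goes to the top of the queue.
LATERAL_MOVEMENT_PORTS = {135, 139, 445, 3389, 22}


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # logs get truncated when a Pi loses power; do not choke
        if isinstance(ev, dict) and {"ts", "sensor", "src", "dport"} <= ev.keys():
            events.append(ev)
    return events


def triage(events, known_scanners=KNOWN_SCANNERS):
    """Group sensor touches by source host and assign an investigation priority.

    Returns {src: {"priority", "sensors", "ports", "count"}}. The sensor has no
    legitimate clients, so every source is reported; priority only orders the
    queue, it never drops a source.
    """
    by_src = defaultdict(lambda: {"sensors": set(), "ports": set(), "count": 0})
    for ev in events:
        rec = by_src[ev["src"]]
        rec["sensors"].add(ev["sensor"])
        rec["ports"].add(int(ev["dport"]))
        rec["count"] += 1

    report = {}
    for src, rec in by_src.items():
        if src in known_scanners:
            priority = "low"     # expected, still logged so the allowlist is auditable
        elif len(rec["sensors"]) > 1 or rec["ports"] & LATERAL_MOVEMENT_PORTS:
            priority = "high"    # sweeping several sensors, or share/admin ports
        else:
            priority = "medium"  # one odd touch: probably a curious human
        report[src] = {
            "priority": priority,
            "sensors": sorted(rec["sensors"]),
            "ports": sorted(rec["ports"]),
            "count": rec["count"],
        }
    return report


def alerts(report):
    """One human-readable line per source, highest priority first."""
    order = {"high": 0, "medium": 1, "low": 2}
    ranked = sorted(report.items(), key=lambda kv: (order[kv[1]["priority"]], kv[0]))
    return [
        "%s %s touched %s on ports %s (%d connections)" % (
            rec["priority"].upper(), src, ",".join(rec["sensors"]),
            ",".join(map(str, rec["ports"])), rec["count"])
        for src, rec in ranked
    ]


if __name__ == "__main__":
    for line in alerts(triage(parse_events(SAMPLE_EVENTS))):
        print(line)
```

Run against the constructed sample, the workstation that hit two sensors on 135/139/445 comes out HIGH, the single SMTP touch MEDIUM and the allowlisted scanner LOW. The allowlist is deliberately the only way a source is downgraded; nothing is filtered out, because the whole value of the sensor is that its baseline is zero.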

Re:real storage, active directory servers get legi (2)

dbIII (701233) | about a month and a half ago | (#47588865)

Do you have any idea how much traffic a corporate mail server can get?

If your network is too large to comprehend then apply an engineering solution instead of a basket weaving solution and handle things in manageable chunks. Since IT folk like to pretend they are engineers (which was to my benefit when I changed careers from engineering a couple of decades back) why not act like them? Suspicious stuff coming in or out of segments is one way of tracking; does that really compare with hoping something randomly hits your honeypot? Oh that's right - if you are not tracking what is coming in and out of manageable segments then hope is all you've got. Carry on then. Let's hope they don't use your fragile honeypot as a springboard to something else before you find out they are there.

The REAL storage server is used by thousands of people, so it gets many, many requests per minute. Sorting out legitimate use of the storage vs something suspicious would be nearly impossible.

Take a look at how people handle security on very large compute clusters. It is not "nearly impossible". If you are not on the list you don't get in. If you try to get in you get logged. If it's too large to monitor you cut it into chunks that are not too large to monitor.

Oh yes, Windows Malware swamp - I get it now (1)

dbIII (701233) | about a month and a half ago | (#47588953)

active directory

I see now - fully trusted hosts, potential malware ridden with no way to keep it off other than hoping the antivirus updates arrive before the malware, and a closed system where you have to guess at the legitimate traffic to boot. I can see now why you grasp at straws such as honeypots and hope the malware is so badly written that they randomly get attacked before your real systems instead of the malware taking a look at what the machine it is on has connected to in the past.
After they do get attacked what do you do to stop an attacker using the honeypot as a potential vector to do other stuff? Even if they can't get out they can work out you are watching them and feed you disinformation.

Any traffic to the honeypot is worth investigation.

True but decent monitoring should turn up attempted traffic to addresses that do not exist in the same situation. Decent monitoring is hard to bolt on after the fact but a rock solid playpen for crackers, with decent monitoring of that, is probably not going to be easy to do either. It's one thing having a research honeypot outside of your external firewall, but with one inside your LAN with the welcome mat out what do you do when a cracker gets more control than you expect?

yep, welcome $large_organization networking (1)

raymorris (2726007) | about a month and a half ago | (#47589483)

> > active directory

> I see now - fully trusted hosts, potential malware ridden with no way to keep it off other than hoping the antivirus
> updates arrive before the malware, and a closed system where you have to guess at the legitimate traffic to boot.

Yep, welcome to office networking. In a government office, throw in a few DOS terminals and other systems that haven't seen a security update since 1982.

Re:yep, welcome $large_organization networking (1)

dbIII (701233) | about a month and a half ago | (#47591495)

You've got me. While a honeypot doesn't seem that useful versus an active cracker my arguments fall down against dumb malware and script kiddies.

Re: Need to think about why it is being done (0)

Anonymous Coward | about a month and a half ago | (#47588227)

You're looking at it wrong. This isn't a bait and trap. Essentially you're setting up a trip wire. If something gets past your defenses, you want a place to monitor the activity away from all the noise. Things shouldn't hit your honeypot, and when something does you now can examine that activity. If a piece of malware gets into your network and starts mapping everything, it's hard to tell because of all the regular usage.
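The trip wire described in the comment above, as an added Python example that is not the article's, dionaea's or the commenter's code: a minimal TCP sensor that listens on ports no internal host should ever talk to, records who connected and the first bytes they sent, and never answers. The port list, the JSON field names and the loopback self-test payload are assumptions made for this example.

```python
"""Minimal TCP trip-wire sensor.

Added example, not code from the article, dionaea or any commenter. It accepts
a connection on a port that should never see traffic, reads at most a few
bytes, writes one JSON line and closes. Nothing is ever sent back, so there is
no service to exploit. Port list and field names are assumptions.
"""
import json
import socket
import threading
import time

TRIPWIRE_PORTS = (139, 445, 3389)  # assumed: what a share-hunting worm tries first
MAX_PEEK = 64                      # record only a banner-sized prefix
READ_TIMEOUT = 2.0                 # a scanner that connects and idles is still logged


def sensor_event(sensor, listen_port, peer, first_bytes, ts=None):
    """Build the log record for one accepted connection.

    The peeked bytes are hex-encoded so a log viewer is never asked to render
    attacker-controlled data: the sensor records, it does not interpret.
    """
    return {
        "ts": ts if ts is not None else time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "sensor": sensor,
        "dport": listen_port,
        "src": peer[0],
        "sport": peer[1],
        "peek_hex": first_bytes[:MAX_PEEK].hex(),
    }


def handle(conn, peer, sensor, listen_port, sink):
    """Serve one connection: peek, log, close. Never reply."""
    conn.settimeout(READ_TIMEOUT)
    try:
        try:
            data = conn.recv(MAX_PEEK)
        except (socket.timeout, OSError):
            data = b""
        sink(json.dumps(sensor_event(sensor, listen_port, peer, data)))
    finally:
        conn.close()


def listen_on(port, sensor, sink, bind_addr="0.0.0.0", ready=None):
    """Accept connections forever on one port, one thread per connection.

    `ready`, if given, is called with the bound port (useful with port 0).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    bound_port = srv.getsockname()[1]
    if ready is not None:
        ready(bound_port)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle, args=(conn, peer, sensor, bound_port, sink),
                         daemon=True).start()


def serve(ports=TRIPWIRE_PORTS, sensor=None, sink=print):
    """Run one listener per port; the sink receives JSON lines (default: stdout)."""
    sensor = sensor or socket.gethostname()
    threads = [threading.Thread(target=listen_on, args=(p, sensor, sink), daemon=True)
               for p in ports]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def self_test(payload=b"SMB probe", sensor="pi-test"):
    """Loopback smoke test: listen on an ephemeral port, poke it, return the event."""
    events, bound, ready = [], [], threading.Event()

    def on_ready(p):
        bound.append(p)
        ready.set()

    threading.Thread(target=listen_on,
                     args=(0, sensor, lambda line: events.append(json.loads(line))),
                     kwargs={"bind_addr": "127.0.0.1", "ready": on_ready},
                     daemon=True).start()
    ready.wait(5)
    with socket.create_connection(("127.0.0.1", bound[0]), timeout=5) as c:
        c.sendall(payload)
    deadline = time.time() + 5
    while not events and time.time() < deadline:
        time.sleep(0.05)
    return events[0] if events else None


if __name__ == "__main__":
    serve()  # ports below 1024 need root or CAP_NET_BIND_SERVICE
```

For a real sensor, run it as an unprivileged user and either grant it CAP_NET_BIND_SERVICE or redirect the low ports to a high one with a firewall rule, and ship the JSON lines off the Pi immediately rather than keeping them on the SD card: as the rest of this thread points out, the sensor itself may be the first box an attacker owns.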

Re: Need to think about why it is being done (1)

dbIII (701233) | about a month and a half ago | (#47588551)

Once again - network monitoring. If something starts sniffing around your machines that only get specific traffic from specific hosts on specific ports that rings alarm bells better than letting some fragile thing get owned and be used for who knows what before you can respond.

Re: Need to think about why it is being done (0)

Anonymous Coward | about a month and a half ago | (#47593373)

You have no right to probe my network to see if you can get in. None. So save your bs justifications.

Re: Need to think about why it is being done (0)

Anonymous Coward | about a month and a half ago | (#47589273)

Lol - Dbill.

Re: Entrapment is so much fun is it? (0)

Anonymous Coward | about a month and a half ago | (#47588771)

Think of a mall: if you are the owner you can't make each store increase their security. You are probably working on convincing them to and potentially making progress, but in the meantime having a honeypot gives you a heads up about who to watch more closely or what types of attacks people are attempting. It's all about gathering intelligence, and a honeypot on your network can give you a local perspective.

Also some things we can't harden. They are million dollar instruments not designed to be hardened. We can't tell the business to go out of business as it's too risky. We have to present the risk and potential plans of reducing that risk and let the business decide. If they want to continue, an option could be setting up a local perimeter and having honeypots that report to security to reduce the chances of compromise and to better detect compromise.

Re: Entrapment is so much fun is it? (1)

sexconker (1179573) | about a month and a half ago | (#47589443)

Think of a mall: if you are the owner you can't make each store increase their security. You are probably working on convincing them to and potentially making progress, but in the meantime having a honeypot gives you a heads up about who to watch more closely or what types of attacks people are attempting. It's all about gathering intelligence, and a honeypot on your network can give you a local perspective.

Also some things we can't harden. They are million dollar instruments not designed to be hardened. We can't tell the business to go out of business as it's too risky. We have to present the risk and potential plans of reducing that risk and let the business decide. If they want to continue, an option could be setting up a local perimeter and having honeypots that report to security to reduce the chances of compromise and to better detect compromise.

No.
It's like running a lumber yard and instead of putting fire alarms, smoke detectors, etc. in all of your buildings and monitoring them, you have a big unprotected building full of sawdust and small bits of wood next to your other buildings. Then you put a fire alarm on it so you know when there's a fire. It's fucking retarded.

Nailed it (1)

dbIII (701233) | about a month and a half ago | (#47591527)

That's an analogy that works far better.

In other News (news that counts) (1)

Dan Askme (2895283) | about a month and a half ago | (#47587839)

Do the other "thing" Raspberry Pis are semi "good" for (minus a slow XBMC system).
Turn your raspberry Pi into a dedicated BitTorrent power house!

Premade optimized image here:
http://fuzon.co.uk/phpbb/viewt... [fuzon.co.uk]

Honeypots, what a waste or an ARM.... ;)

Re:In other News (news that counts) (0)

Anonymous Coward | about a month and a half ago | (#47588087)

I've always been somewhat wary about these one-man custom distros or images. Do they contain malware? Probably not. But do they contain schoolboy mistakes which cause breakage or security problems? I think it's possible.

Re:In other News (news that counts) (1)

Dan Askme (2895283) | about a month and a half ago | (#47590935)

I've always been somewhat wary about these one-man custom distros or images. Do they contain malware? Probably not. But do they contain schoolboy mistakes which cause breakage or security problems? I think it's possible.

Breakage:
No. Everything works.
I've been running this setup for over 2 years. I finally decided to share my installation with a guide. Not everyone is out to get you and your "security".

Schoolboy mistakes:
Everyone makes mistakes. Even you.
By all means, find an issue and I'll gladly fix it in my free time.

Security Problems:
If you have "security concerns", you shouldn't be using any distro, unless you make it to your own "security" requirements.
These debian images are aimed at home users, who just want a fast Pi doing their daily stuff.

You're welcome.

We need a Pi category so I can ignore it (0)

Gothmolly (148874) | about a month and a half ago | (#47588217)

That, and Elon Musk are the two most masturbatory topics on Slashdot these days.

Re:We need a Pi category so I can ignore it (2)

rebelwarlock (1319465) | about a month and a half ago | (#47588347)

Elon Musk is going to set up a 3D printed Raspberry Pi array to farm bitcoins, thus causing buzzwords to reach critical mass.

Re:We need a Pi category so I can ignore it (3, Funny)

tomhath (637240) | about a month and a half ago | (#47588453)

Wow. Imagine a Beowulf cluster of those.

Re:We need a Pi category so I can ignore it (1)

Kjella (173770) | about a month and a half ago | (#47588813)

What are you trying to do, create a buzzword black hole that'll consume civilization as we know it and leave nothing but a post-apocalyptic landscape of marketdroids and PHBs?

Re:We need a Pi category so I can ignore it (4, Insightful)

Ol Olsoc (1175323) | about a month and a half ago | (#47588401)

That, and Elon Musk are the two most masturbatory topics on Slashdot these days.

From what I've seen though, there are a lot of slashdotters who have a deep-seated need to bitch about something.

Must be 75 percent of the posts are crying about "'Nuthre rsby pie rtickle!"

There are options for us:

1. Don't read the article. This works surprisingly well for people not in the Fox News self-validation mode. The title usually lets us know what the subject is.

2. Submit your own stories. You people who know what people really want to read should be able to submit articles that people really want to read.

Re:We need a Pi category so I can ignore it (1)

sexconker (1179573) | about a month and a half ago | (#47589633)

That, and Elon Musk are the two most masturbatory topics on Slashdot these days.

From what I've seen though, there are a lot of slashdotters who have a deep-seated need to bitch about something.

Must be 75 percent of the posts are crying about "'Nuthre rsby pie rtickle!"

There are options for us:

1. Don't read the article. This works surprisingly well for people not in the Fox News self-validation mode. The title usually lets us know what the subject is.

2. Submit your own stories. You people who know what people really want to read should be able to submit articles that people really want to read.

The problem is that we do submit our own stories and they're ignored in favor of stupid shit like this.
Slashdot's firehose and comment moderation are placebos. Dice is in full control. It was their top priority.

Re: We need a Pi category so I can ignore it (0)

Anonymous Coward | about a month and a half ago | (#47593397)

It's so funny to see Fox News bothers people so much they bring it up in contexts like this. MSNBC is a far better example. Keep drinking your kool-aid. Lol.

Re: We need a Pi category so I can ignore it (1)

Ol Olsoc (1175323) | about a month and a half ago | (#47596171)

It's so funny to see Fox News bothers people so much they bring it up in contexts like this. MSNBC is a far better example. Keep drinking your kool-aid. Lol.

Otherwise how are we gonna know that Germany is sunnier than the US, and that Jesus was a white Anglo-Saxon male? The lamestream liberal media doesn't tell us about that stuff yaknow.

And the context is that some people become enraged when they see another RBP article. They don't want to see what they don't want to see. Maybe they need to start their own news for nerds site, one that is fair and balanced.

Re:We need a Pi category so I can ignore it (0)

Anonymous Coward | about a month and a half ago | (#47588593)

Ahh yes, we need wholesale changes to Slashdot, just to placate you.

Yes, you are quite simply so important, that time, money and resources must be spent to make your Slashdot life that much easier to bear. /s

Fucking retard.

Or (1)

Fnord666 (889225) | about a month and a half ago | (#47589161)

Or I could do the same thing with VMs and not tie up a bunch of physical resources in the process.

OpenWRT (0)

Anonymous Coward | about a month and a half ago | (#47590473)

The idea suggested in TFA is good, but why not do the same thing with the (SOHO) routers themselves? OpenWRT *is linux*, and flexible enough to be helpful for things like this.. hell, you could use both RPis and routers..

I don't understand all I know about this ... (1)

CaptainDork (3678879) | about a month and a half ago | (#47590731)

... which is great because I get to learn something with y'all helping.

This honeypot inside a network intrigues me. If I created a share on a server (or desktop) that was useless, would that serve as a honeypot looking to serve as a trip wire for malware that goes after shares?

In a Windows environment, all I know to do is look at Event logs. I don't know how to get Security events to bark.

I read the article(s) but it was a "whoosh," event.

Thanks.

Re:I don't understand all I know about this ... (1)

dbIII (701233) | about a month and a half ago | (#47592843)

No you understand fine - it is a "whoosh" event.
Sexconker above put it far better than I could:

It's like running a lumber yard and instead of putting fire alarms, smoke detectors, etc. in all of your buildings and monitoring them, you have a big unprotected building full of sawdust and small bits of wood next to your other buildings. Then you put a fire alarm on it so you know when there's a fire. It's fucking retarded.

Re: I don't understand all I know about this ... (0)

Anonymous Coward | about a month and a half ago | (#47593423)

That's a stupid example. Honeypots let you observe how people are trying to break in so you can prevent attacks on your real network by putting new things into place when you see what they're trying. Things you haven't thought of yet. Staying one step ahead, instead of what we have now, which is the reverse.

Is that so hard to understand?

A honeypot will make an attacker waste their time. Lol.

Well, good. I'm glad it's a waste of an attackers time. They shouldn't be trying to break into my systems in the first place.

Re: I don't understand all I know about this ... (1)

dbIII (701233) | about a month and a half ago | (#47593569)

I understand all right. The analogy is to help others like yourself understand why decent monitoring is better than ad-hoc monitoring.

Re: I don't understand all I know about this ... (1)

DECula (6113) | about a month and a half ago | (#47594829)

Throw up a new box on the internet. How long is it safe these days?
"They shouldn't try to break into" != (They won't || They can't)
Counter-intelligence deserves a place in a security kit these days. Not only can it waste their time, you should get logging of who is knocking on the door.

Of course, denial has always been a great security tool.
