Integrating Google Hack and GenIII Honeypots

Thursday, January 19, 2006
Together with Ryan McGeehan from the Google Hack Honeypot (GHH) team, I have written a short summary of how current GenIII honeynets and GHHs could be integrated. Essentially, we are adding advertising to honeypot technology. That is all this really comes down to. The tricky part is how it is advertised to reduce false positives, which we will design after we know what resources we will be using. But due to this advertising, we will be able to attract a new class of attackers and learn about new tools.

Furthermore, this is a way to learn more about targeted attacks. So instead of blind scanning, this is more like a hitlist that is generated with the help of different search engines. This is a new aspect in the area of "classical" GenIII honeypots since they have no real way to attract attackers and to learn more about targeted attacks.

The basic ideas are:

  • Redirecting traffic from GHHs to GenIII honeypots
  • Analyzing GHH logfiles with the help of GenIII honeypots
  • Generating GHHs with the help of information collected with GenIII honeypots
  • Cooperation with Google or other search engines to improve data capture capabilities

There is also an elaborated version available.
