HoneyPots
Kim Hawtin
kim.hawtin at adelaide.edu.au
Thu Jul 5 10:36:36 CST 2007
Haarsma, Michael (SAPOL) wrote:
> Hi John,
>
> Thanks for your reply.
> They are internal addresses spanning VRFs and VLANs. arpd with some
> switch configuration will allow me to occupy additional addresses so no
> need to worry about ISPs :)
>
> Pretty much everything I want is available in _most_ honeypot software.
> Just curious about people's experiences/recommendations... Web sites
> don't really supply this sort of knowledge and I don't have time to test
> all of the main packages myself.

have a google for 'darknets'
there has been a lot of research over the last five years into
how intrusion attempts work.
basically you set aside a small part of your network space,
leave it empty and then analyse all the traffic going into
that space, as anything going there is dodgy by definition.
there is a classic paper written in the early 90s over at;
http://www.deter.com/unix/
There Be Dragons, Bellovin, Steven M.; 1992
it's still a good read, and is still relevant.
cheers,
kim
--
Operating Systems, Services and Operations
Information Technology Services, The University of Adelaide
kim.hawtin at adelaide.edu.au
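
The darknet idea described in the reply above, as an added example that is not part of the original post: every flow whose destination falls inside the unused range is reported per source, and sources touching several dark addresses are labelled as sweeps. The prefix, the flow-record format, the sample records and the threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the unused range set aside as the darknet (a documentation prefix).
DARKNET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample flow records: "timestamp src dst proto dport".
SAMPLE_FLOWS = """\
2007-07-05T10:00:01 10.1.4.23 192.0.2.14 tcp 445
2007-07-05T10:00:01 10.1.4.23 192.0.2.15 tcp 445
2007-07-05T10:00:02 10.1.4.23 192.0.2.16 tcp 445
2007-07-05T10:00:05 10.1.7.80 10.1.1.10 tcp 80
2007-07-05T10:00:09 10.1.9.5 192.0.2.200 udp 1434
not a flow record
2007-07-05T10:00:11 10.1.4.23 10.1.1.10 tcp 443
"""

def darknet_hits(lines, darknet=DARKNET):
    """Collect per-source packet count, dark targets and ports for flows into the darknet."""
    hits = defaultdict(lambda: {"packets": 0, "targets": set(), "ports": set()})
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed record: skip rather than guess
        _, src, dst, proto, dport = fields
        try:
            ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if dst_ip in darknet:  # nothing legitimate lives here, so every hit counts
            entry = hits[src]
            entry["packets"] += 1
            entry["targets"].add(dst)
            entry["ports"].add(f"{proto}/{port}")
    return dict(hits)

def triage(hits, sweep_threshold=3):
    """Rank sources; many distinct dark targets suggests a sweep, one or two a stray packet."""
    rows = []
    for src, h in hits.items():
        label = "sweep" if len(h["targets"]) >= sweep_threshold else "stray"
        rows.append((src, h["packets"], len(h["targets"]), sorted(h["ports"]), label))
    return sorted(rows, key=lambda r: (-r[2], r[0]))

if __name__ == "__main__":
    for row in triage(darknet_hits(SAMPLE_FLOWS.splitlines())):
        print(row)
```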