Issue No. 04 - July-August (2004 vol. 2)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2004.47
Frederic Raynal , MISC Magazine
Yann Berthier , Hervé Schauer Consultant
Philippe Biondi , Arche/Omnetica Group
Danielle Kaminsky , TEGAM International
A major goal of honeypot research is to improve our knowledge of blackhats from two perspectives: technical and ethnological. For the former, we want new ways to discover rootkits, trojans, and potential zero-day exploits (although capturing zero-day exploits in a honeypot is an unusual event). For the latter, we want a better understanding of the areas of interest and hidden links between blackhat teams. One way to achieve these goals is to increase the verbosity of our honeypot logs and traces; the most common tools for doing this are Sebek (http://project.honeynet.org/tools/sebek/) for system events and Snort (www.snort.org) for network activity. Unfortunately, there is no easy way to correlate information from these sources, which complicates honeypot forensics.
honeynets, honeypots, blackhat
P. Biondi, D. Kaminsky, F. Raynal and Y. Berthier, "Honeypot Forensics Part I: Analyzing the Network," in IEEE Security & Privacy, vol. 2, no. 4, pp. 72-78, 2004.