Chapter 9. Detecting Honeypots

9.1 Detecting Low-Interaction Honeypots

9.2 Detecting High-Interaction Honeypots

9.3 Detecting Rootkits

9.4 Summary

Although honeypots are a great resource for investigating adversaries or automatic exploitation via worms, the amount of information we can learn depends on how realistic the honeypots are. If an adversary breaks into a machine and immediately notices that she broke into a honeypot, her reaction might be to remove all evidence and leave the machine alone. On the other hand, if the fact that she broke into a honeypot remains undetected, she could use it to store attack tools and launch further attacks on other systems. This makes it very important to provide realistic-looking honeypots. For low-interaction ...

From Virtual Honeypots: From Botnet Tracking to Intrusion Detection (O’Reilly).
