Specter: a Commercial Honeypot Solution for Windows

    Date: 09 Apr 2003
    Posted by: Anthony Pell
    This is the third installment in an ongoing series of articles looking at honeypots. In the first two papers, we discussed the OpenSource honeypot Honeyd, how it works, and a deployment in the wild. In this paper we will look at a different honeypot, the commercially supported solution Specter.

    Similar to Honeyd, Specter's primary value is detection. However, that is where the similarities end: these two honeypots are as different as night and day. Many of Honeyd's strengths are Specter's weaknesses, just as many of Honeyd's weaknesses are Specter's strengths. This is why these two honeypots make for such an excellent comparison. Keep in mind that, as is true with most honeypots, neither is better than the other; it all depends on what you are looking for.

    Like all honeypots, Specter operates on the principle that it serves no practical application; therefore any Internet-based activity taking place on it is unauthorized. Any time there is interaction with the honeypot, it is by definition most likely malicious activity. This makes it extremely effective for detection, especially on internal networks. It will quickly tell you if a bad guy has penetrated your perimeter defenses, or if you have an employee or vendor looking where they shouldn't. Specter works by listening on specific TCP services. When an attacker interacts with one of these services, Specter captures all of their activity, logs the behavior, and generates an alert. Specter currently does not have the capability to detect ICMP, UDP, or any non-standard IP traffic. Specter is not an appliance. Instead, it is simply a piece of software you install on a computer, similar to any other application, such as Microsoft Office or Winamp. Specter monitors the IP assigned to the computer. Unlike some other honeypots, Specter cannot monitor unused IP space. This limits the number of IPs you can monitor with it.
