REVIEW: "Virtual Honeypots", Niels Provos/Thorsten Holz
- BKVRTHNP.RVW 20070930
"Virtual Honeypots", Niels Provos/Thorsten Holz, 2008, 0-321-33632-1,
%A Niels Provos
%A Thorsten Holz
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%G 0-321-33632-1 978-0-321-33632-3
%I Addison-Wesley Publishing Co.
%O U$49.99/C$61.99 800-822-6339 617-944-3700 bkexpress@...
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 440 p.
%T "Virtual Honeypots: From Botnet Tracking to Intrusion Detection"

Right off the top you have to question the reliability of research
that credits, in the preface, Robert Morris with "inventing" (in the
course of creating the Internet Worm of 1988) the buffer overflow.

Chapter one provides some background information for honeypot
operation, with a very terse review of some basic TCP/IP protocols,
descriptions of some common honeypot types, and a few tools that can
be used for data capture and analysis. High-interaction honeypots are
defined (by the authors in chapter two) as virtual machines that can
provide (to the attacker or intruder) as much, or as little,
functionality as you wish. A number of such machines are described,
mostly in terms of installation. Overviews (and installation
instructions) for a variety of specialized and limited emulators are
given in chapter three. Chapter four introduces the honeyd program
that is widely used for creating multiple virtual machines on a single
computer. Advanced functions of honeyd are discussed in chapter five.
Chapter six examines the possibilities for collecting malware with
honeypots, specifically the nepenthes and honeytrap programs. Some
systems for presenting apparently extensive functionality without
risking the danger of a compromise are explained in chapter seven.
Emulation of the activity of an active computer or Internet user
(rather than a passive server) is the idea behind client honeypots as
outlined in chapter eight.

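
To give a concrete sense of what honeyd's "multiple virtual machines on a single computer" means in practice, here is a small honeyd configuration as an added example; it is not taken from the book or from this review. It follows the template/bind grammar documented in the honeyd manual page; the personality strings are assumed to match entries in the nmap fingerprint file honeyd is pointed at, and the 10.0.0.0/24 addresses and the scripts/ paths are placeholders.

```text
# Added example of a honeyd configuration (not from the book or review).
# Two templates are emulated on one physical machine; addresses and
# script paths are placeholders chosen for illustration.

# Template applied to any address not bound explicitly: drop everything,
# so unclaimed space does not look alive.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A low-interaction "Windows" host: completes the TCP handshake on a
# few ports and resets the rest, so a scanner sees a plausible profile.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 80 "perl scripts/web.pl"
add windows tcp port 139 open
add windows tcp port 445 open

# A "Linux" host that exposes only an SSH banner script; honeyd passes
# the connection 4-tuple to the script as $ipsrc $sport $ipdst $dport.
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
set linux uptime 1728000
add linux tcp port 22 "sh scripts/ssh-banner.sh $ipsrc $sport $ipdst $dport"

# Bind templates to the addresses honeyd should claim on the network.
bind 10.0.0.10 windows
bind 10.0.0.11 windows
bind 10.0.0.20 linux
```

The point of the split between a blocking default template and a few bound addresses is that every connection to a bound address is by definition unsolicited, which is what makes honeypot logs high-signal for detection; the personality setting only shapes how the emulated TCP/IP stack answers fingerprinting probes.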
Indications that betray the presence or operation of a honeypot are
discussed in chapter nine. Some experiences using honeypots are noted
in chapter ten. Chapter eleven specifically examines the use of
honeypots to discover the functions and activity of botnets.
CWSandbox, a tool for the analysis of malware, is explored in chapter

The classic text in the field of honeypots is, of course, "Know Your
Enemy" (cf. BKKNYREN.RVW). That volume does not go into specific
details of construction in the way that Spitzner's "Honeypots" (cf.
BKHNYPOT.RVW) or even Grimes' "Honeypots for Windows" (cf.
BKHNPTWN.RVW) does. However, between them the existing works provide
a solid background, and this tome adds little to the mix. The
addition of client honeypots is valuable, but the writing and
explanations provide little that will be of help to those trying to
use the technology.

copyright Robert M. Slade, 2007 BKVRTHNP.RVW 20070930