"This is useful because you can use fingerprints to set
up alerting or protective mechanisms that can detect compromise
quickly and aid in response. For instance, running a honeypot you
might discover that most attackers, after compromising an Apache
web server, attempt to write a file into the /tmp directory. You
can use this information to set up monitoring of the /tmp
directory, and alert administrators whenever Apache writes new
files into /tmp. This can tip off systems administrators to a
possible compromise, by alerting them that there is behavior
occurring on their system that typically corresponds to post-compromise
attacker behavior.
"Honeypots can be generally divided into two categories: low
interaction and high interaction. A high interaction honeypot is a
complete system stack, set up on either a real or virtual
appliance. The high interaction honeypot is a real system for all
intents and purposes and provides intruders with all the capabilities
and tools that a real system would have. High interaction honeypots
can be a wonderful source of information about attackers, but they
carry a high risk as well. There are significant legal
ramifications to running a high interaction honeypot that should be
carefully considered before installing or running one. You need to
think very carefully about your deployment so you don't end up
providing a platform from which an attacker could compromise other
systems."
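The /tmp monitoring the quoted passage describes, as an added example that is not the quoted author's code: a small auditd log correlator that raises an alert only when the web server process creates a new file under /tmp. It assumes the raw auditd record format, an audit rule on /tmp such as `-a always,exit -F arch=b64 -S openat,creat -F dir=/tmp -k tmp_write`, and the web server executable paths listed in `WEB_SERVER_EXES`; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed auditd records (raw log format); not captured from a real system.
# Event 501: apache2 creates /tmp/.x.sh (should alert).
# Event 502: apache2 only opens an existing session file (no alert).
# Event 503: logrotate, not the web server, creates a file (no alert).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=257 success=yes exit=12 a2=241 pid=2201 uid=33 euid=33 comm="apache2" exe="/usr/sbin/apache2" key="tmp_write"
type=CWD msg=audit(1700000000.100:501): cwd="/var/www/html"
type=PATH msg=audit(1700000000.100:501): item=0 name="/tmp/" nametype=PARENT
type=PATH msg=audit(1700000000.100:501): item=1 name="/tmp/.x.sh" nametype=CREATE
type=SYSCALL msg=audit(1700000000.200:502): arch=c000003e syscall=257 success=yes exit=5 a2=0 pid=2201 uid=33 euid=33 comm="apache2" exe="/usr/sbin/apache2" key="tmp_write"
type=PATH msg=audit(1700000000.200:502): item=0 name="/tmp/sess_abc" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=257 success=yes exit=3 a2=241 pid=900 uid=0 euid=0 comm="logrotate" exe="/usr/sbin/logrotate" key="tmp_write"
type=PATH msg=audit(1700000000.300:503): item=1 name="/tmp/lr.tmp" nametype=CREATE
"""

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed executable paths of the web server; adjust to the deployment.
WEB_SERVER_EXES = {"/usr/sbin/apache2", "/usr/sbin/httpd"}


def parse_records(log_text):
    """Group raw audit records by event serial -> list of (record type, fields)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, _timestamp, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        events[serial].append((rtype, fields))
    return events


def find_tmp_writes(log_text, watched_dir="/tmp/"):
    """Return (serial, pid, exe, path) for each file the web server created under watched_dir."""
    alerts = []
    for serial, records in parse_records(log_text).items():
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        if not syscall or syscall.get("exe") not in WEB_SERVER_EXES or syscall.get("success") != "yes":
            continue
        # Only PATH records with nametype=CREATE mean a new file; plain opens are ignored.
        for rtype, f in records:
            if rtype == "PATH" and f.get("nametype") == "CREATE" and f.get("name", "").startswith(watched_dir):
                alerts.append((serial, syscall["pid"], syscall["exe"], f["name"]))
    return alerts


if __name__ == "__main__":
    for serial, pid, exe, path in find_tmp_writes(SAMPLE_LOG):
        print(f"ALERT event={serial} pid={pid} exe={exe} created {path}")
```

In a deployment the same function would be fed the tail of /var/log/audit/log (or ausearch output) rather than the embedded sample, and the alert sent to the administrators' usual channel.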