BKVRTHNP.RVW 20070930

"Virtual Honeypots", Niels Provos/Thorsten Holz, 2008, 0-321-33632-1, U$49.99/C$61.99
%A Niels Provos
%A Thorsten Holz
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2008
%G 0-321-33632-1 978-0-321-33632-3
%I Addison-Wesley Publishing Co.
%O U$49.99/C$61.99 800-822-6339 617-944-3700 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321336321/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/0321336321/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321336321/robsladesin03-20
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 440 p.
%T "Virtual Honeypots: From Botnet Tracking to Intrusion Detection"

Right off the top you have to question the reliability of research that credits, in the preface, Robert Morris with "inventing" the buffer overflow (in the course of creating the Internet Worm of 1988).

Chapter one provides some background information for honeypot operation, with a very terse review of some basic TCP/IP protocols, descriptions of some common honeypot types, and a few tools that can be used for data capture and analysis. High-interaction honeypots are defined (by the authors, in chapter two) as virtual machines that can provide, to the attacker or intruder, as much or as little functionality as you wish. A number of such machines are described, mostly in terms of installation. Overviews (and installation instructions) for a variety of specialized and limited emulators are given in chapter three.

Chapter four introduces the honeyd program, which is widely used for creating multiple virtual machines on a single computer. Advanced functions of honeyd are discussed in chapter five. Chapter six examines the possibilities for collecting malware with honeypots, specifically the nepenthes and honeytrap programs. Some systems for presenting apparently extensive functionality without risking the danger of a compromise are explained in chapter seven.

Emulation of the activity of an active computer or Internet user (rather than a passive server) is the idea behind client honeypots, as outlined in chapter eight. Indications that betray the presence or operation of a honeypot are discussed in chapter nine. Some experiences using honeypots are noted in chapter ten. Chapter eleven specifically examines the use of honeypots to discover the functions and activity of botnets. CWSandbox, a tool for the analysis of malware, is explored in chapter twelve.

The classic text in the field of honeypots is, of course, "Know Your Enemy" (cf. BKKNYREN.RVW). That volume does not go into specific details of construction in the way that Spitzner's "Honeypots" (cf. BKHNYPOT.RVW) or even Grimes' "Honeypots for Windows" (cf. BKHNPTWN.RVW) does. However, between them the existing works provide a solid background, and this tome adds little to the mix. The addition of client honeypots is valuable, but the writing and explanations provide little that will be of help to those trying to use the technology.

copyright Robert M. Slade, 2007