You want discussion, so I'll throw a hand in.
What security benefit is there to "trapping attackers" and/or watching their
behavior/action? I think that may make great research, but I'm not sure how
many people or organizations will benefit from that added knowledge. Will it
make the organization more secure?
The other side of this is giving attackers an easy target to trigger your
alarms so you know they're present. This is a basic tripwire type of alarm.
Only instead of alarming on actual valuable stuff, you'll get many more
positive hits because you're alarming on giveaway stuff. Maybe this will alert
before your jewels are stolen, but again the value/time side of this is still
arguable.
I'm certainly no expert, but if you make this too easy, are you opening
yourself up to entrapment, or at the very least the inability to prosecute if
you seemingly welcomed the intruder in? I really don't know, but I'm sure
others do.
This isn't to say I want to discourage your work here. I think you should
continue to pursue it. While I might speak about alarming only on the things
you're trying to protect, I do tend to be a network control freak and prefer
the heartbeat of my network close at my fingertips...and alarming on even
smaller things is useful information to alert me to potential problems early.
Soapbox: I think it is dangerous to speak too highly of honeypots or
honeypot-like tripwires. While I do believe in their value for research and
curiosity, honeypots in an organization can be extremely dangerous when tended
by non-experts. Besides, there are so many more valuable tasks to do in most
orgs.
<- snip ->
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
