RE: Protocol Anomaly Detection IDS - Honeypots

["Rob Shein" <shoten () starpower net>]

Interesting notion, but with a few problems.  My idea of a honeypot was an
untrusted machine that draws fire, so to say, from an attacker.  In doing
so, it serves the dual roles of concentrating the attacking traffic onto a
segment that is far more homogenous (in terms of activity) and therefore
easier to monitor, and causing the attacker to focus on a system that will
not give him access to anything of any importance.  Putting "honey
documents" or other data (like database entries or LDAP objects) in the
midst of valid data will not draw attention away, and even if they did,
detection of them wouldn't get you anything new.  If your IDS sees the
content that it is to look for in these documents, why wouldn't it have seen
any of the attacking traffic to begin with?  And either way, the bad guy is
already elbows-deep in your goodies at that point.

> -----Original Message-----
> From: Augusto Paes de Barros [mailto:augusto () paesdebarros com br] 
> Sent: Friday, February 21, 2003 6:18 AM
> To: focus-ids () securityfocus com
> Subject: RES: Protocol Anomaly Detection IDS - Honeypots
>
>
> Lance's point can be expanded in very interesting views. Why 
> use only honeypots "hosts" or "nets", when whe can use 
> accounts, documents, info, etc? I was developing an idea that 
> I call "honeytokens", to use on Windows networks. Basically, 
> information that shouldn't be flowing over the network and, 
> if you can detect it, something wrong is happening.
>
> --
> Augusto Paes de Barros, CISSP
> http://www.paesdebarros.com.br
> augusto () paesdebarros com br
>
>
>
> -----Mensagem original-----
> De: Lance Spitzner [mailto:lance () honeynet org]
> Enviada em: quinta-feira, 20 de fevereiro de 2003 15:59
> Para: Robert Graham
> Cc: Focus on Intrusion Detection Systems; slyph () alum mit edu
> Assunto: Re: Protocol Anomaly Detection IDS - Honeypots
>
>
> On Wed, 19 Feb 2003, Robert Graham wrote:
>
> > People have been hoping that there is some sort of magic-pill 
> > technology
> that
> > solves the problem of IDS. "Protocol-anomaly detection" is one of 
> > those buzzwords that promises a magic pill.
>
> Okay, I'll admit, to me alot of the security problems I see 
> are nothing more then nails, and honeypots are the hammer.  
> However, seriously, have folks considered the detection 
> capabilities of honeypots?  The reason I bring this up in 
> this thread, is for honeypots, everything is an anamoly.  The 
> concept of a honeypot is it has no production or authorized 
> activity. Everything it captures its way is most likely 
> malicious activity.  Not only that, but you dramaticaly 
> reduce 'noise'.  Instead of dealing with 5,000 alerts a day 
> (not that high of a number for many organizations) a honeypot 
> in the same environment could only generate 5 or 10 alerts a 
> day, alerts you most likely need to take action on.  These 
> small data sets can make it far easier and cost effective to 
> identify and act on unauthorized activity.
>
> I'm in no way suggesting that honeypots replace any existing 
> detection technologies, I'm suggesting that can contribute.  
> Personally, I feel the concept of deception has overshadowed 
> the value of honeypots, when one of their true values lies in 
> detection.
>
> lance
>
>
> -----------------------------------------------------------
> Does your IDS have Intelligent Attack Profiling?
> If not, see what you're missing.
> Download a free 15-day trial of StillSecure Border Guard. 
> http://www.securityfocus.com/stillsecure
>
>
>
> -----------------------------------------------------------
> Does your IDS have Intelligent Attack Profiling?
> If not, see what you're missing.
> Download a free 15-day trial of StillSecure Border Guard. 
> http://www.securityfocus.com/stillsecure


-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure