IDS mailing list archives

RE: Protocol Anomaly Detection IDS - Honeypots


From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Fri, 21 Feb 2003 15:12:36 -0500 (EST)

The point seems to be that it's possible to be elbow-deep in someone's
networks with relatively 'normal' traffic the IDS won't pick up.  A
specifically designed web-crawler can sneak right under the radar of a
typical IDS, yet it would easily be detected by a honeytoken.  Slowly
enumerating all users from a public LDAP directory probably won't be
detected by the IDS, but a honeytoken would snag it.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Fri, 21 Feb 2003, Rob Shein wrote:

Interesting notion, but with a few problems.  My idea of a honeypot was an
untrusted machine that draws fire, so to say, from an attacker.  In doing
so, it serves the dual roles of concentrating the attacking traffic onto a
segment that is far more homogenous (in terms of activity) and therefore
easier to monitor, and causing the attacker to focus on a system that will
not give him access to anything of any importance.  Putting "honey
documents" or other data (like database entries or LDAP objects) in the
midst of valid data will not draw attention away, and even if they did,
detection of them wouldn't get you anything new.  If your IDS sees the
content that it is to look for in these documents, why wouldn't it have seen
any of the attacking traffic to begin with?  And either way, the bad guy is
already elbows-deep in your goodies at that point.

-----Original Message-----
From: Augusto Paes de Barros [mailto:augusto () paesdebarros com br]
Sent: Friday, February 21, 2003 6:18 AM
To: focus-ids () securityfocus com
Subject: RES: Protocol Anomaly Detection IDS - Honeypots


Lance's point can be expanded in very interesting views. Why
use only honeypots "hosts" or "nets", when we can use
accounts, documents, info, etc? I was developing an idea that
I call "honeytokens", to use on Windows networks. Basically,
information that shouldn't be flowing over the network and,
if you can detect it, something wrong is happening.

--
Augusto Paes de Barros, CISSP
http://www.paesdebarros.com.br
augusto () paesdebarros com br
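An added example, not from any poster in this thread, of the detection the thread describes: honeytoken values (a planted LDAP user and a "honey document") are scanned for in web and LDAP logs, with URL-decoding and case-folding so a crawler's trivial variations still hit. All token values, IPs and log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Honeytokens planted in the environment. Constructed values: a fake user in
# the public LDAP directory and a fake document on the web server. No
# legitimate client has any reason to request either.
HONEYTOKENS = {
    "ldap-user": "hdavis_finance_backup",
    "honey-doc": "/docs/q1-acquisition-draft.pdf",
}

# Constructed sample log lines: web access log entries and LDAP server query
# records. Only the last two touch a honeytoken.
SAMPLE_LOGS = [
    '10.0.5.12 - - [21/Feb/2003:10:01:03] "GET /index.html HTTP/1.0" 200',
    '10.0.5.12 - - [21/Feb/2003:10:01:04] "GET /docs/handbook.pdf HTTP/1.0" 200',
    'ldap: conn=41 src=10.0.5.40 SRCH base="ou=people,dc=example,dc=edu" filter="(uid=jsmith)"',
    '10.0.9.77 - - [21/Feb/2003:10:02:15] "GET /docs/q1-acquisition-draft%2Epdf HTTP/1.0" 200',
    'ldap: conn=42 src=10.0.9.77 SRCH base="ou=people,dc=example,dc=edu" filter="(uid=HDavis_Finance_Backup)"',
]

# Source address: leading field of a web log line, or the src= field of an LDAP record.
SRC_RE = re.compile(r"(?:^|src=)(\d{1,3}(?:\.\d{1,3}){3})")


def normalize(line: str) -> str:
    """Undo the cheap variations a crawler might use: URL encoding and case."""
    return unquote(line).lower()


def scan(lines, tokens=HONEYTOKENS):
    """Return one alert per log line that carries a honeytoken.

    A hit is high-fidelity by construction: the value has no legitimate use,
    so any appearance matters even when the traffic otherwise looks normal.
    """
    alerts = []
    for line in lines:
        norm = normalize(line)
        for name, value in tokens.items():
            if value.lower() in norm:
                m = SRC_RE.search(line)
                alerts.append({"token": name,
                               "source": m.group(1) if m else "unknown",
                               "line": line})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"HONEYTOKEN {a['token']} touched by {a['source']}: {a['line']}")
```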

