IDS mailing list archives
Re: RES: Protocol Anomaly Detection IDS - Honeypots
From: Marc Benoit <marc () corsanet com>
Date: 21 Feb 2003 23:30:59 -0000
In-Reply-To: <20030221131510.29145.qmail () mail securityfocus com> This basic theory is laid out very well in Activescout by Forescout which is a technology that we rely on internally. A potential intruder performs reconnaissance on your network, the scout picks it up and responds with marked packets representing fictitious honeytokens which you can then act on when they come back with the goods. It works on any network with no falsies and up to much greater speeds than we require. -Marc
Lance's point can be expanded in very interesting views. Why use only honeypots "hosts" or "nets", when whe can use accounts, documents, info, etc? I was developing an idea that I call "honeytokens", to use on Windows networks. Basically, information that shouldn't be flowing over the network and, if you can detect it, something wrong is happening.
----------------------------------------------------------- Does your IDS have Intelligent Attack Profiling? If not, see what you're missing. Download a free 15-day trial of StillSecure Border Guard. http://www.securityfocus.com/stillsecure
Current thread:
- RE: Protocol Anomaly Detection IDS - Honeypots, (continued)
- RE: Protocol Anomaly Detection IDS - Honeypots Rob Shein (Feb 21)
- RE: Protocol Anomaly Detection IDS - Honeypots Jordan K Wiens (Feb 21)
- RE: Protocol Anomaly Detection IDS - Honeypots Rob Shein (Feb 21)
- RES: Protocol Anomaly Detection IDS - Honeypots Augusto Paes de Barros (Feb 21)
- RE: Protocol Anomaly Detection IDS - Honeypots Rob Shein (Feb 21)
- RE: Protocol Anomaly Detection IDS - Honeypots pbsarnac (Feb 21)
- Re: RES: Protocol Anomaly Detection IDS - Honeypots Frank Knobbe (Feb 25)
- Re: RES: Protocol Anomaly Detection IDS - Honeypots Lance Spitzner (Feb 25)