IDS mailing list archives

Re: RES: Protocol Anomaly Detection IDS - Honeypots


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 22 Feb 2003 14:55:39 -0600

On Sat, 2003-02-22 at 14:32, Mike Shaw wrote:

> I think you misunderstood me (or I didn't speak clearly...far more likely). A file labeled "router passwords" and a
> snort rule looking for those passwords on their way to routers isn't an obfuscation technique, since hopefully you
> don't have any real big ol router password lists hanging around your network. And you're not trying to feed them
> bogus info for simple deception purposes, you're feeding it because the deception is easy to detect, and there would
> be no deception unless someone was cracking your network.
>
> It is most definitely an attraction technique that is nearly perfect in its lack of false positives (when properly
> implemented). If someone starts throwing those router passwords around, there is a 99% chance there is a warm body on
> the other end of the wire somewhere.

Mike,

I fully understand, but what I'm saying is we have to be careful not to
'bleed' this method into others. The primary goal of a honeypot is to
look vulnerable and to lure hackers into exploiting it. The password file
you mentioned doesn't lure people to routers, unless you advertise the
file (through email, intranet sites, or posting in public file shares).
The passwords in this file are used as tracers in the IDS' to spot the
mischievous through use of these honeytokens. 

In a sense I'm agreeing with you that this is the same bait'n'catch method
a honeypot uses. But the pedantic, anal-retentive bastard in me says
that there is probably a fine line between a bait'n'catch through
documents carrying honeytokens and honeypots that bait hackers through
open ports, and we have to be careful in discussion not to intertwine
these two. Personally, I would consider this approach more of an
Intrusion Detection technique than a honeypot.

Cheers,
Frank
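As an added example (not code from either message in this thread), here is the detection side of the honeytoken idea in Python: a decoy "router passwords" file whose entries never belong in real traffic, and a check that raises an alert when one of those entries shows up in a captured login attempt. The decoy contents, the login record format and all addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed decoy file (assumed format: hostname, router address, password).
# Real honeytokens should be random strings that no legitimate user would type.
HONEYTOKEN_FILE = """\
# router passwords - DO NOT SHARE
core-rtr-1   10.0.0.1   Tq8!vNz2Lk
edge-rtr-2   10.0.0.2   xY4#pRw9Qd
"""

@dataclass(frozen=True)
class Honeytoken:
    host: str
    address: str
    password: str

def load_honeytokens(text: str) -> list[Honeytoken]:
    """Parse the decoy file, skipping comments and blank lines."""
    tokens = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, address, password = line.split()
        tokens.append(Honeytoken(host, address, password))
    return tokens

# Constructed login-attempt record format: "src -> dst: password=<value>"
LOGIN_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+): password=(?P<pw>\S+)$")

def scan_logins(records: list[str], tokens: list[Honeytoken]) -> list[dict]:
    """Return one alert per record whose password is a honeytoken.
    A token sent to its own decoy router is the highest-fidelity signal;
    a token sent anywhere else still proves the decoy file was read."""
    by_password = {t.password: t for t in tokens}
    alerts = []
    for rec in records:
        m = LOGIN_RE.match(rec)
        if not m:
            continue  # not a login record; ignore
        token = by_password.get(m.group("pw"))
        if token is None:
            continue  # ordinary password, no honeytoken involved
        alerts.append({"src": m.group("src"), "dst": m.group("dst"),
                       "decoy_host": token.host,
                       "targeted_decoy_router": m.group("dst") == token.address})
    return alerts

SAMPLE_RECORDS = [  # constructed records
    "192.168.5.20 -> 10.0.0.1: password=Tq8!vNz2Lk",  # token to its decoy router
    "192.168.5.21 -> 10.0.0.1: password=Summer2003",  # real-looking guess, no alert
    "192.168.5.22 -> 10.0.0.9: password=xY4#pRw9Qd",  # token reused elsewhere
    "malformed line",
]
```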
