IDS mailing list archives
Re: RES: Protocol Anomaly Detection IDS - Honeypots
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 22 Feb 2003 14:55:39 -0600
On Sat, 2003-02-22 at 14:32, Mike Shaw wrote:
I think you misunderstood me (or I didn't speak clearly...far more likely). A file labeled "router passwords" and a snort rule looking for those passwords on their way to routers isn't an obfuscation technique, since hopefully you don't have any real big ol router password lists hanging around your network. And you're not trying to feed them bogus info for simple deception purposes, you're feeding it because the deception is easy to detect, and there would be no deception unless someone was cracking your network. It is most definitely an attraction technique that is nearly perfect in its lack of false positives (when properly implemented). If someone starts throwing those router passwords around, there is a 99% chance there is a warm body on the other end of the wire somewhere.
Mike, I fully understand, but what I'm saying is we have to be careful not to 'bleed' this method into others. The primary goal of a honeypot is to look vulnerable and to lure hackers into exploiting it. The password file you mentioned doesn't lure people to routers, unless you advertise the file (through email, intranet sites, or posting in public file shares). The passwords in this file are used as tracers in the IDS to spot the mischievous through use of these honeytokens.

In a sense I'm agreeing with you that this is the same bait'n'catch method a honeypot uses. But the pedantic, anal-retentive bastard in me says that there is probably a fine line between a bait'n'catch through documents carrying honeytokens and honeypots that bait hackers through open ports, and we have to be careful in discussion not to intertwine these two. Personally, I would consider this approach more of an Intrusion Detection technique than a honeypot.

Cheers,
Frank
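A defender's sketch of the tracer idea discussed above, added here as an example and not code from the thread or its authors: it emits Snort content rules for decoy passwords and emulates the match over captured payload lines. The token values, the decoy file name and the capture lines are all constructed.

```python
"""Honeytoken tracers: decoy passwords planted in a document and watched
for on the wire. Constructed example; nothing here is a real credential."""
from dataclasses import dataclass

# Constructed decoy credentials seeded in a "router passwords" file. Nothing
# legitimate ever uses them, so a hit on the network is almost never a
# false positive: someone read the decoy and is trying the values.
HONEYTOKENS = {
    "r0uter-Adm1n-7731": "router_passwords.txt / core-rtr-1",
    "Tr4nsit-B0rder-55": "router_passwords.txt / border-rtr-2",
}

@dataclass(frozen=True)
class Alert:
    line_no: int
    token: str
    source: str   # which decoy entry was touched, for the incident write-up

def snort_rules(tokens, base_sid=1000001):
    """One Snort content rule per token. Local rules use SIDs >= 1000000;
    the msg names the decoy entry rather than echoing the secret itself."""
    return [
        'alert tcp any any -> any any (msg:"Honeytoken used: %s"; '
        'content:"%s"; sid:%d; rev:1;)' % (source, tok, base_sid + i)
        for i, (tok, source) in enumerate(sorted(tokens.items()))
    ]

def scan_payloads(lines, tokens=HONEYTOKENS):
    """Emulate the content match over captured payload lines. Exact,
    case-sensitive substring match: these are passwords, not words."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        for tok, source in tokens.items():
            if tok in line:
                alerts.append(Alert(n, tok, source))
    return alerts

# Constructed captures: two uses of decoy values, one benign login, and
# one near-miss (different case) that must not fire.
SAMPLE_CAPTURE = [
    "10.0.0.5:41233 -> 10.0.1.1:23  Password: r0uter-Adm1n-7731",
    "10.0.0.9:51002 -> 10.0.1.1:22  Password: correct-horse-battery",
    "10.0.0.5:41240 -> 10.0.1.2:23  Password: Tr4nsit-B0rder-55",
    "10.0.0.7:33011 -> 10.0.1.3:23  Password: r0uter-adm1n-7731",
]

if __name__ == "__main__":
    for a in scan_payloads(SAMPLE_CAPTURE):
        print(f"line {a.line_no}: decoy {a.source} used")
```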