IDS mailing list archives
Re: Protocol Anomaly Detection IDS - Honeypots
From: Lance Spitzner <lance () honeynet org>
Date: Thu, 20 Feb 2003 12:58:58 -0600 (CST)
On Wed, 19 Feb 2003, Robert Graham wrote:
People have been hoping that there is some sort of magic-pill technology that solves the problem of IDS. "Protocol-anomaly detection" is one of those buzzwords that promises a magic pill.
Okay, I'll admit, to me alot of the security problems I see are nothing more then nails, and honeypots are the hammer. However, seriously, have folks considered the detection capabilities of honeypots? The reason I bring this up in this thread, is for honeypots, everything is an anamoly. The concept of a honeypot is it has no production or authorized activity. Everything it captures its way is most likely malicious activity. Not only that, but you dramaticaly reduce 'noise'. Instead of dealing with 5,000 alerts a day (not that high of a number for many organizations) a honeypot in the same environment could only generate 5 or 10 alerts a day, alerts you most likely need to take action on. These small data sets can make it far easier and cost effective to identify and act on unauthorized activity. I'm in no way suggesting that honeypots replace any existing detection technologies, I'm suggesting that can contribute. Personally, I feel the concept of deception has overshadowed the value of honeypots, when one of their true values lies in detection. lance ----------------------------------------------------------- Does your IDS have Intelligent Attack Profiling? If not, see what you're missing. Download a free 15-day trial of StillSecure Border Guard. http://www.securityfocus.com/stillsecure
Current thread:
- Re: Protocol Anomaly Detection IDS, (continued)
- Re: Protocol Anomaly Detection IDS Martin Roesch (Feb 11)
- Re: Protocol Anomaly Detection IDS Frank Knobbe (Feb 11)
- RE: Protocol Anomaly Detection IDS Sonit Jain (Feb 12)
- Re: Protocol Anomaly Detection IDS Frank Knobbe (Feb 11)
- Re: Protocol Anomaly Detection IDS Yaakov Yehudi (Feb 11)
- RE: Protocol Anomaly Detection IDS Graham, Robert (ISS Atlanta) (Feb 06)
- RE: Protocol Anomaly Detection IDS Adam Powers (Feb 06)
- Re: Protocol Anomaly Detection IDS Jordan K Wiens (Feb 06)
- RE: Protocol Anomaly Detection IDS Andrew Plato (Feb 10)
- Re: Protocol Anomaly Detection IDS Martin Roesch (Feb 18)
- Re: Protocol Anomaly Detection IDS Robert Graham (Feb 20)
- Re: Protocol Anomaly Detection IDS - Honeypots Lance Spitzner (Feb 20)
- Re: Protocol Anomaly Detection IDS - Honeypots dreamwvr () dreamwvr com (Feb 20)
- RE: Protocol Anomaly Detection IDS - Honeypots Rob Shein (Feb 20)
- Re: Protocol Anomaly Detection IDS - Honeypots dreamwvr () dreamwvr com (Feb 21)
- Re: Protocol Anomaly Detection IDS - Honeypots Gene Yoo (Feb 25)
- Re: Protocol Anomaly Detection IDS Robert Graham (Feb 20)
- Message not available
- Re: Protocol Anomaly Detection IDS - Honeypots Bob Radvanovsky (Feb 20)
- Re: Protocol Anomaly Detection IDS Martin Roesch (Feb 11)