IDS mailing list archives

Re: Protocol Anomaly Detection IDS - Honeypots


From: "dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>
Date: Thu, 20 Feb 2003 12:38:29 -0700

On Thu, Feb 20, 2003 at 12:58:58PM -0600, Lance Spitzner wrote:
> I'm in no way suggesting that honeypots replace any existing detection
> technologies, I'm suggesting that they can contribute.  Personally, I feel
> the concept of deception has overshadowed the value of honeypots, when
> one of their true values lies in detection.

Lance, 
     I would agree 100% for old times' sake. 99% otherwise ;-)
I have been pondering this for a while. The idea I have had is 
to marry the two. For testing purposes I like the idea of a 
as per normal running snort. Then using a CD or whatever you're 
comfortable with on the same grid run your honeypot. Then
combine the assessment. There is the real risk incurred
by having the honeypot living on the same device, but this way
you see sort of both perspectives. Doing the analysis would 
be interesting. AFAIK this is nothing new; you would know 
better than me. This most likely should be separate with an 
analysis engine somewhere else. It is a valid idea IMO.

Best Regards,
dreamwvr () dreamwvr com

-- 
/*  Security is a work in progress - dreamwvr                 */
#                                                             
# Note: To begin Journey type man afterboot,man help,man hier[.]      
#                                                             
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]
