IDS mailing list archives
RE: RES: Protocol Anomaly Detection IDS - Honeypots
From: "Pete Herzog" <lists () isecom org>
Date: Fri, 21 Feb 2003 18:00:14 +0100
Hi, this is something we have helped implement using webbugs in MS docs, presentations, and other openable items for an internal honeypot. When opened, they call an image off a small, private webserver which in logging gives us the local IP address of the machine and the time so we can be fairly certain who accessed it. It's used mainly for "warnings". We know it's not perfect but it works. Next we would like to use MP3s and AVIs to do the same thing when opened.

With the idea of honey tokens, I think this really could go to the next level -- even so far as tracking internal reports which get e-mailed or somehow transferred (even with tunnelling) outside the company (as long as no encryption is involved). It adds a whole new paradigm to maintaining internal security and order.

Sincerely,
-pete.

Managing Director
Institute of Security and Open Methodologies
www.isecom.org
-----Original Message-----
From: Lance Spitzner [mailto:lance () honeynet org]
Sent: Friday, February 21, 2003 5:37 PM
To: Augusto Paes de Barros
Cc: focus-ids () securityfocus com
Subject: Re: RES: Protocol Anomaly Detection IDS - Honeypots

On Fri, 21 Feb 2003, Augusto Paes de Barros wrote:

> Lance's point can be expanded in very interesting views. Why use only honeypot "hosts" or "nets", when we can use accounts, documents, info, etc? I was developing an idea that I call "honeytokens", to use on Windows networks. Basically, information that shouldn't be flowing over the network and, if you can detect it, something wrong is happening.

Ohh, ooh! Very cool suggestion Augusto! This is something I never thought of. Create documents, webpages, or resources that no one should be accessing. You create these resources with specific, obvious signatures so your detection mechanisms (logs, IDS sensors, etc) can easily pick them up. If you detect these resources being moved around your network, you know something is up!

For example, you create a Word document that has the title of payroll or 'research and development'. You put whatever fluff you want in the document, and give it a "tracking number", such as 14A8478bG98734T90AAZ. Now, you simply create a signature looking for that "tracking number".

The concept would be to create resources that no one should be accessing (the honeytoken) but that are easily detectable if they do. You would have to ensure the signature, as in this case the tracking number, is unique enough that it minimizes, if not eliminates, false positives.

This potentially opens a whole new world to honeypot concepts :) very cool :)

lance

-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling? If not, see what you're missing. Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure
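As an added illustration of the two mechanisms discussed in this thread (Pete's web-bug image beacon and Lance's tracking-number signature), and not code from either author: a small Python detector that maps beacon fetches in a constructed access log back to the document and client IP, and scans constructed mail-relay lines for the planted tracking number. Function names, log formats and all sample lines are assumptions made for the example.

```python
import re
import secrets
from datetime import datetime

# Assumed helper names; nothing here is from the thread or from either author.
def make_tracking_number(n_bytes=12):
    """Random 96-bit hex token: long enough that a chance match in real traffic is negligible."""
    return secrets.token_hex(n_bytes).upper()

def find_token_hits(lines, tokens):
    """Return (line_no, token, line) for every line carrying one of the honeytokens verbatim."""
    patterns = [(t, re.compile(re.escape(t))) for t in tokens]
    return [(no, t, line) for no, line in enumerate(lines, 1)
            for t, pat in patterns if pat.search(line)]

# Combined Log Format line as written by the private image server hosting the web-bug images.
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" \d{3}')

def beacon_opens(access_lines, prefix="/img/"):
    """Map each web-bug fetch back to (document id, client IP, timezone-aware timestamp)."""
    opens = []
    for line in access_lines:
        m = CLF_RE.match(line)
        if not m or not m.group("path").startswith(prefix):
            continue  # ordinary request, not one of the planted images
        doc_id = m.group("path")[len(prefix):].split("?")[0].rsplit(".", 1)[0]
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        opens.append((doc_id, m.group("ip"), when))
    return opens

# Constructed sample data (not real logs); the tracking number is the one Lance used as an example.
TOKEN = "14A8478bG98734T90AAZ"
MAIL_LOG = [
    "2003-02-21 17:41:02 relay=mx1 from=alice@corp.example to=cfo@corp.example subject='Budget' size=4302",
    "2003-02-21 17:52:19 relay=mx1 from=bob@corp.example to=drop@webmail.example subject='fyi' body_match=14A8478bG98734T90AAZ",
    "2003-02-21 17:58:44 relay=mx1 from=carol@corp.example to=team@corp.example subject='Lunch' size=811",
]
ACCESS_LOG = [
    '10.1.2.33 - - [21/Feb/2003:17:55:10 +0100] "GET /img/payroll.gif HTTP/1.1" 200 43 "-" "MSOffice"',
    '10.1.2.8 - - [21/Feb/2003:17:56:02 +0100] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla"',
]

if __name__ == "__main__":
    for no, tok, line in find_token_hits(MAIL_LOG, [TOKEN]):
        print(f"ALERT mail line {no}: honeytoken {tok} leaving the network: {line}")
    for doc, ip, when in beacon_opens(ACCESS_LOG):
        print(f"ALERT document {doc} opened from {ip} at {when.isoformat()}")
```

The token match is exact and case-sensitive on purpose: a signature that is loose enough to match variants is also loose enough to fire on unrelated data.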