IDS mailing list archives
Re: Honeypots, what is their limits for intrusion detection?
From: krymson () gmail com
Date: 8 Jul 2009 13:52:33 -0000
I'll first say that honeypots are not a substitute for a decent IDS/IPS posture, or network analysis/server protection. I consider honeypot use an advanced technology that has only minimal value to most shops. To answer your question, a honeypot will be able to detect two things: - automated attacks that include your honeypot/net - manual attacks that include your honeypot/net Note that if a manual attack starts attacking your web servers and if they don't find the honeypot, then the honeypot is worthless to you and won't help you detect the ongoing intrusions. You won't know anything or be able to make any conclusions based on a quiet honeypot or which attacks it missed since you can never have the whole picture. It might sound like I'm ragging on honeypot concepts, but I'm just trying to bound the value of it. There *is* value in it, but it is limited. 1. If you have a specific interest in examining the tools attackers use or capture and analyze malware, honeypots are possibly invaluable to you. However, most organizations simply neither care nor have the spare manhours to devote to such endeavors. No harm there; most admins don't get anything from analyzing that stuff on company time. If you donate such captured stuff to companies who do specialize in that, then maybe you can see some value in giving back to the community to make everything more secure... 2. Honeypot concepts tend to "borrow" the value of monitoring your dead network space for traffic as one reason to use honeypots. I don't buy that specifically, but there is value in monitoring your dead space on the network. If you have unused IP addresses and someone does a recon sweep of your IP block, you'll see that traffic trying to find your dead space. There should only be few (if any) legitimate reasons for your dead space to be scanned or poked at. This is the biggest value, but is not necessarily something that honeypot technology alone will provide. You can do this in other ways. It's kinda like making a miniature house inside a window on your house that you leave unlocked so when an attacker climbs in, they're just in this fake house and not your own...that way you can watch what they do and where they look for your valuables. (Any MacGyver fans?) Most people only care that someone is getting into their window, and so put alarm on it. All the rest is not of value to most people. All of that said, if you have an interest in it, I certainly wouldn't discourage getting into it. You, as a person, can learn a lot just by setting it up and catching some things, most probably automated unless you have something of value hanging out there for manual attackers. Just, most corporations have little need for it. <- snip -> Hi, I have a newbie question related to intrusion detection. It was suggested to me that Honeypots only catches automated attacks, is that true? How can we know which attacks are not caught? Is there any papers on what sort of attacks are caught by using honeypots? Regards Tomas ----------------------------------------------------------------- Securing Your Online Data Transfer with SSL. A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
Current thread:
- Honeypots, what is their limits for intrusion detection? Tomas Olsson (Jul 01)
- Re: Honeypots, what is their limits for intrusion detection? Albert Gonzalez (Jul 02)
- Re: Honeypots, what is their limits for intrusion detection? r00t (Jul 02)
- <Possible follow-ups>
- Re: Honeypots, what is their limits for intrusion detection? krymson (Jul 08)