Honeypots mailing list archives
Re: Honeytokens and detection
From: "Bram Matthys \(Syzop\)" <syz () dds nl>
Date: Fri, 04 Apr 2003 01:32:02 +0200
[I usually don't give out information about my quite original honeypot kernel modules, but let's make an exception today ;)]

Hi,

Lance Spitzner wrote:

> I was thinking that Honeytokens could be used for detecting when such data was compromised/stolen. Inside each database Honeytoken numbers are inserted. These tokens are known to have no value, no one should be using them. Detection mechanisms such as IDS signatures are then created to look for and detect these tokens being accessed or used.

It's not exactly the same, but... I once created a kernel module which monitored unlink()'s. I then created ~10 useless files all over the filesystem and if an unlink() was called for one of them, the system would halt[*]. The idea is/was to use these "traps" against "rm -rf /"-like things. Of course this doesn't defend against dd if=/dev/zero of=/dev/hda, but it can have some use. It also doesn't rely on a special /bin/rm binary since it could have been replaced by the attacker.

I think such "traps" can be quite useful at host level; at network level it wouldn't get detected if the hacker uses ssh/scp/sftp[**]/etc. Of course you can just use both.

Bram Matthys (Syzop).

[*]: I don't recommend such an action on a production machine ;).
[**]: with own (host)key.
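The two ideas in this thread, Lance's honeytoken values that should never show up in logs, and Bram's trap files that should never be deleted, share one detection pattern: plant something worthless, record it, and alert on any sign it was touched. The following Python script is an added example written for this archive page; it is not Bram's kernel module and does not hook unlink() in the kernel. Instead it takes the user-space, polling approach a defender can run anywhere: it plants trap files with random content under a scratch directory, records each file's inode and content hash in a manifest, and on audit reports whether a trap was deleted, replaced by a different inode, or modified in place. A second routine scans log lines for known honeytoken values. The trap-file names, the honeytoken value and the sample log lines are all constructed for the example.

```python
"""Honeytoken audit: trap files on disk plus honeytoken values in logs.

Added example for the honeypots list post above. The file names, the token
value and the log lines are constructed; no real system paths are used.
"""
import hashlib
import os
import re
import secrets
import tempfile

# Constructed trap-file names, relative to the scratch root created in demo().
TRAP_NAMES = ["etc/.ldconfig.cache", "home/admin/passwords.txt", "var/tmp/.X11-lock"]

# Constructed honeytoken value: looks like a card number but belongs to nobody.
HONEYTOKENS = ["4111-HONEY-0001"]

# Constructed application log lines; only the first one mentions the token.
SAMPLE_LOG = [
    "2003-04-03 10:01:22 app select customer where card=4111-HONEY-0001",
    "2003-04-03 10:01:23 app select customer where card=5500-0000-0000-0004",
    "2003-04-03 10:01:24 app login ok user=admin",
]


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_traps(root, names=TRAP_NAMES):
    """Create the trap files under root and return a manifest of their identity.

    Each trap gets unique random content so it cannot be confused with a real
    file of the same name. The manifest records inode and content hash so the
    audit can tell deletion, replacement and in-place modification apart.
    """
    manifest = {}
    for rel in names:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(secrets.token_bytes(64))
        manifest[path] = {"inode": os.stat(path).st_ino, "sha256": _sha256(path)}
    return manifest


def audit_traps(manifest):
    """Compare the filesystem with the manifest; return (path, event) alerts.

    Events: 'deleted' (trap gone), 'replaced' (different inode at that path),
    'modified' (same inode, different content). An untouched trap yields nothing.
    """
    alerts = []
    for path, expected in manifest.items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            alerts.append((path, "deleted"))
            continue
        if st.st_ino != expected["inode"]:
            alerts.append((path, "replaced"))
        elif _sha256(path) != expected["sha256"]:
            alerts.append((path, "modified"))
    return alerts


def scan_log_for_tokens(lines, tokens=HONEYTOKENS):
    """Return (line_number, token) for every log line that mentions a honeytoken."""
    pattern = re.compile("|".join(re.escape(t) for t in tokens))
    return [(n, m.group(0)) for n, line in enumerate(lines, 1) for m in pattern.finditer(line)]


def demo():
    """Plant traps in a scratch directory, tamper with two of them, and audit."""
    root = tempfile.mkdtemp(prefix="honeytrap-")
    manifest = plant_traps(root)
    paths = sorted(manifest)
    os.unlink(paths[0])                 # simulates an rm -rf style deletion
    with open(paths[1], "ab") as fh:    # simulates tampering that keeps the inode
        fh.write(b"x")
    return audit_traps(manifest)


if __name__ == "__main__":
    for path, event in demo():
        print(f"TRAP {event}: {path}")
    for lineno, token in scan_log_for_tokens(SAMPLE_LOG):
        print(f"HONEYTOKEN seen on log line {lineno}: {token}")
```

Polling from user space means a deletion is noticed at the next audit rather than at the moment of the unlink() call, which is the trade-off against Bram's in-kernel hook; in exchange the checker survives a replaced /bin/rm just as well, and the same manifest format works for files a kernel module could not see, such as backups on another host.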