Honeypots mailing list archives
Re: Honeytokens and detection
From: george chamales <george () overt org>
Date: Fri, 4 Apr 2003 15:51:33 -0600
One problem I see with the whole concept is that if I was the other side, I'd be using an encrypted tunnel to grab the info.
I think that relying on network traffic is the wrong way to handle this. I suggest having hooks set up on the host itself that monitor when the "token" is opened, read, modified, etc. In effect, real-time file integrity checking/tripwire on the fly. With a bit of work the integrity checking could be hidden from all the users on the system and alerts could be sent covertly off of the host.
All in all, I really like the idea.

george
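One way to realise the host-side monitoring suggested in the message above, as an added example that is not part of the original post: it assumes a Linux host where auditd watches the decoy file under a hypothetical key `honeytoken`. The file path, the log lines and the function name are constructed for illustration.

```python
import re

# Assumed setup (not from the original post): the decoy file is watched with
#   auditctl -w /srv/share/payroll_2003.xls -p rwa -k honeytoken
# so every read, write or attribute change produces keyed audit records.
WATCH_KEY = "honeytoken"

# Constructed sample of /var/log/audit/audit.log; all values are illustrative.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1049493093.120:811): arch=c000003e syscall=2 success=yes exit=3 pid=4120 auid=1004 uid=1004 comm="cat" exe="/bin/cat" key="honeytoken"
type=PATH msg=audit(1049493093.120:811): item=0 name="/srv/share/payroll_2003.xls" inode=2210 nametype=NORMAL
type=SYSCALL msg=audit(1049493101.552:812): arch=c000003e syscall=2 success=yes exit=3 pid=4127 auid=1002 uid=1002 comm="vi" exe="/usr/bin/vi" key=(null)
type=PATH msg=audit(1049493101.552:812): item=0 name="/home/bob/notes.txt" inode=5531 nametype=NORMAL
type=SYSCALL msg=audit(1049493140.007:813): arch=c000003e syscall=2 success=no exit=-13 pid=4131 auid=1004 uid=0 comm="scp" exe="/usr/bin/scp" key="honeytoken"
type=PATH msg=audit(1049493140.007:813): item=0 name="/srv/share/payroll_2003.xls" inode=2210 nametype=NORMAL
'''

EVENT_ID = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def honeytoken_alerts(log_text, key=WATCH_KEY):
    """Return one alert dict per audit event tagged with the watch key."""
    events = {}  # event serial -> merged fields from all records of that event
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events.setdefault(m.group(2), {"time": int(m.group(1))})
        if fields.get("type") == "PATH":
            ev["path"] = fields.get("name")
        else:
            ev.update(fields)
    alerts = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        if ev.get("key") != key:
            continue
        # Denied opens are reported too: a failed read is still a touch on the token.
        alerts.append({"serial": int(serial), "time": ev["time"], "path": ev.get("path"),
                       "auid": ev.get("auid"), "uid": ev.get("uid"),
                       "exe": ev.get("exe"), "success": ev.get("success") == "yes"})
    return alerts

if __name__ == "__main__":
    for alert in honeytoken_alerts(SAMPLE_LOG):
        print(alert)
```

Because the records are produced on the host at the moment of access, the alert fires whether or not the file later leaves over an encrypted channel; `auid` keeps the original login identity even when `uid` has changed.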