Honeypots mailing list archives

Re: search for master of science project topic


From: Packet Man <packetman () altsec info>
Date: Fri, 14 Oct 2005 12:20:26 -0500

gangadhar npk wrote:

It seems to be a very interesting thought. Correct me if I am wrong in understanding this - the basic premise is that, once the 'monitor' identifies a process that is not conforming to the usual practice (say via anomaly detection), it silently transfers the process image to a honeypot - without disruption of any sort - and the process runs within the honeypot (a VM, in all probability).
Maybe initially one can only take care of the socket connections, and then move to the part of file handles, memmaps and others.
Was this attempted before - I don't know, hence the question.

Thanks
Gangadhar
-----Original Message-----
From: "Payton, Zack" <Zack.Payton () MWAA com>
To: <dewadedw () yahoo com>, <honeypots () securityfocus com>
Date: Tue, 11 Oct 2005 11:09:17 -0400
Subject: RE: search for master of science project topic

Sure, what about writing a paper about the best way to monitor
processes on a production box and process transfer and TCP redirect to
a honeypot in the event of an anomaly.
Zack
I think that's an intriguing idea.

It melds intrusion protection with a honeypot, one that
would require re-engineering a honeypot.

Zack, if I get you right, the following would occur:

1.  IDS detects suspicious/malicious traffic
2.  The connection state would be transferred to the honeypot
3.  The connection route would be redirected to the honeypot
4.  The honeypot would spoof the original host and start gathering
    data

I'm not sure of the usefulness/feasibility though.

It would surely require a HIDS client on the target that (A)
works with the IDS and honeypot to effect a transfer of
connection and state data, and (B) responds to IPS/IDS
warnings to not go through with data transfer.

Now, as a vast improvement to typical firewall and IPS
behavior, I think it's a cool idea to have an IDS/IPS effect
a transfer of a connection from the actual targeted host
to a honeypot, instead of simply dropping the traffic.

Such a system would expand the scope of honeypot data
collection to actively taking over connections or attempted
connections from other systems, rather than sitting there
passively waiting for traffic only on its delegated network
address space.

In addition, I think it would be interesting to try this
technique with takeover of an encrypted connection.

It's worth exploring, discussing.

My .02 cents worth.

--
Excellence in InfoSec and Linux
http://www.altsec.info
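The four-step handoff sketched above (detect, transfer state, redirect, spoof), plus the HIDS veto from point (B), modelled as an added example that is not part of any message in this thread. The data model, the `ConnState` fields, the toy detector and the `protected_ports` policy are all assumptions; it moves state records around rather than real sockets.

```python
# Added illustration of the IDS -> honeypot connection handoff discussed
# in the thread. Names and data model are assumptions for this example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ConnState:
    """Minimal TCP state a honeypot would need to continue a flow transparently
    (assumed set: 4-tuple, next seq/ack numbers, unconsumed client data)."""
    client: str
    client_port: int
    server: str
    server_port: int
    seq: int            # next sequence number the server side will send
    ack: int            # next sequence number expected from the client
    pending: bytes      # client data still sitting in the socket buffer


@dataclass
class Host:
    addr: str
    conns: dict = field(default_factory=dict)   # keyed by (client, client_port)


@dataclass
class Redirector:
    """Stands in for the router/IPS rule that steers the client's packets."""
    rules: dict = field(default_factory=dict)   # full 4-tuple -> honeypot address


def is_anomalous(state: ConnState, max_pending: int = 256) -> bool:
    # Constructed toy detector (step 1): an oversized unread request buffer.
    return len(state.pending) > max_pending


def handoff(prod: Host, hp: Host, rd: Redirector, key, protected_ports=(22,)) -> bool:
    """Steps 2-4: move state, redirect the route, let the honeypot answer as the
    original host. Returns False when the HIDS policy (point B) vetoes the move,
    here modelled as 'never hand off a protected service port'."""
    state = prod.conns[key]
    if state.server_port in protected_ports:
        return False
    hp.conns[key] = state                                   # 2. state now on honeypot
    rd.rules[(state.client, state.client_port,
              state.server, state.server_port)] = hp.addr   # 3. route redirected
    del prod.conns[key]                                     # production box drops it
    return True


def honeypot_reply_src(hp: Host, key) -> str:
    """Step 4: the honeypot replies with the original host's address, not its own."""
    return hp.conns[key].server
```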

