IDS mailing list archives
RE: Protocol Anomaly Detection IDS - Honeypots
From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Fri, 21 Feb 2003 16:36:26 -0500 (EST)
Very true; so you have to be careful where you place the IDS given those sorts of issues; the original idea is still valid that there are lots of good uses for honeytokens that can well supplement the 'normal' use of an IDS.

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Fri, 21 Feb 2003, Rob Shein wrote:

Yeah, but if you have more than one LDAP server, and replication, you'll also snag other valid traffic that happens to control the objects in LDAP.

-----Original Message-----
From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
Sent: Friday, February 21, 2003 3:13 PM
To: Rob Shein
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots

The point seems to be that it's possible to be elbow-deep in someone's networks with relatively 'normal' traffic the IDS won't pick up. A specifically designed web-crawler can sneak right under the radar of a typical IDS, yet it would easily be detected by a honeytoken. Slowly enumerating all users from a public LDAP directory probably won't be detected by the IDS, but a honeytoken would snag it.
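
The following is an added example, not part of the thread and not any poster's code: a honeytoken check over LDAP access records that alerts on any touch of a decoy entry while suppressing the valid replication traffic raised in the reply above. The log format, DNs, addresses and the replication bind identity are all constructed assumptions.

```python
import re

# Constructed values for illustration; none come from the thread.
HONEYTOKEN_DN = "uid=hr-archive-svc,ou=people,dc=example,dc=org"
REPLICA_PEERS = {"10.0.0.11", "10.0.0.12"}  # the other LDAP servers
REPLICATION_BIND = "cn=replicator,dc=example,dc=org"

# Simplified, constructed access-log format (not a real server's format).
LINE_RE = re.compile(
    r'(?P<ts>\S+) src=(?P<src>\S+) bind="(?P<bind>[^"]*)" '
    r'op=(?P<op>\w+) dn="(?P<dn>[^"]*)"'
)

def normalize_dn(dn):
    """Case-fold and trim each RDN so trivial spelling variants still match.
    Escaped commas inside attribute values are not handled here."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_replication(src, bind):
    """Replication needs both a known peer address and the replication identity."""
    return src in REPLICA_PEERS and normalize_dn(bind) == normalize_dn(REPLICATION_BIND)

def honeytoken_alerts(lines):
    """Return (ts, src, bind, op) for every non-replication touch of the honeytoken."""
    target = normalize_dn(HONEYTOKEN_DN)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_dn(m["dn"]) != target:
            continue
        if is_replication(m["src"], m["bind"]):
            continue  # valid server-to-server traffic that manages the object
        alerts.append((m["ts"], m["src"], m["bind"], m["op"]))
    return alerts

SAMPLE_LOG = [  # constructed records
    '2003-02-21T15:01:07 src=10.0.0.11 bind="cn=replicator,dc=example,dc=org" op=MODIFY dn="uid=hr-archive-svc,ou=people,dc=example,dc=org"',
    '2003-02-21T15:02:40 src=192.0.2.77 bind="" op=SEARCH dn="uid=asmith,ou=people,dc=example,dc=org"',
    '2003-02-21T15:09:12 src=192.0.2.77 bind="" op=SEARCH dn="UID=hr-archive-svc, OU=people,dc=example,dc=org"',
    '2003-02-21T15:20:33 src=10.0.0.12 bind="uid=jdoe,ou=people,dc=example,dc=org" op=SEARCH dn="uid=hr-archive-svc,ou=people,dc=example,dc=org"',
]

if __name__ == "__main__":
    for alert in honeytoken_alerts(SAMPLE_LOG):
        print("ALERT honeytoken touched:", alert)
```

The last sample record comes from a replica's address but under an ordinary user bind, so it still alerts: the exemption is tied to the replication identity, not to the address alone.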