IDS mailing list archives

RE: Protocol Anomaly Detection IDS - Honeypots


From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Fri, 21 Feb 2003 16:36:26 -0500 (EST)

Very true; so you have to be careful where you place the IDS given those
sorts of issues; the original idea is still valid that there are lots of
good uses for honeytokens that can well supplement the 'normal' use of an
IDS.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Fri, 21 Feb 2003, Rob Shein wrote:

Yeah, but if you have more than one LDAP server, and replication, you'll
also snag other valid traffic that happens to control the objects in LDAP.

-----Original Message-----
From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
Sent: Friday, February 21, 2003 3:13 PM
To: Rob Shein
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots


The point seems to be that it's possible to be elbow-deep in
someone's networks with relatively 'normal' traffic the IDS
won't pick up.  A specifically designed web-crawler can sneak
right under the radar of a typical IDS, yet it would easily
be detected by a honeytoken.  Slowly enumerating all users
from a public LDAP directory probably won't be detected by
the IDS, but a honeytoken would snag it.
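
Added example, not part of the original thread: the LDAP honeytoken check discussed above, run over a constructed directory access log, with the other replicas excluded so that replication traffic touching the decoy object does not alert. The log format, the decoy DN and all addresses are assumptions made up for illustration.

```python
import re

# Hypothetical decoy entry: no real user or application ever looks it up.
HONEYTOKEN_DN = "uid=hn-archive,ou=people,dc=example,dc=org"
# Assumed addresses of the other LDAP replicas, which legitimately touch every object.
REPLICATION_PEERS = {"10.0.0.2", "10.0.0.3"}

# Constructed log format: timestamp, source address, operation, target DN.
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) op=(?P<op>\S+) dn="(?P<dn>[^"]*)"$')

# Constructed sample: one client walks the directory hours apart (too slow for a
# rate-based rule), a replica updates the decoy, and a normal user binds.
SAMPLE_LOG = """\
2003-02-21T01:10:02 src=192.0.2.44 op=SEARCH dn="uid=aadams,ou=people,dc=example,dc=org"
2003-02-21T02:00:00 src=10.0.0.2 op=MODIFY dn="uid=hn-archive,ou=people,dc=example,dc=org"
2003-02-21T05:42:17 src=192.0.2.44 op=SEARCH dn="UID=hn-archive, OU=People,dc=example,dc=org"
2003-02-21T09:15:40 src=10.0.0.15 op=BIND dn="uid=jdoe,ou=people,dc=example,dc=org"
"""


def normalize_dn(dn):
    """Lower-case and trim each RDN so differently spelled copies of a DN compare equal.

    Simplification: DNs containing escaped commas are not handled.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def honeytoken_alerts(log_text, token_dn=HONEYTOKEN_DN, peers=REPLICATION_PEERS):
    """Return (timestamp, source, operation) for every non-replica touch of the decoy."""
    token = normalize_dn(token_dn)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or normalize_dn(m["dn"]) != token:
            continue  # unparsable line, or an ordinary entry
        if m["src"] in peers:
            continue  # replication traffic is expected to touch the decoy
        alerts.append((m["ts"], m["src"], m["op"]))
    return alerts


if __name__ == "__main__":
    for ts, src, op in honeytoken_alerts(SAMPLE_LOG):
        print(f"honeytoken touched: {ts} {op} from {src}")
```

A single access is enough to alert, so the spacing between the enumerating client's requests does not matter; the peer list is what keeps the replica's update from alerting.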


