RES: Protocol Anomaly Detection IDS - Honeypots

["Augusto Paes de Barros" <augusto () paesdebarros com br>]

True! But you can configure the rule on the IDS to catch the honeytoken
on all traffic BUT the traffic between the servers.

[]s
Augusto Paes de Barros, CISSP
www.paesdebarros.com.br
 

-----Mensagem original-----
De: Rob Shein [mailto:shoten () starpower net] 
Enviada em: sexta-feira, 21 de fevereiro de 2003 17:46
Para: 'Jordan K Wiens'
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Assunto: RE: Protocol Anomaly Detection IDS - Honeypots


Yeah, but if you have more than one LDAP server, and replication, you'll
also snag other valid traffic that happens to control the objects in
LDAP.

> -----Original Message-----
> From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
> Sent: Friday, February 21, 2003 3:13 PM
> To: Rob Shein
> Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
> Subject: RE: Protocol Anomaly Detection IDS - Honeypots
>
>
> The point seems to be that it's possible to be eblow-deep in
> someones networks with relatively 'normal' traffic the IDS 
> won't pick up.  A specifically designed web-crawler can sneak 
> right under the radar of a typical IDS, yet it would easily 
> be detected by a honeytoken.  Slowly enumerating all users 
> from a public LDAP directory probably won't be detected by 
> the IDS, but a honeytoken would snag it.
>
> --
> Jordan Wiens
> UF Network Incident Response Team
> (352)392-2061
>
> On Fri, 21 Feb 2003, Rob Shein wrote:
>
> > Interesting notion, but with a few problems.  My idea of a honeypot
> > was an untrusted machine that draws fire, so to say, from 
> an attacker.
> > In doing so, it serves the dual roles of concentrating the
> attacking
> > traffic onto a segment that is far more homogenous (in terms of
> > activity) and therefore easier to monitor, and causing the 
> attacker to
> > focus on a system that will not give him access to anything of any
> > importance.  Putting "honey documents" or other data (like database 
> > entries or LDAP objects) in the midst of valid data will not draw 
> > attention away, and even if they did, detection of them 
> wouldn't get
> > you anything new.  If your IDS sees the content that it is
> to look for
> > in these documents, why wouldn't it have seen any of the attacking
> > traffic to begin with?  And either way, the bad guy is already 
> > elbows-deep in your goodies at that point.
> >
> > > -----Original Message-----
> > > From: Augusto Paes de Barros [mailto:augusto () paesdebarros com br]
> > > Sent: Friday, February 21, 2003 6:18 AM
> > > To: focus-ids () securityfocus com
> > > Subject: RES: Protocol Anomaly Detection IDS - Honeypots
> > >
> > >
> > > Lance's point can be expanded in very interesting views. Why use
> > > only honeypots "hosts" or "nets", when whe can use accounts, 
> > > documents, info, etc? I was developing an idea that I call 
> > > "honeytokens", to use on Windows networks. Basically, information 
> > > that shouldn't be flowing over the network and, if you can detect 
> > > it, something wrong is happening.
> > >
> > > --
> > > Augusto Paes de Barros, CISSP http://www.paesdebarros.com.br 
> > > augusto () paesdebarros com br



-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure