IDS mailing list archives
RE: Protocol Anomaly Detection IDS - Honeypots
From: pbsarnac () thoughtworks com
Date: Fri, 21 Feb 2003 16:55:54 -0600
I think you're trying too hard to find negatives with the system. There are many situations where this would not be an acceptable tool, however there are many situations where this could be invaluable. It seems perfectly suited for detecting insider attacks, especially against high-risk and high-value servers that by their very nature require higher levels of protection and can therefore justify higher levels of effort and time. In the end, this is simply one more tool for our toolboxes, and shouldn't be considered as a solution in and of itself.

From: "Rob Shein" <shoten@starpower.net>
Sent: 02/21/2003 04:07 PM
To: "'Augusto Paes de Barros'" <augusto () paesdebarros com br>, "'Jordan K Wiens'" <jwiens () nersp nerdc ufl edu>
cc: <focus-ids () securityfocus com>
Subject: RE: Protocol Anomaly Detection IDS - Honeypots
At what point does this concept get too unwieldy? In this scenario, people have to have knowledge of the various types of LDAP traffic (and know how to differentiate them on the wire) in order to write the rules to catch a single type of honeytoken. I certainly don't have that breadth of knowledge, and I've learned how to do a whole lot of different things. There are workarounds for almost anything under the sun, but some of them require workarounds that make them infeasible. I think the overhead in terms of administration and braintrust that would be needed to seed an enterprise with such granular honey-things is better spent on other ways of securing that enterprise.
-----Original Message-----
From: Augusto Paes de Barros [mailto:augusto () paesdebarros com br]
Sent: Friday, February 21, 2003 4:56 PM
To: 'Rob Shein'; 'Jordan K Wiens'
Cc: focus-ids () securityfocus com
Subject: RES: Protocol Anomaly Detection IDS - Honeypots

True! But you can configure the rule on the IDS to catch the honeytoken on all traffic BUT the traffic between the servers.

[]s
Augusto Paes de Barros, CISSP
www.paesdebarros.com.br

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Friday, February 21, 2003 17:46
To: 'Jordan K Wiens'
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots

Yeah, but if you have more than one LDAP server, and replication, you'll also snag other valid traffic that happens to control the objects in LDAP.

-----Original Message-----
From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
Sent: Friday, February 21, 2003 3:13 PM
To: Rob Shein
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots

The point seems to be that it's possible to be elbow-deep in someone's networks with relatively 'normal' traffic the IDS won't pick up. A specifically designed web-crawler can sneak right under the radar of a typical IDS, yet it would easily be detected by a honeytoken. Slowly enumerating all users from a public LDAP directory probably won't be detected by the IDS, but a honeytoken would snag it.

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Fri, 21 Feb 2003, Rob Shein wrote:

Interesting notion, but with a few problems. My idea of a honeypot was an untrusted machine that draws fire, so to say, from an attacker. In doing so, it serves the dual roles of concentrating the attacking traffic onto a segment that is far more homogenous (in terms of activity) and therefore easier to monitor, and causing the attacker to focus on a system that will not give him access to anything of any importance. Putting "honey documents" or other data (like database entries or LDAP objects) in the midst of valid data will not draw attention away, and even if they did, detection of them wouldn't get you anything new. If your IDS sees the content that it is to look for in these documents, why wouldn't it have seen any of the attacking traffic to begin with? And either way, the bad guy is already elbows-deep in your goodies at that point.

-----Original Message-----
From: Augusto Paes de Barros [mailto:augusto () paesdebarros com br]
Sent: Friday, February 21, 2003 6:18 AM
To: focus-ids () securityfocus com
Subject: RES: Protocol Anomaly Detection IDS - Honeypots

Lance's point can be expanded in very interesting views. Why use only honeypots "hosts" or "nets", when we can use accounts, documents, info, etc? I was developing an idea that I call "honeytokens", to use on Windows networks. Basically, information that shouldn't be flowing over the network and, if you can detect it, something wrong is happening.

--
Augusto Paes de Barros, CISSP
http://www.paesdebarros.com.br
augusto () paesdebarros com br

-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling? If not, see what you're missing. Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure
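Augusto's suggestion in the quoted thread (match the honeytoken on all traffic except between the directory servers) and Rob's replication objection, as an added example that is not part of any message above: a small honeytoken matcher over constructed flow records. The token values, server addresses, ports and the Flow type are all assumptions made for the example.

```python
# Added example: honeytoken detection over captured LDAP traffic with a
# replication exclusion. Not code from the thread; all values constructed.
from dataclasses import dataclass

# Assumption: planted LDAP objects whose names never appear in legitimate
# lookups. Constructed placeholders, not real directory entries.
HONEYTOKENS = (b"uid=svc-backup-legacy", b"cn=Finance Archive 2001")

# Assumption: the replicating directory servers (constructed addresses).
LDAP_SERVERS = {"10.0.0.11", "10.0.0.12"}
LDAP_PORTS = {389, 636}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


def is_replication(flow, servers=LDAP_SERVERS):
    """Traffic with both endpoints on directory servers is replication,
    which legitimately carries every object, honeytoken included."""
    return flow.src in servers and flow.dst in servers


def honeytoken_hits(flows, tokens=HONEYTOKENS, servers=LDAP_SERVERS):
    """Return (src, dst, token) for each LDAP flow carrying a honeytoken,
    skipping server-to-server replication as suggested in the thread."""
    hits = []
    for f in flows:
        if f.dport not in LDAP_PORTS or is_replication(f, servers):
            continue
        for t in tokens:
            if t in f.payload:
                hits.append((f.src, f.dst, t.decode()))
    return hits


SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("10.0.0.11", "10.0.0.12", 389, b"... uid=svc-backup-legacy ..."),  # replication
    Flow("10.0.5.23", "10.0.0.11", 389, b"(uid=alice)"),                     # normal lookup
    Flow("10.0.5.77", "10.0.0.12", 389, b"(uid=svc-backup-legacy)"),         # enumeration hits token
    Flow("10.0.5.77", "10.0.0.12", 443, b"uid=svc-backup-legacy"),           # not an LDAP port
]

if __name__ == "__main__":
    for hit in honeytoken_hits(SAMPLE_FLOWS):
        print("ALERT honeytoken seen:", hit)
```

The exclusion also means a lookup issued from one of the servers themselves is never flagged, so the server set should be kept as small as the replication topology allows.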