IDS mailing list archives

RE: Protocol Anomaly Detection IDS - Honeypots

From: "Rob Shein" <shoten () starpower net>
Date: Thu, 20 Feb 2003 19:48:36 -0500

I have to agree entirely.  A lot of people think of a honeypot as something
set up to look like a wildly insecure box.  What I like to do is set one up
to look like most of the other network-available boxes, but with a slight
twist, like an open port that the others don't have.  It doesn't have to be
incredibly appealing, just a chink in the armor will draw attackers to it.
In "The Seven Samurai," the leader of the group states "Every good castle
must have a weakness in its defense."  He then uses that deliberate weakness
to lure attackers to that one spot, where he waits.  That's exactly what I
go for with a honeypot, and it works pretty darn well too :)

-----Original Message-----
From: Lance Spitzner [mailto:lance () honeynet org] 
Sent: Thursday, February 20, 2003 1:59 PM
To: Robert Graham
Cc: Focus on Intrusion Detection Systems; slyph () alum mit edu
Subject: Re: Protocol Anomaly Detection IDS - Honeypots


On Wed, 19 Feb 2003, Robert Graham wrote:

People have been hoping that there is some sort of magic-pill 
technology that solves the problem of IDS. "Protocol-anomaly 
detection" is one of those buzzwords that promises a magic pill.


Okay, I'll admit, to me alot of the security problems I see 
are nothing more then nails, and honeypots are the hammer.  
However, seriously, have folks considered the detection 
capabilities of honeypots?  The reason I bring this up in 
this thread, is for honeypots, everything is an anamoly.  The 
concept of a honeypot is it has no production or authorized 
activity.  
Everything it captures its way is most likely malicious 
activity.  Not only that, but you dramaticaly reduce 'noise'. 
 Instead of dealing with 5,000 alerts a day (not that high of 
a number for many organizations) a 
honeypot in the same environment could only generate 5 or 10 
alerts a day, 
alerts you most likely need to take action on.  These small 
data sets can make it far easier and cost effective to 
identify and act on 
unauthorized activity.

I'm in no way suggesting that honeypots replace any existing 
detection technologies, I'm suggesting that can contribute.  
Personally, I feel the concept of deception has overshadowed 
the value of honeypots, when one of their true values lies in 
detection.

lance


-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard. 
http://www.securityfocus.com/stillsecure



-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure

Current thread:

RE: Protocol Anomaly Detection IDS, (continued)
- - - RE: Protocol Anomaly Detection IDS Sonit Jain (Feb 12)
- Re: Protocol Anomaly Detection IDS Yaakov Yehudi (Feb 11)
- RE: Protocol Anomaly Detection IDS Graham, Robert (ISS Atlanta) (Feb 06)
- RE: Protocol Anomaly Detection IDS Adam Powers (Feb 06)
- Re: Protocol Anomaly Detection IDS Jordan K Wiens (Feb 06)
- RE: Protocol Anomaly Detection IDS Andrew Plato (Feb 10)
- Re: Protocol Anomaly Detection IDS Martin Roesch (Feb 18)
  - Re: Protocol Anomaly Detection IDS Robert Graham (Feb 20)
    - Re: Protocol Anomaly Detection IDS - Honeypots Lance Spitzner (Feb 20)
    - Re: Protocol Anomaly Detection IDS - Honeypots dreamwvr () dreamwvr com (Feb 20)
    - RE: Protocol Anomaly Detection IDS - Honeypots Rob Shein (Feb 20)
    - Re: Protocol Anomaly Detection IDS - Honeypots dreamwvr () dreamwvr com (Feb 21)
    - Re: Protocol Anomaly Detection IDS - Honeypots Gene Yoo (Feb 25)
    - Message not available
    - Re: Protocol Anomaly Detection IDS - Honeypots Bob Radvanovsky (Feb 20)