IDS mailing list archives
Re: RES: Protocol Anomaly Detection IDS - Honeypots
From: Lance Spitzner <lance () honeynet org>
Date: Fri, 21 Feb 2003 10:36:56 -0600 (CST)
On Fri, 21 Feb 2003, Augusto Paes de Barros wrote:
> Lance's point can be expanded in very interesting views. Why use only honeypots "hosts" or "nets", when we can use accounts, documents, info, etc? I was developing an idea that I call "honeytokens", to use on Windows networks. Basically, information that shouldn't be flowing over the network and, if you can detect it, something wrong is happening.
Ohh, ooh! Very cool suggestion Augusto! This is something I never thought of. Create documents, webpages, or resources that no one should be accessing. You create these resources with specific, obvious signatures so your detection mechanisms (logs, IDS sensors, etc) can easily pick them up. If you detect these resources being moved around your network, you know something is up!

For example, you create a Word document that has the title of payroll or 'research and development'. You put whatever fluff you want in the document, and give it a "tracking number", such as 14A8478bG98734T90AAZ. Now, you simply create a signature looking for that "tracking number".

The concept would be to create resources that no one should be accessing (the honeytoken) but is easily detectable if they do. You would have to ensure the signature, as in this case the tracking number, is unique enough that it minimizes, if not eliminates, false positives.

This potentially opens a whole new world to honeypot concepts :)

very cool :)

lance
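The signature idea in the message above, as an added example that is not part of the original post: a Python scanner that looks for the tracking number as plain ASCII, as UTF-16LE, and inside line-wrapped base64, since a match on the literal string alone misses the document once it is re-encoded, for instance as a mail attachment. The function names, the choice of encodings and the sample payloads are assumptions constructed for illustration.

```python
import base64

# Tracking number quoted in the post; everything else here is constructed.
TOKEN = "14A8478bG98734T90AAZ"

def base64_fragments(raw):
    """Base64 substrings fixed by `raw` alone, one per 3-byte alignment."""
    fragments = []
    for offset in range(3):
        padded = b"\x00" * offset + raw
        text = base64.b64encode(padded).rstrip(b"=")
        if len(padded) % 3:
            text = text[:-1]  # last char also encodes the byte after the token
        # Drop leading chars that mix in bytes preceding the token.
        fragments.append(text[(0, 2, 3)[offset]:])
    return fragments

def build_patterns(token):
    """Byte patterns per encoding (the set of encodings is an assumption)."""
    raw = token.encode("ascii")
    return {
        "ascii": [raw],
        "utf-16le": [token.encode("utf-16-le")],  # 16-bit text in documents
        "base64": base64_fragments(raw),          # MIME-encoded attachments
    }

def scan(payload, patterns):
    """Return the sorted names of the encodings under which the token appears."""
    # Base64 bodies are line-wrapped, so match against a copy without CR/LF.
    unwrapped = payload.translate(None, b"\r\n")
    hits = set()
    for name, needles in patterns.items():
        haystack = unwrapped if name == "base64" else payload
        if any(n in haystack for n in needles):
            hits.add(name)
    return sorted(hits)

PATTERNS = build_patterns(TOKEN)

if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    doc = b"Payroll Q1\nTracking: " + TOKEN.encode() + b"\nfluff fluff fluff\n"
    for label, data in [("plain", doc), ("mime", base64.encodebytes(doc)),
                        ("benign", b"GET /index.html HTTP/1.0\r\n\r\n")]:
        print(label, scan(data, PATTERNS))
```

Compressed or encrypted transfers hide the token from all three patterns, so a content match like this complements, rather than replaces, access logging on the honeytoken itself.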