Honeypots mailing list archives

Re: IDS and honeypots


From: Valdis.Kletnieks () vt edu
Date: Wed, 30 Apr 2003 14:20:10 -0400

On Wed, 30 Apr 2003 14:28:17 +0200, rnoble <rnoble () petech ac za>  said:

> I'm investigating the idea of using the traffic captured by a honeypot
> (in theory all data should be suspicious), filtering out legal traffic
> and traffic captured by existing misuse IDS signatures, and using the
> remainder to automatically create new signatures in order to update an
> IDS database.

The problem you get is that if the attacker uses a 0day to get into the
box, you'll get a new IDS tag for that - but if he then installs a backdoor
and telnets in, you'll also get new IDS signatures for telnet traffic with
a packet 'a', 'b', 'c'.... Whoops. ;)

(Same issue for anything else the attacker might do that resembles usual
traffic - and remember that a *lot* of the attacker's traffic is going to
look very similar to "production" traffic, just with different *INTENT*, which
is very hard for an IDS to gauge unless it has an AI component.)
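As an added illustration of the failure mode described above (example code, not part of the thread): a toy version of the proposed pipeline, run over constructed sample payloads, showing how the attacker's single-keystroke telnet session turns into "signatures" that fire on ordinary production traffic, and how checking candidates against a production baseline removes them.

```python
# Toy model of "honeypot traffic minus known-legit minus known-signatures
# becomes new signatures", and the over-fitting problem it causes.
# All payloads below are constructed samples, not real captures.

EXPLOIT = b"EXPLOIT-PLACEHOLDER-0DAY-PAYLOAD"   # stands in for the unknown exploit

# What the honeypot saw: the break-in, one harmless probe, then the attacker
# typing into a backdoor telnet session one character/command at a time.
HONEYPOT = [EXPLOIT, b"GET /index.html HTTP/1.0", b"a", b"b", b"c", b"ls", b"id"]

# A baseline of ordinary production traffic (constructed).
PRODUCTION = [b"GET /index.html HTTP/1.0", b"GET /about.html HTTP/1.0", b"a", b"ls"]

KNOWN_LEGIT = {b"GET /index.html HTTP/1.0"}   # traffic already known to be fine
EXISTING_SIGS = set()                          # assume no signature covers EXPLOIT yet

def matches(sigs, payload):
    """Content-signature semantics: a signature fires if it occurs in the payload."""
    return any(sig in payload for sig in sigs)

def naive_signatures(honeypot):
    """The pipeline as proposed: everything left over becomes a signature."""
    return {p for p in honeypot if p not in KNOWN_LEGIT and p not in EXISTING_SIGS}

def false_positives(sigs, production):
    """Production payloads the generated signatures would flag."""
    return [p for p in production if matches(sigs, p)]

def filtered_signatures(honeypot, production, min_len=8):
    """Mitigation: reject candidates that already occur inside production
    traffic, and candidates too short to carry any intent (single keystrokes)."""
    return {c for c in naive_signatures(honeypot)
            if len(c) >= min_len and not any(c in p for p in production)}

if __name__ == "__main__":
    naive = naive_signatures(HONEYPOT)
    print("naive signatures:", sorted(naive))
    print("production hits :", false_positives(naive, PRODUCTION))
    better = filtered_signatures(HONEYPOT, PRODUCTION)
    print("filtered        :", sorted(better))
    print("production hits :", false_positives(better, PRODUCTION))
```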
