Honeypots mailing list archives

Re: logging facility


From: Floydman <floydman () iquebec com>
Date: Wed, 27 Aug 2003 15:18:11 -0400

It's easy. A honeypot is by definition a system (or a set of systems) deliberately meant to be hacked as bait, thus no real production traffic occurs on these networks. So, all the traffic on it is suspicious by nature. On production networks, the difficulty for IDS is that it has to determine through all the traffic which one is legitimate and which one is suspicious. What can happen at this point is that either a) malicious traffic is effectively identified as such; b) malicious traffic is erroneously identified as valid traffic, causing an attack to go undetected; or c) valid traffic is erroneously identified as suspicious traffic, which causes false alarms that can, in the long run, bring the attention brought to these alarms to decrease, which can eventually cause rightly detected intrusions to be overlooked by the people assigned to protecting the network. These issues do not occur on a honeypot because in normal usage, there should be no traffic at all on it. As soon as there is activity, it means that something wrong is occurring. The challenge for IDS developers/users is to configure it in such a way that it increases the occurrences of a) while decreasing as much as possible b) and c), which implies good knowledge of networking protocols and what is to be considered valid traffic on your network.

Hope this helps.

Floydman

At 01:36 PM 27/08/2003, Motayyam79 () aol com wrote:

Hi all,

what makes the logging capability on honeypots far stronger than normal
systems like IDS?

thanks,

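The three outcomes the reply labels a), b) and c) can be made concrete with a small tally. The following is an added example, not code from the list post or from any honeypot project: it feeds a handful of constructed flow records through two detectors, a production IDS that matches constructed payload signatures, and a honeypot rule that alerts on any flow addressed to the honeypot, and then counts how each flow landed. The addresses, signatures, payloads and the `Flow`, `classify`, `outcome_counts` and `alert_precision` names are all assumptions made for the illustration.

```python
"""Added example (not from the original post): tally detection outcomes
a/b/c for a production IDS versus a honeypot. All data below is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: str
    malicious: bool  # ground truth, known only because the sample is constructed


# Constructed topology: one honeypot at 10.0.0.99, a production web host at 10.0.0.10.
HONEYPOT_ADDRS = {"10.0.0.99"}

# Constructed signature list used by the production IDS (plain substring match).
SIGNATURES = ["/etc/passwd", "cmd.exe", "' OR 1=1"]

# Constructed sample traffic. Nothing legitimate ever goes to the honeypot,
# so every flow addressed to it is malicious by construction.
FLOWS = [
    Flow("203.0.113.5", "10.0.0.99", 80, "GET /index.html", True),              # probe on honeypot
    Flow("203.0.113.5", "10.0.0.99", 22, "SSH-2.0-scanner", True),              # probe on honeypot
    Flow("192.168.1.20", "10.0.0.10", 80, "GET /index.html", False),            # normal web request
    Flow("192.168.1.21", "10.0.0.10", 80, "GET /../../etc/passwd", True),       # matches a signature
    Flow("192.168.1.22", "10.0.0.10", 80, "POST /login user=bob", True),        # attack with no signature
    Flow("192.168.1.23", "10.0.0.10", 443, "SELECT n FROM t WHERE x=' OR 1=1", False),  # benign text echoing a signature
]


def ids_alert(flow: Flow) -> bool:
    """Production IDS: alert only when a known signature appears in the payload."""
    return any(sig in flow.payload for sig in SIGNATURES)


def honeypot_alert(flow: Flow) -> bool:
    """Honeypot rule: any traffic to a honeypot address is an alert."""
    return flow.dst in HONEYPOT_ADDRS


def classify(flow: Flow) -> str:
    """Map a flow to the reply's outcomes: 'a' attack detected, 'b' attack missed,
    'c' false alarm, '-' benign traffic correctly left alone."""
    alerted = honeypot_alert(flow) or ids_alert(flow)
    if flow.malicious:
        return "a" if alerted else "b"
    return "c" if alerted else "-"


def outcome_counts(flows):
    """Tally outcomes separately for the honeypot and the production network."""
    counts = {"honeypot": Counter(), "production": Counter()}
    for f in flows:
        segment = "honeypot" if f.dst in HONEYPOT_ADDRS else "production"
        counts[segment][classify(f)] += 1
    return counts


def alert_precision(flows, segment: str) -> float:
    """Share of alerts in a segment that were real attacks; 1.0 means no false alarms."""
    c = outcome_counts(flows)[segment]
    alerts = c["a"] + c["c"]
    return c["a"] / alerts if alerts else 1.0


if __name__ == "__main__":
    for segment, c in outcome_counts(FLOWS).items():
        print(segment, dict(c), "precision", alert_precision(FLOWS, segment))
```

Running it shows the asymmetry the reply describes: the honeypot segment produces only a) outcomes and a precision of 1.0, while the production segment, with the same signature list, yields one a), one b) (the attack without a signature) and one c) (the benign query that happens to contain a signature string), for a precision of 0.5. Lowering b) and c) on the production side means tuning the signatures to what is actually valid traffic on that network, which is the knowledge the reply says IDS users need.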