Honeypots mailing list archives

RE: [inbox] Attack/Benign Packet Determination


From: "Curt Purdy" <purdy () tecman com>
Date: Mon, 15 Apr 2002 15:43:33 -0500

The concept of a honeynet is to set aside a segment of your network, whether
a class C or .248 subnet that is separate and unto itself.  Therefore any
traffic originating or destined is an indication of compromise, attack, or
scan.

I like to think of them as the miner's canary.  An early warning system that
quickly sends out alarms that don't have to be analyzed whether the traffic
is good or bad.  We have set aside a .128 segment and when snort goes off
here, we immediately look hard at the traffic.  We can then quite often just
block the source while they are still gnawing at our soft underbelly before
they have a chance to touch our hardened assets.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
cpurdy () dpsol com
936.637.7977 ext. 121

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-----Original Message-----
From: Steven DeFord [mailto:steve () redlance singingtree com]
Sent: Friday, August 29, 2003 3:20 PM
To: honeypots () securityfocus com
Subject: [inbox] Attack/Benign Packet Determination


I'm new at this, so you'll have to excuse me, but in the handful of white
papers I've read, and from reading traffic on this list, I've not seen any
clear way that honeypot routers determine what traffic is bad (destined
for the honeypot) and which isn't.  People on the list seem to assume that
"All traffic on the honeynet is inherently an attack," but how does one
know which traffic is bad and which isn't?  At least, how do you tell any
better than an IDS?  For example, in a recent post, someone mentioned the
fact that a blackhat who's compromised a honeynet host can't get any
production information out of sniffing the network, but what if some
user's authentication session were misdirected to the honeynet?  Then the
blackhat could (essentially) passwordsniff legitimate users' logon
information, and could then infect production machines more easily.  The
only benefit of a honeynet, it seems, is improved logging, not due to more
accurate packet detection, but simply more loggers.  Could not, in theory,
one set up a honeynet in the production environment?  (Other than the
previously-mentioned problem of privacy laws and the like.)


Steven DeFord
steve () singingtree com
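The tripwire logic Curt describes above (any flow touching the set-aside segment raises an alert, with Steven's misdirected-session case told apart from an outside probe), as an added Python example that is not part of the thread; the subnet addresses and the key=value log format are assumptions:

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing (not from the thread): honeynet = the ".128" half of
# 10.20.30.0/24 (10.20.30.128/25); production = the rest of 10.0.0.0/8.
HONEYNET = ipaddress.ip_network("10.20.30.128/25")
PRODUCTION = ipaddress.ip_network("10.0.0.0/8")

@dataclass
class Alert:
    src: str
    dst: str
    direction: str  # "inbound" to the honeynet or "outbound" from it
    kind: str       # "external_probe", "internal_contact" or "honeynet_lateral"
    action: str     # what a responder looks at first

def parse_flow(line):
    """Parse a constructed 'key=value' flow record, e.g. a firewall log line."""
    return dict(tok.split("=", 1) for tok in line.split())

def classify(line):
    """Return an Alert if the flow touches the honeynet, else None."""
    f = parse_flow(line)
    src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    src_honey, dst_honey = src in HONEYNET, dst in HONEYNET
    if not (src_honey or dst_honey):
        return None  # never touches the canary segment: not this tripwire's job
    direction = "outbound" if src_honey else "inbound"
    if src_honey and dst_honey:
        kind, action = "honeynet_lateral", "inspect honeypot hosts for compromise"
    else:
        other = dst if src_honey else src  # the non-honeynet endpoint
        if other in PRODUCTION:
            # A production host talking to the honeynet is either a misdirected
            # session or a compromised machine: investigate it, don't just block.
            kind, action = "internal_contact", f"investigate {other}"
        else:
            kind, action = "external_probe", f"block {other}"
    return Alert(str(src), str(dst), direction, kind, action)

def alerts_for(lines):
    # Run every record through classify() and keep only the alerts.
    return [a for a in map(classify, lines) if a is not None]

# Constructed sample records, one per case the tripwire distinguishes.
SAMPLE_FLOWS = [
    "src=198.51.100.7 dst=10.20.30.140 proto=tcp dport=445",   # outsider probing
    "src=10.20.30.140 dst=198.51.100.9 proto=tcp dport=6667",  # honeypot calling out
    "src=10.1.2.3 dst=10.20.30.129 proto=tcp dport=23",        # production host -> honeynet
    "src=10.1.2.3 dst=10.1.2.4 proto=tcp dport=80",            # ordinary production traffic
]
```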


