Honeypots mailing list archives

Re: Question about Dynamic Honeypots.


From: "Jack Whitsitt (jofny)" <seclists () violating us>
Date: Mon, 22 Sep 2003 14:34:33 -0500

The key problem with the question and the answers is the word "all".

There are no firewalls, no IDS systems, and no other <fill in the blank>
security products that will find and/or deal with all hostile traffic. There
are also no solutions that don't make mistakes.

So, that being said, there are solutions available - commercial and open
source - that use IDS systems to redirect traffic to honeypots based on
policy.

No, these should not be used as blanket solutions. Yes, there are situations
where you have a) stable and *fairly* homogeneous traffic patterns where IDS
can with very few false positives find bad traffic and b) a need to do
further analysis of an attack that a firewall or IDS can provide (specific
examples would be to watch behavior in encrypted traffic streams, to
determine goals and motivation of an attack, or even to determine if there
is something more serious going on than your signature picked up on).

These systems are hard to maintain and should be used in very specific
situations - but there is a need and use for them.

* Bait and Switch Honeypot System does it (out of date, but easy to hack on
to newer Snort versions)
* Hogwash
* and look for a commercial router company (don't remember the name) out of
Europe (Belgium?) that does this as well.

-Jack
(I'm not looking for comments on the solutions - just presenting them as
evidence that they exist)
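To make the "IDS redirects to a honeypot based on policy" design concrete, here is an added example that is not from the thread or from any of the products named above. It parses Snort-style "fast" alert lines (constructed sample data, with placeholder signature ids in the local 1000000+ range), applies a redirect policy, and renders the iptables DNAT rule a Bait-and-Switch-style controller would install. The policy includes the two checks a practitioner wants before redirecting anything: an allowlist of production source networks that are never redirected, and a per-priority alert threshold so that a single low-confidence signature hit does not move live traffic. The honeypot address 192.0.2.200 and the rule rendering are assumptions; the example only prints the rule, it never executes it.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample Snort "fast" alert lines. Sids 1000001-1000003 are
# placeholders in the local-rule range, not real signatures.
SAMPLE_ALERTS = """\
09/22-14:13:05.100000  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40211 -> 192.0.2.10:22
09/22-14:13:05.300000  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40212 -> 192.0.2.10:23
09/22-14:13:05.500000  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40213 -> 192.0.2.10:80
09/22-14:13:06.000000  [**] [1:1000002:1] LOCAL exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:51000 -> 192.0.2.10:80
09/22-14:13:07.000000  [**] [1:1000003:1] LOCAL noisy policy rule [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 198.51.100.20:33000 -> 192.0.2.10:443
09/22-14:13:08.000000  [**] [1:1000002:1] LOCAL exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.50:44000 -> 192.0.2.10:80
"""

# Snort fast-alert layout: [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Assumed policy: production nets are never redirected; priority 1 redirects on
# the first alert, priority 2 only after 3 alerts from one source, priority 3 never.
POLICY = {
    "honeypot": "192.0.2.200",                       # assumed honeypot address
    "allow_nets": [ipaddress.ip_network("192.0.2.0/24")],
    "alerts_required": {1: 1, 2: 3},                 # priority -> alerts needed
}


def parse_alerts(text):
    """Return a list of dicts, one per parseable alert line; unknown lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["prio"] = int(d["prio"])
        d["sid"] = int(d["sid"])
        alerts.append(d)
    return alerts


def decide_redirects(alerts, policy=POLICY):
    """Map each source IP to {'action': 'redirect'|'skip', 'reason': ..., 'dst': ...}."""
    hits = Counter()       # (src, prio) -> number of alerts seen
    decisions = {}
    for a in alerts:
        src = ipaddress.ip_address(a["src"])
        if any(src in net for net in policy["allow_nets"]):
            decisions.setdefault(a["src"], {"action": "skip", "reason": "allowlisted source", "dst": a["dst"]})
            continue
        needed = policy["alerts_required"].get(a["prio"])
        if needed is None:
            decisions.setdefault(a["src"], {"action": "skip", "reason": f"priority {a['prio']} not eligible", "dst": a["dst"]})
            continue
        hits[(a["src"], a["prio"])] += 1
        if hits[(a["src"], a["prio"])] >= needed:
            # A redirect decision overrides an earlier skip for the same source,
            # but a later low-priority alert never overrides a redirect (setdefault above).
            decisions[a["src"]] = {
                "action": "redirect",
                "reason": f"{needed} priority-{a['prio']} alert(s), sid {a['sid']}",
                "dst": a["dst"],
            }
    return decisions


def render_dnat_rule(src, dst, honeypot):
    """Render (not run) the NAT rule that would steer src's traffic for dst to the honeypot."""
    return (f"iptables -t nat -A PREROUTING -s {src} -d {dst} "
            f"-j DNAT --to-destination {honeypot}")


if __name__ == "__main__":
    for src, d in decide_redirects(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src:15} {d['action']:8} {d['reason']}")
        if d["action"] == "redirect":
            print("   ", render_dnat_rule(src, d["dst"], POLICY["honeypot"]))
```

Running it redirects the scanner that tripped three priority-2 alerts and the single priority-1 source, skips the priority-3 "noisy" hit, and leaves the 192.0.2.50 host alone even though it matched a priority-1 rule, which is exactly the kind of production exemption Jack's "very specific situations" caveat calls for. Rules installed this way also need an expiry so a redirected source is not steered to the honeypot forever.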

----- Original Message ----- 
From: "Richard Stevens" <mail () richardstevens de>
To: "Mahdi samadi" <samadi () cabinet amnafzar com>;
<honeypots () securityfocus com>
Sent: Monday, September 22, 2003 2:13 PM
Subject: Re: Question about Dynamic Honeypots.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,


> I have also another question? i think that there will be another feature
> for future honeypot/nets, they must plug into networks and attract all
> anomaly/malicious traffics to ourself.
> At the least it must redirect the attacks traffic to itself. I am be so

this sounds interesting but why would you want to do that. I suppose you are
thinking about a honeynet placed somewhere near production machines, not a
separate installation independent of production. Now, to redirect all
malicious traffic, you'd have to identify it first. Otherwise there's nothing
to redirect. The identification has to be 100% accurate, otherwise you'd
interfere with production traffic --> not good and probably worse than a few
attacks coming through since not all attacks do work. All this would have to
work without being detectable, which sounds quite hard to do. I wonder, if
you actually found a way to identify malicious traffic with a precision that
high, why not simply block it and leave a honeynet in a classic way to cope
with the remaining/new attacks for analysis and identification? What exactly
would be the goal of the redirection? You already know that the redirected
traffic is malicious, you know what it is. Imho you could only learn which
combinations of the known traffic are used by attackers. While this could be
interesting, you could probably gather all that by analyzing the logs of your
firewall or blocking mechanisms.

Please don't get me wrong, the idea sounds interesting but I'm probably not
imaginative enough to get ideas about what benefit you'd get. Since you
already know a lot about the attacks, it seems a bit like watching script
kiddies but with a lot more work and complexity to achieve this.

Regards,

Richard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/b0nsCfA4EwqVdIQRAvWPAKCLf6cm1Ad30RZ+K/m+SHYOR9nSRQCeJ3yK
fyOtcVrtsorNruZbw6j7eg0=
=aZmb
-----END PGP SIGNATURE-----
