Honeypots mailing list archives
Re: honeytokens in databases
From: Valdis.Kletnieks () vt edu
Date: Mon, 18 Sep 2006 14:35:06 -0400
On Mon, 18 Sep 2006 15:14:56 -0000, gvij2000 () yahoo com said:
> Hi, I would like some guidance in creating and deploying honeytokens.
> 1. Coming up with honeytoken data that would interest hackers.
This is very site-specific. What I might recommend for a honey token for our student-records crew is probably not a good fit for a hospital...
> 2. How and where do I place the data so that I can monitor hackers.
Well, you basically invent a totally fictitious entry for the database (be it a student transcript, a medical record, an accounts-payable - something that makes sense for your organization), and put it in the database along with all the production data. You then monitor the database system logs (with a program of course, this is too tedious to do by actually reading logs), and if you see somebody make a request for that specific database entry, then you know you need to start investigating. The only tough part is that you need to identify queries like 'SELECT name, ssn FROM student_table WHERE home_address_state = "VA"' where it's expected to be returned and not generating a false-positive. But if you go through the logs and find a 'SELECT * WHERE fullname = "John Q. Honeytoken"', you have a problem :)
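One way to write the log-monitoring program described in the message above, as an added example that is not part of the original post: it flags queries whose string literals name the honeytoken and ignores bulk queries that would merely return the row. The log line format, the sample lines and the SSN value are constructed assumptions; only the name and the two query shapes come from the message.

```python
import re

# Honeytoken values to watch for. The name is from the message; the SSN is constructed.
HONEYTOKENS = {"fullname": "John Q. Honeytoken", "ssn": "000-00-1234"}

# Constructed query log in an assumed "timestamp user=... query=..." format.
LOG = """\
2006-09-18T09:00:01 user=registrar_batch query=SELECT name, ssn FROM student_table WHERE home_address_state = "VA"
2006-09-18T09:14:40 user=webapp query=SELECT * FROM student_table WHERE fullname = "John Q. Honeytoken"
2006-09-18T09:15:02 user=webapp query=SELECT * FROM student_table WHERE fullname LIKE '%honeytoken%'
2006-09-18T09:20:00 user=advisor7 query=SELECT gpa FROM student_table WHERE fullname = 'John Smith'
"""

LINE = re.compile(r"^(\S+) user=(\S+) query=(.*)$")
LITERAL = re.compile(r"""(['"])(.*?)\1""")  # single- or double-quoted string literal


def normalize(text):
    """Collapse whitespace and case so formatting differences do not hide a match."""
    return re.sub(r"\s+", " ", text).strip().lower()


def hits(query, min_len=5):
    """Return the honeytoken fields named by any string literal in the query."""
    found = []
    for _, body in LITERAL.findall(query):
        # Strip LIKE wildcards so '%honeytoken%' is compared as 'honeytoken'.
        lit = normalize(body.replace("%", " ").replace("_", " "))
        if len(lit) < min_len:  # short literals such as "VA" are too generic to match on
            continue
        for field, value in HONEYTOKENS.items():
            token = normalize(value)
            if lit in token or token in lit:
                found.append(field)
    return found


def scan(log_text):
    """Return (timestamp, user, fields) for every log line that targets a honeytoken."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and (fields := hits(m.group(3))):
            alerts.append((m.group(1), m.group(2), sorted(set(fields))))
    return alerts


if __name__ == "__main__":
    for alert in scan(LOG):
        print("ALERT", *alert)
```

A query that reaches the row through a numeric key or another predicate never names the token in its text, so this check does not see it.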
Current thread:
- honeytokens in databases gvij2000 (Sep 18)
- Re: honeytokens in databases Valdis . Kletnieks (Sep 18)