IDS
mailing list archives
RE: Protocol Anomaly Detection IDS - Honeypots
From: "Rob Shein" <shoten () starpower net>
Date: Fri, 21 Feb 2003 15:45:57 -0500
Yeah, but if you have more than one LDAP server, and replication, you'll
also snag other valid traffic that happens to control the objects in LDAP.
-----Original Message-----
From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
Sent: Friday, February 21, 2003 3:13 PM
To: Rob Shein
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots
The point seems to be that it's possible to be elbow-deep in someone's networks with relatively 'normal' traffic the IDS won't pick up. A specifically designed web-crawler can sneak right under the radar of a typical IDS, yet it would easily be detected by a honeytoken. Slowly enumerating all users from a public LDAP directory probably won't be detected by the IDS, but a honeytoken would snag it.
--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061
On Fri, 21 Feb 2003, Rob Shein wrote:
Interesting notion, but with a few problems. My idea of a honeypot was an untrusted machine that draws fire, so to say, from an attacker. In doing so, it serves the dual roles of concentrating the attacking traffic onto a segment that is far more homogeneous (in terms of activity) and therefore easier to monitor, and causing the attacker to focus on a system that will not give him access to anything of any importance. Putting "honey documents" or other data (like database entries or LDAP objects) in the midst of valid data will not draw attention away, and even if they did, detection of them wouldn't get you anything new. If your IDS sees the content that it is to look for in these documents, why wouldn't it have seen any of the attacking traffic to begin with? And either way, the bad guy is already elbows-deep in your goodies at that point.
-----Original Message-----
From: Augusto Paes de Barros [mailto:augusto () paesdebarros com br]
Sent: Friday, February 21, 2003 6:18 AM
To: focus-ids () securityfocus com
Subject: RES: Protocol Anomaly Detection IDS - Honeypots
Lance's point can be expanded into very interesting views. Why use only honeypot "hosts" or "nets", when we can use accounts, documents, info, etc? I was developing an idea that I call "honeytokens", to use on Windows networks. Basically, information that shouldn't be flowing over the network and, if you can detect it, something wrong is happening.
--
Augusto Paes de Barros, CISSP http://www.paesdebarros.com.br
augusto () paesdebarros com br
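Jordan's LDAP enumeration case and Rob's replication caveat, as an added example that is not part of this thread: a small Python detector that scans constructed LDAP access-log lines for any operation touching a decoy DN and suppresses hits coming from an allowlisted replication peer subnet. The decoy DNs, the peer subnet and the log format are all assumptions made up for the illustration, not any real server's format.

```python
import re
from ipaddress import ip_address, ip_network

# Decoy objects planted in the directory (hypothetical names). No legitimate
# client should ever read, bind as, or modify them.
HONEYTOKEN_DNS = {
    "cn=backup-admin,ou=people,dc=example,dc=com",
    "cn=payroll-export,ou=groups,dc=example,dc=com",
}

# Rob's caveat: replication peers legitimately touch every object, decoys
# included, so their traffic is allowlisted (hypothetical peer subnet).
REPLICATION_PEERS = [ip_network("10.0.5.0/24")]

# Constructed log format: one line per operation; for SEARCH, one line per
# entry actually returned to the client, so an enumeration that reaches the
# decoy shows up here even when the search base was the whole directory.
LOG_RE = re.compile(r'^(\S+) src=(\S+) op=(\w+) dn="([^"]*)"')

# Constructed sample: a slow enumeration from 192.0.2.15 that returns the
# decoy, a replication peer reading it, and an outside host binding as it.
SAMPLE_LOG = """\
2003-02-21T15:10:01 src=192.0.2.15 op=SEARCH dn="uid=alice,ou=people,dc=example,dc=com"
2003-02-21T15:10:02 src=192.0.2.15 op=SEARCH dn="cn=backup-admin,ou=people,dc=example,dc=com"
2003-02-21T15:10:03 src=10.0.5.2 op=SEARCH dn="cn=backup-admin,ou=people,dc=example,dc=com"
2003-02-21T15:12:44 src=198.51.100.7 op=BIND dn="cn=backup-admin,ou=people,dc=example,dc=com"
not a log line
""".splitlines()

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, op, dn = m.groups()
    return {"ts": ts, "src": src, "op": op, "dn": dn.lower()}

def is_replication_peer(src):
    return any(ip_address(src) in net for net in REPLICATION_PEERS)

def honeytoken_hits(lines):
    """Alerts (ts, src, op, dn) for any non-peer source touching a decoy DN."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dn"] not in HONEYTOKEN_DNS:
            continue
        if is_replication_peer(rec["src"]):
            continue  # replication reads the decoy too; not an intrusion
        alerts.append((rec["ts"], rec["src"], rec["op"], rec["dn"]))
    return alerts

if __name__ == "__main__":
    for hit in honeytoken_hits(SAMPLE_LOG):
        print("HONEYTOKEN", *hit)
```

On the sample above the enumeration from 192.0.2.15 and the bind from 198.51.100.7 are reported, while the replication peer's read of the same decoy is suppressed.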