Home page logo
/

focus-ids logo IDS mailing list archives

RE: Protocol Anomaly Detection IDS - Honeypots
From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Fri, 21 Feb 2003 16:36:26 -0500 (EST)

Very true; so you have to be careful where you place the IDS given those
sorts of issues; the original idea is still valid that there are lots of
good uses for honeytokens that can well supplement the 'normal' use of an
IDS.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Fri, 21 Feb 2003, Rob Shein wrote:

Yeah, but if you have more than one LDAP server, and replication, you'll
also snag other valid traffic that happens to control the objects in LDAP.

-----Original Message-----
From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
Sent: Friday, February 21, 2003 3:13 PM
To: Rob Shein
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots


The point seems to be that it's possible to be eblow-deep in
someones networks with relatively 'normal' traffic the IDS
won't pick up.  A specifically designed web-crawler can sneak
right under the radar of a typical IDS, yet it would easily
be detected by a honeytoken.  Slowly enumerating all users
from a public LDAP directory probably won't be detected by
the IDS, but a honeytoken would snag it.



-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]