focus-ids IDS mailing list archives

RE: Protocol Anomaly Detection IDS - Honeypots
From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Fri, 21 Feb 2003 16:36:26 -0500 (EST)

Very true; so you have to be careful where you place the IDS given those
sorts of issues; the original idea is still valid that there are lots of
good uses for honeytokens that can well supplement the 'normal' use of an

Jordan Wiens
UF Network Incident Response Team

On Fri, 21 Feb 2003, Rob Shein wrote:

Yeah, but if you have more than one LDAP server, and replication, you'll
also snag other valid traffic that happens to control the objects in LDAP.

-----Original Message-----
From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
Sent: Friday, February 21, 2003 3:13 PM
To: Rob Shein
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots

The point seems to be that it's possible to be elbow-deep in
someone's networks with relatively 'normal' traffic the IDS
won't pick up.  A specifically designed web-crawler can sneak
right under the radar of a typical IDS, yet it would easily
be detected by a honeytoken.  Slowly enumerating all users
from a public LDAP directory probably won't be detected by
the IDS, but a honeytoken would snag it.
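
Added example, not part of the original thread: a sketch of the honeytoken check discussed above, flagging any touch of a decoy LDAP entry regardless of request rate while keeping traffic from known replication peers separate. The log format, the decoy DN, and the addresses are constructed assumptions, not the output of any particular LDAP server.

```python
import re

# Constructed sample lines in a simplified, hypothetical access-log format.
SAMPLE_LOG = """\
2003-02-21T15:00:01 src=10.0.0.20 op=SEARCH dn="uid=alice,ou=people,dc=example,dc=org"
2003-02-21T15:04:10 src=10.0.0.2 op=MODIFY dn="uid=svc.archive,ou=people,dc=example,dc=org"
2003-02-21T15:20:44 src=192.0.2.77 op=SEARCH dn="uid=bob,ou=people,dc=example,dc=org"
2003-02-21T16:55:09 src=192.0.2.77 op=SEARCH dn="UID=svc.archive, ou=People,dc=example,dc=org"
""".splitlines()

LINE_RE = re.compile(r'^(\S+) src=(\S+) op=(\S+) dn="([^"]*)"$')


def normalize_dn(dn):
    """Lower-case and trim each RDN so spelling variants of one DN compare equal.

    Simplification: splits on every comma, so escaped commas are not handled.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def honeytoken_hits(lines, honeytoken_dn, replication_peers):
    """Return (alerts, suppressed) for every operation touching the decoy entry.

    alerts: touches from any source that is not a listed replication peer.
    suppressed: touches from replication peers, kept for review rather than
    dropped, since replication legitimately handles the object.
    """
    target = normalize_dn(honeytoken_dn)
    alerts, suppressed = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignored in this sketch
        ts, src, op, dn = m.groups()
        if normalize_dn(dn) != target:
            continue
        bucket = suppressed if src in replication_peers else alerts
        bucket.append((ts, src, op))
    return alerts, suppressed


if __name__ == "__main__":
    decoy = "uid=svc.archive,ou=people,dc=example,dc=org"  # constructed decoy DN
    alerts, suppressed = honeytoken_hits(SAMPLE_LOG, decoy, {"10.0.0.2"})
    print("alerts:", alerts)
    print("suppressed (replication peers):", suppressed)
```

The slow enumeration in the sample spans almost two hours, yet the single touch of the decoy entry is enough to raise the alert; the replica's MODIFY lands in the suppressed list instead.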
