IDS
mailing list archives
RE: Protocol Anomaly Detection IDS - Honeypots
From: "Rob Shein" <shoten () starpower net>
Date: Fri, 21 Feb 2003 16:54:20 -0500
I don't see where you'd place an IDS so that it saw some kinds of LDAP
traffic but not others. Especially when there are different LDAP servers
connected with WAN links...I don't know of anyone who has dedicated WAN
links for LDAP traffic...come to think of it, I don't know anyone who has
dedicated networks for it either.
-----Original Message-----
From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
Sent: Friday, February 21, 2003 4:36 PM
To: Rob Shein
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots
Very true; so you have to be careful where you place the IDS
given those sorts of issues; the original idea is still valid
that there are lots of good uses for honeytokens that can
well supplement the 'normal' use of an IDS.
--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061
On Fri, 21 Feb 2003, Rob Shein wrote:
Yeah, but if you have more than one LDAP server, and replication,
you'll also snag other valid traffic that happens to control the
objects in LDAP.
-----Original Message-----
From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
Sent: Friday, February 21, 2003 3:13 PM
To: Rob Shein
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots
The point seems to be that it's possible to be elbow-deep in
someone's networks with relatively 'normal' traffic the IDS won't
pick up. A specifically designed web-crawler can sneak right under
the radar of a typical IDS, yet it would easily be detected by a
honeytoken. Slowly enumerating all users from a public LDAP
directory probably won't be detected by the IDS, but a honeytoken
would snag it.
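An added example, not part of any message in this thread: a sketch of the honeytoken check discussed above, run over constructed LDAP access events, with an allowlist of replication peers to address the replicated-server objection. The log format, DNs, addresses and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# All names and values below are constructed for illustration.
HONEYTOKEN_DNS = {"uid=svc-backup-old,ou=people,dc=example,dc=org"}
REPLICATION_PEERS = {"10.0.0.11"}   # other LDAP servers that legitimately sync every entry
RATE_LIMIT, RATE_WINDOW_S = 3, 60   # volume threshold a rate-based rule might use

def normalize_dn(dn):
    """Case-fold and drop whitespace around RDN separators so comparisons are stable."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse(line):
    """Parse 'epoch src_ip operation dn' (a constructed log format)."""
    ts, src, op, dn = line.split(None, 3)
    return int(ts), src, op, normalize_dn(dn)

def honeytoken_alerts(lines):
    """Flag any access to a honeytoken entry unless it comes from a replication peer."""
    alerts = []
    for ts, src, op, dn in map(parse, lines):
        if dn in HONEYTOKEN_DNS and src not in REPLICATION_PEERS:
            alerts.append((ts, src, op, dn))
    return alerts

def rate_alerts(lines):
    """Return sources with more than RATE_LIMIT requests inside RATE_WINDOW_S seconds."""
    by_src = defaultdict(list)
    for ts, src, _, _ in map(parse, lines):
        by_src[src].append(ts)
    noisy = set()
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > RATE_WINDOW_S:
                start += 1
            if end - start + 1 > RATE_LIMIT:
                noisy.add(src)
    return noisy

def build_sample():
    """Constructed events: a slow reader (one entry per 10 minutes) and a replication peer."""
    lines = []
    for i, uid in enumerate(["alice", "bob", "svc-backup-old", "carol"]):
        dn = f"uid={uid}, ou=People, dc=example, dc=org"
        lines.append(f"{1000 + i * 600} 192.0.2.77 SEARCH {dn}")
        lines.append(f"{1000 + i} 10.0.0.11 SYNC {dn}")
    return lines

if __name__ == "__main__":
    sample = build_sample()
    print("rate-based:", rate_alerts(sample))
    print("honeytoken:", honeytoken_alerts(sample))
```

On this sample the volume rule never sees the slow reader and instead fires on the replication peer, while the honeytoken check reports only the one read of the decoy entry.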