Home page logo
/

focus-ids logo IDS mailing list archives

RE: Protocol Anomaly Detection IDS - Honeypots
From: "Rob Shein" <shoten () starpower net>
Date: Fri, 21 Feb 2003 16:54:20 -0500

I don't see where you'd place an IDS so that it saw some kinds of LDAP
traffic but not others.  Especially when there are different LDAP servers
connected with WAN links...I don't know of anyone who has dedicated WAN
links for LDAP traffic...come to think of it, I don't know anyone who has
dedicated networks for it either.

-----Original Message-----
From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu] 
Sent: Friday, February 21, 2003 4:36 PM
To: Rob Shein
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots


Very true; so you have to be careful where you place the IDS 
given those sorts of issues; the original idea is still valid 
that there are lots of good uses for honeytokens that can 
well supplement the 'normal' use of an IDS.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Fri, 21 Feb 2003, Rob Shein wrote:

Yeah, but if you have more than one LDAP server, and replication, 
you'll also snag other valid traffic that happens to control the 
objects in LDAP.

-----Original Message-----
From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
Sent: Friday, February 21, 2003 3:13 PM
To: Rob Shein
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots


The point seems to be that it's possible to be eblow-deep in 
someones networks with relatively 'normal' traffic the IDS won't 
pick up.  A specifically designed web-crawler can sneak 
right under 
the radar of a typical IDS, yet it would easily be detected by a 
honeytoken.  Slowly enumerating all users from a public LDAP 
directory probably won't be detected by the IDS, but a honeytoken 
would snag it.




-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]