RES: Protocol Anomaly Detection IDS - Honeypots
From: "Augusto Paes de Barros" <augusto () paesdebarros com br>
Date: Fri, 21 Feb 2003 18:53:33 -0300

You are right Rob, but I believe it is very important to be able to
detect things like that. The guy could be someone that managed to reach
the internal network without the use of common attacks. Physically, if
you want an example. Yes, he is elbows-deep in the goodies. Isn't it the
type of situation that we really need to know about?

I liked when you mentioned database entries. It's my new favourite
"honeytoken" now! Let's imagine that the only authorized way to access a
DB is through Stored Procedures. If your SPs already discard the
honeytokens, every time someone accesses the table directly, the bogus
record will be returned and detected by the IDS. Quite interesting,
don't you think?

Regards,

Augusto

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Friday, February 21, 2003 16:33
To: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots


Interesting notion, but with a few problems.  My idea of a honeypot was
an untrusted machine that draws fire, so to say, from an attacker.  In
doing so, it serves the dual roles of concentrating the attacking
traffic onto a segment that is far more homogeneous (in terms of
activity) and therefore easier to monitor, and causing the attacker to
focus on a system that will not give him access to anything of any
importance.  Putting "honey documents" or other data (like database
entries or LDAP objects) in the midst of valid data will not draw
attention away, and even if they did, detection of them wouldn't get you
anything new.  If your IDS sees the content that it is to look for in
these documents, why wouldn't it have seen any of the attacking traffic
to begin with?  And either way, the bad guy is already elbows-deep in
your goodies at that point.

-----Original Message-----
From: Augusto Paes de Barros [mailto:augusto () paesdebarros com br]
Sent: Friday, February 21, 2003 6:18 AM
To: focus-ids () securityfocus com
Subject: RES: Protocol Anomaly Detection IDS - Honeypots


Lance's point can be expanded into very interesting views. Why
use only honeypot "hosts" or "nets", when we can use
accounts, documents, info, etc? I was developing an idea that
I call "honeytokens", to use on Windows networks. Basically,
information that shouldn't be flowing over the network and,
if you can detect it, something wrong is happening.

--
Augusto Paes de Barros, CISSP
http://www.paesdebarros.com.br
augusto () paesdebarros com br



-----Original Message-----
From: Lance Spitzner [mailto:lance () honeynet org]
Sent: Thursday, February 20, 2003 15:59
To: Robert Graham
Cc: Focus on Intrusion Detection Systems; slyph () alum mit edu
Subject: Re: Protocol Anomaly Detection IDS - Honeypots


On Wed, 19 Feb 2003, Robert Graham wrote:

People have been hoping that there is some sort of magic-pill
technology that solves the problem of IDS. "Protocol-anomaly
detection" is one of those buzzwords that promises a magic pill.

Okay, I'll admit, to me a lot of the security problems I see
are nothing more than nails, and honeypots are the hammer.
However, seriously, have folks considered the detection
capabilities of honeypots?  The reason I bring this up in
this thread is that for honeypots, everything is an anomaly.  The
concept of a honeypot is it has no production or authorized
activity. Everything it captures is most likely
malicious activity.  Not only that, but you dramatically
reduce 'noise'.  Instead of dealing with 5,000 alerts a day
(not that high of a number for many organizations) a honeypot
in the same environment could only generate 5 or 10 alerts a
day, alerts you most likely need to take action on.  These
small data sets can make it far easier and cost effective to
identify and act on unauthorized activity.

I'm in no way suggesting that honeypots replace any existing
detection technologies, I'm suggesting that they can contribute.
Personally, I feel the concept of deception has overshadowed
the value of honeypots, when one of their true values lies in
detection.

lance


-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure







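A small worked version of the database honeytoken idea Augusto describes above (a bogus row that the stored procedure always discards, so it can only show up on the wire when someone reads the table directly). This is an added illustration, not code from the thread; the table, its rows, the honeytoken value and the wire format are constructed, and the stored procedure is modelled as a Python function over an in-memory SQLite database.

```python
import sqlite3

# Constructed honeytoken: a bogus customer record no legitimate caller should ever receive.
HONEYTOKEN_EMAIL = "cfo.backup@payroll-archive.invalid"  # assumed value, not from the thread


def build_db():
    """In-memory stand-in for the production table, seeded with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Alice Example", "alice@example.com"),
        (2, "Bob Example", "bob@example.com"),
        (3, "Honey Token", HONEYTOKEN_EMAIL),   # the planted record
    ])
    return con


def sp_get_customers(con):
    """Models the stored procedure: the only authorized path, which discards the honeytoken."""
    return con.execute(
        "SELECT id, name, email FROM customers WHERE email <> ?", (HONEYTOKEN_EMAIL,)
    ).fetchall()


def direct_table_read(con):
    """Models a query that bypasses the stored procedure and reads the table directly."""
    return con.execute("SELECT id, name, email FROM customers").fetchall()


def to_wire(rows):
    """Serialize a result set as it might appear in response traffic (simplified line format)."""
    return "\n".join("|".join(str(c) for c in row) for row in rows).encode()


def ids_inspect(payload: bytes):
    """The IDS content rule: alert when the honeytoken value is observed on the wire."""
    if HONEYTOKEN_EMAIL.encode() in payload:
        return "ALERT: honeytoken row observed; table accessed outside the stored procedure"
    return None


if __name__ == "__main__":
    db = build_db()
    print(ids_inspect(to_wire(sp_get_customers(db))))   # prints None: authorized path is clean
    print(ids_inspect(to_wire(direct_table_read(db))))  # prints the ALERT string
```

The same rule can be expressed as a plain content signature in a network IDS, since the honeytoken value is a fixed string that has no reason to appear in legitimate responses.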

