Home page logo
/

focus-ids logo IDS mailing list archives

RE: Protocol Anomaly Detection IDS - Honeypots
From: "Rob Shein" <shoten () starpower net>
Date: Fri, 21 Feb 2003 17:07:03 -0500

At what point does this concept get too unwieldy?  In this scenario, people
have to have knowledge of the various types of LDAP traffic (and know how to
differentiate them on the wire) in order to write the rules to catch a
single type of honeytoken.  I certainly don't have that breadth of
knowledge, and I've learned how to do a whole lot of different things.
There are workarounds for almost anything under the sun, but some of them
require workarounds that make them infeasible.  I think the overhead in
terms of administration and and braintrust that would be needed to seed an
enterprise with such granular honey-things is better spent on other ways of
securing that enterprise.

-----Original Message-----
From: Augusto Paes de Barros [mailto:augusto () paesdebarros com br] 
Sent: Friday, February 21, 2003 4:56 PM
To: 'Rob Shein'; 'Jordan K Wiens'
Cc: focus-ids () securityfocus com
Subject: RES: Protocol Anomaly Detection IDS - Honeypots


True! But you can configure the rule on the IDS to catch the 
honeytoken on all traffic BUT the traffic between the servers.

[]s
Augusto Paes de Barros, CISSP
www.paesdebarros.com.br
 

-----Mensagem original-----
De: Rob Shein [mailto:shoten () starpower net] 
Enviada em: sexta-feira, 21 de fevereiro de 2003 17:46
Para: 'Jordan K Wiens'
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Assunto: RE: Protocol Anomaly Detection IDS - Honeypots


Yeah, but if you have more than one LDAP server, and 
replication, you'll also snag other valid traffic that 
happens to control the objects in LDAP.

-----Original Message-----
From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
Sent: Friday, February 21, 2003 3:13 PM
To: Rob Shein
Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots


The point seems to be that it's possible to be eblow-deep 
in someones 
networks with relatively 'normal' traffic the IDS won't pick up.  A 
specifically designed web-crawler can sneak right under the 
radar of a 
typical IDS, yet it would easily be detected by a 
honeytoken.  Slowly 
enumerating all users from a public LDAP directory probably 
won't be 
detected by the IDS, but a honeytoken would snag it.

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Fri, 21 Feb 2003, Rob Shein wrote:

Interesting notion, but with a few problems.  My idea of 
a honeypot 
was an untrusted machine that draws fire, so to say, from
an attacker.
In doing so, it serves the dual roles of concentrating the
attacking
traffic onto a segment that is far more homogenous (in terms of
activity) and therefore easier to monitor, and causing the
attacker to
focus on a system that will not give him access to 
anything of any 
importance.  Putting "honey documents" or other data 
(like database 
entries or LDAP objects) in the midst of valid data will not draw 
attention away, and even if they did, detection of them
wouldn't get
you anything new.  If your IDS sees the content that it is
to look for
in these documents, why wouldn't it have seen any of the 
attacking 
traffic to begin with?  And either way, the bad guy is already 
elbows-deep in your goodies at that point.

-----Original Message-----
From: Augusto Paes de Barros 
[mailto:augusto () paesdebarros com br]
Sent: Friday, 
February 21, 2003 6:18 AM
To: focus-ids () securityfocus com
Subject: RES: Protocol Anomaly Detection IDS - Honeypots


Lance's point can be expanded in very interesting 
views. Why use 
only honeypots "hosts" or "nets", when whe can use accounts, 
documents, info, etc? I was developing an idea that I call 
"honeytokens", to use on Windows networks. Basically, 
information 
that shouldn't be flowing over the network and, if you 
can detect 
it, something wrong is happening.

--
Augusto Paes de Barros, CISSP http://www.paesdebarros.com.br
augusto () paesdebarros com br




-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure



-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]