|
IDS
mailing list archives
Re: RES: Protocol Anomaly Detection IDS - Honeypots
From: Marc Benoit <marc () corsanet com>
Date: 21 Feb 2003 23:30:59 -0000
In-Reply-To: <20030221131510.29145.qmail () mail securityfocus com>
This basic theory is laid out very well in Activescout by Forescout which is a
technology that we rely on internally. A potential intruder performs reconnaissance
on your network, the scout picks it up and responds with marked packets
representing fictitious honeytokens which you can then act on when they come
back with the goods. It works on any network with no falsies and up to much
greater speeds than we require.
-Marc
Lance's point can be expanded in very interesting views. Why use only
honeypots "hosts" or "nets", when whe can use accounts, documents, info,
etc? I was developing an idea that I call "honeytokens", to use on Windows
networks. Basically, information that shouldn't be flowing over the network
and, if you can detect it, something wrong is happening.
-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure
 By Date 
By Thread
Current thread:
- RE: Protocol Anomaly Detection IDS - Honeypots, (continued)
| 
Intro
