
focus-ids: IDS mailing list archives

Re: RES: Protocol Anomaly Detection IDS - Honeypots
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 21 Feb 2003 18:33:17 -0600

On Fri, 2003-02-21 at 10:54, Mike Shaw wrote:
> > For example, you create a word document that has the title of payroll
> > or 'research and development'.  You put whatever fluff you want in the
> > document, and give it a "tracking number", such as 14A8478bG98734T90AAZ.
> 
> This is something I've been doing on my production networks for a couple years now, but at more than the wire level.
> 
> Excel spreadsheets of bogus usernames and passwords.
> Fake info being passed over AIM and other cleartext protocols on a hub.
> Bogus customer records in a banking app.
> Bogus hosts in host lists.
> File names that should never be in a directory scan.
> False DNS entries such as "accounting.domain.com"
> 
> The possibilities are endless.

Yes, they are. When discussing this, we have to be careful not to
overstep the fine line that differentiates the honeytoken idea from a
copy-bug or a deception pool.

A copy-bug is a marker embedded in a document that lets you identify an
illegal copy. Most widely used are grammatical or typographical errors.
If someone reproduces a document titled 'The Delcaration of
Independence' you can spot it because you know that you marked it with that

A deception pool is a stash of falsified documents (think research data)
amongst which you hide the real document. Imagine a folder called
Research with the files Result00001.doc until Result99999.doc. Only
Result77453.doc contains the real result.

Copy-bugs can be tracked just like you would zoom in on a honeytoken,
but they do not attract like a honeypot. A deception-pool provides a lot
of false info, just like a honeypot/honeytoken, but again does not
attract. Honeypots, while providing false info, attract the hacker so we
can learn about their techniques. 

Don't get me wrong, the idea of honeytokens is great. But we have to be
careful that we don't give an old horse a new name.


Attachment: signature.asc
Description: This is a digitally signed message part
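As an added example, not part of Frank Knobbe's or Mike Shaw's messages: a small Python honeytoken registry that holds the kinds of bait listed in the thread (the tracking number from the quoted post, a bogus username, a false DNS name), scans log lines for them, and emits Snort content rules so the same tokens can also be watched at the wire level. The point of a honeytoken is that the string has no legitimate reason to exist anywhere, so every match is an alert rather than a statistic to tune. The syslog-style lines, the username payroll_admin, the file names and the client address 10.1.2.55 are constructed for this example.

```python
"""Honeytoken registry with log-line detection and Snort rule generation.

Added example for this thread; the tokens echo the bait described in the
messages (tracking number, bogus credential, false DNS entry).  The log
lines, the username "payroll_admin" and the client 10.1.2.55 are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    value: str       # the planted string; must never occur legitimately
    kind: str        # tracking-number, credential, dns, ...
    planted_in: str  # where the bait lives, for the alert text


@dataclass(frozen=True)
class Hit:
    token: Honeytoken
    source: str      # which log the line came from
    line_no: int
    line: str


class HoneytokenMonitor:
    def __init__(self, tokens):
        self.tokens = list(tokens)
        # One alternation of escaped literals.  IGNORECASE catches
        # case-folded hostnames and usernames without extra tokens.
        alternation = "|".join(re.escape(t.value) for t in self.tokens)
        self._re = re.compile(alternation, re.IGNORECASE)
        self._by_value = {t.value.lower(): t for t in self.tokens}

    def scan_lines(self, source, lines):
        """Return a Hit for every token occurrence; no hit is ever benign."""
        hits = []
        for n, line in enumerate(lines, start=1):
            for m in self._re.finditer(line):
                token = self._by_value[m.group(0).lower()]
                hits.append(Hit(token, source, n, line))
        return hits

    def snort_rules(self, base_sid=1000001):
        """Plain content rules so the wire sees the same bait.  The tokens
        used here contain none of ; " \\ | which a content match would need
        escaped."""
        rules = []
        for i, t in enumerate(self.tokens):
            rules.append(
                'alert tcp any any -> any any '
                f'(msg:"Honeytoken {t.kind} seen ({t.planted_in})"; '
                f'content:"{t.value}"; nocase; sid:{base_sid + i}; rev:1;)'
            )
        return rules


TOKENS = [
    Honeytoken("14A8478bG98734T90AAZ", "tracking-number", "payroll.doc"),
    Honeytoken("payroll_admin", "credential", "bogus passwords.xls"),
    Honeytoken("accounting.domain.com", "dns", "false DNS entry"),
]

# Constructed syslog-style lines; three carry a token, two are benign.
SAMPLE_LOG = [
    "Feb 21 18:01:02 ns1 named[123]: client 10.1.2.55#5150: query: ACCOUNTING.domain.com IN A",
    "Feb 21 18:01:09 ns1 named[123]: client 10.1.2.20#5151: query: www.domain.com IN A",
    "Feb 21 18:03:44 proxy squid[77]: 10.1.2.55 GET http://paste.invalid/u?ref=14A8478bG98734T90AAZ",
    "Feb 21 18:05:10 gw sshd[444]: Failed password for payroll_admin from 10.1.2.55 port 40111",
    "Feb 21 18:05:12 gw sshd[444]: Accepted publickey for alice from 10.1.2.20 port 40112",
]


def detect_sample():
    return HoneytokenMonitor(TOKENS).scan_lines("syslog", SAMPLE_LOG)


def hosts_touching_bait(hits):
    """Client addresses appearing on hit lines, for pivoting in the IDS."""
    ip = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    return sorted({addr for h in hits for addr in ip.findall(h.line)})


if __name__ == "__main__":
    hits = detect_sample()
    for h in hits:
        print(f"{h.source}:{h.line_no} {h.token.kind:<16} {h.token.value} <- {h.line}")
    print("hosts:", hosts_touching_bait(hits))
    print("\n".join(HoneytokenMonitor(TOKENS).snort_rules()))
```

Run against the constructed log, the three baited lines trip three distinct tokens and all trace back to the same client, which is the kind of correlation the thread is after: the token itself attracts nothing, but the moment it shows up in a DNS query, a proxy log or a login attempt you know which bait was taken and by whom.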
