Home page logo

focus-ids logo IDS mailing list archives

Re: Protocol Anomaly Detection IDS - Honeypots
From: "dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>
Date: Thu, 20 Feb 2003 23:56:56 -0700

On Thu, Feb 20, 2003 at 07:48:36PM -0500, Rob Shein wrote:
I have to agree entirely.  A lot of people think of a honeypot as something
set up to look like a wildly insecure box.  What I like to do is set one up
to look like most of the other network-available boxes, but with a slight
twist, like an open port that the others don't have.  It doesn't have to be
incredibly appealing, just a chink in the armor will draw attackers to it.
In "The Seven Samurai," the leader of the group states "Every good castle
must have a weakness in its defense."  He then uses that deliberate weakness
to lure attackers to that one spot, where he waits.  That's exactly what I
go for with a honeypot, and it works pretty darn well too :)
I would agree as well. It is often those that have perceived themselves
as invincible that provide the greatest flaws. As I alluded to earlier 
I see a hybrid arrangement with say the IDS running in bridge mode 
while the honeypot lives in a virtual space.. jail if you will with
the vulnerability 'emulation' recording over to write once CD. 
This would seem to be a interesting project. Then blend the two 
technologies by meeting somewhere in the middle for analysis. 
The "Seven Samurai" and that thought pattern could lend well
to Internet Security. Providing that one did not rely too heavily
on them necessarily taking the bait. There are more arts of deception
than just those being used in the computer realm. So if one leveraged
that judicially there might be some true benefits.

Best Regards,
dreamwvr () dreamwvr com

/*  Security is a work in progress - dreamwvr                 */
# Note: To begin Journey type man afterboot,man help,man hier[.]      
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]

Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]