Home page logo
/

focus-ids logo IDS mailing list archives

RES: Protocol Anomaly Detection IDS - Honeypots
From: "Augusto Paes de Barros" <augusto () paesdebarros com br>
Date: Fri, 21 Feb 2003 11:17:46 -0000

Lance's point can be expanded in very interesting views. Why use only
honeypots "hosts" or "nets", when whe can use accounts, documents, info,
etc? I was developing an idea that I call "honeytokens", to use on Windows
networks. Basically, information that shouldn't be flowing over the network
and, if you can detect it, something wrong is happening.

--
Augusto Paes de Barros, CISSP
http://www.paesdebarros.com.br
augusto () paesdebarros com br



-----Mensagem original-----
De: Lance Spitzner [mailto:lance () honeynet org]
Enviada em: quinta-feira, 20 de fevereiro de 2003 15:59
Para: Robert Graham
Cc: Focus on Intrusion Detection Systems; slyph () alum mit edu
Assunto: Re: Protocol Anomaly Detection IDS - Honeypots


On Wed, 19 Feb 2003, Robert Graham wrote:

People have been hoping that there is some sort of magic-pill technology
that
solves the problem of IDS. "Protocol-anomaly detection" is one of those
buzzwords that promises a magic pill.

Okay, I'll admit, to me alot of the security problems I see are nothing
more then nails, and honeypots are the hammer.  However, seriously, have
folks
considered the detection capabilities of honeypots?  The reason I bring
this up in this thread, is for honeypots, everything is an anamoly.  The
concept of a honeypot is it has no production or authorized activity.
Everything it captures its way is most likely malicious activity.  Not
only that, but you dramaticaly reduce 'noise'.  Instead of dealing with
5,000 alerts a day (not that high of a number for many organizations) a
honeypot in the same environment could only generate 5 or 10 alerts a day,
alerts you most likely need to take action on.  These small data sets
can make it far easier and cost effective to identify and act on
unauthorized activity.

I'm in no way suggesting that honeypots replace any existing detection
technologies, I'm suggesting that can contribute.  Personally, I feel
the concept of deception has overshadowed the value of honeypots, when
one of their true values lies in detection.

lance


-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure


-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]