Home page logo
/

focus-ids logo IDS mailing list archives

Re: RES: Protocol Anomaly Detection IDS - Honeypots
From: Lance Spitzner <lance () honeynet org>
Date: Fri, 21 Feb 2003 10:36:56 -0600 (CST)

On Fri, 21 Feb 2003, Augusto Paes de Barros wrote:

Lance's point can be expanded in very interesting views. Why use only
honeypots "hosts" or "nets", when whe can use accounts, documents, info,
etc? I was developing an idea that I call "honeytokens", to use on Windows
networks. Basically, information that shouldn't be flowing over the network
and, if you can detect it, something wrong is happening.

Ohh, ooh!  Very cool suggestion Augusto!  This is something I never
thought of.  Create documents, webpages, or resources that no one should
be accessing.  You create these resources with specific, obvious signatures
so your detections mechanisms (logs, IDS sensors, etc) can easily pick
them up.  If you detect these resources being moved around your network,
you know something is up!

For example, you create a word document that has the title of payroll
or 'research and development'.  You put whatever fluff you want in the
document, and give it a "tracking number", such as 14A8478bG98734T90AAZ.
Now, you simply create a signature looking for that "tracking number".
The concept would be to create resources that no one should be accessing
(the honeytoken) but is easily detectable if they do.  You would have to 
ensure the signature, as in this case the tracking number, is unique enough 
that it minizimes, if not eliminate, false positives.

This potentially opens a whole new world to honeypot concepts :)

very cool :)

lance


-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]