Honeypots mailing list archives

Re: Honeytokens and detection
From: "Bram Matthys \(Syzop\)" <syz () dds nl>
Date: Fri, 04 Apr 2003 01:32:02 +0200

[I usually don't give out information about my
 quite original honeypot kernel modules, but let's make
 an exception today ;)]

Hi,

Lance Spitzner wrote:
I was thinking that Honeytokens could be used for detecting
when such data was compromised/stolen.  Inside each
database Honeytoken numbers are inserted.  These tokens
are known to have no value, no one should be using them.
Detection mechanisms such as IDS signatures are then created
to look for and detect these tokens being accessed or used.

it's not exactly the same, but...

I once created a kernel module which monitored unlink()'s.
I then created ~10 useless files all over the filesystem
and if a unlink() was called for one of them, the system
would halt[*].
The idea is/was to use these "traps" against "rm -rf /"-like things.
Of course this doesn't defend against dd if=/dev/zero of=/dev/hda,
but it can have some use. It also doesn't rely on a special /bin/rm
binary since it could have been replaced by the attacker.

I think such "traps" can be quite useful at host level; at network
level it wouldn't get detected if the hacker uses ssh/scp/sftp[**]/etc.
Of course you can just use both.

        Bram Matthys (Syzop).

[*]: I don't recommend such an action at a production machine ;).
[**]: with own (host)key.
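The two detection ideas in this thread, Lance's honeytoken values that should never show up in logs and Bram's trap files whose deletion should never happen, can both be checked from user space. The following is an added example, not code from the original post and not the kernel module Bram describes: a kernel-level unlink() hook is replaced here by simply re-checking that the trap files still exist, and the halt is replaced by a report. All token values, file names and log lines are constructed sample data.

```python
"""Added example (not from the original post): userspace honeytoken checks.

1. Scan log lines for honeytoken values that legitimately never appear.
2. Plant canary ("trap") files and report any that were unlinked.
All tokens, paths and log lines are constructed for this example.
"""
import os
import re
import tempfile

# Constructed honeytoken values, e.g. fake account numbers seeded into a database.
HONEYTOKENS = frozenset({"4111-0000-9999-0001", "ACCT-HT-0002"})

# Constructed log lines; line 2 is a legitimate lookup and must not match.
SAMPLE_LOG = [
    "2003-04-04 01:30:01 app[123]: lookup account=ACCT-HT-0002 from 10.0.0.7",
    "2003-04-04 01:30:02 app[123]: lookup account=ACCT-0001 from 10.0.0.8",
    "2003-04-04 01:30:03 db: SELECT * FROM cards WHERE pan='4111-0000-9999-0001'",
]


def find_honeytoken_hits(log_lines, tokens=HONEYTOKENS):
    """Return (line_number, token) for every honeytoken occurrence in the lines.

    Tokens are regex-escaped so characters like '-' match literally, and
    sorted longest-first so a shorter token cannot mask a longer one.
    """
    pattern = re.compile("|".join(re.escape(t) for t in sorted(tokens, key=len, reverse=True)))
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for match in pattern.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def plant_canaries(directory, names):
    """Create empty trap files and return their paths. Content is irrelevant;
    only their continued existence is monitored."""
    paths = []
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "w"):
            pass
        paths.append(path)
    return paths


def missing_canaries(paths):
    """Return the trap files that no longer exist, i.e. were unlinked.
    lexists() is used so a dangling symlink still counts as present."""
    return [p for p in paths if not os.path.lexists(p)]


def demo_canary_cycle():
    """Plant canaries in a temp dir, unlink one, and return what the check saw:
    (missing count before deletion, basenames missing after deletion)."""
    directory = tempfile.mkdtemp(prefix="honeytrap-")
    paths = plant_canaries(directory, [".trap1", "core.bak", "passwd~"])
    before = missing_canaries(paths)
    os.unlink(paths[1])  # stands in for an unexpected unlink() of a trap file
    after = missing_canaries(paths)
    for p in paths:  # clean up the temp directory
        if os.path.lexists(p):
            os.unlink(p)
    os.rmdir(directory)
    return len(before), [os.path.basename(p) for p in after]


if __name__ == "__main__":
    for lineno, token in find_honeytoken_hits(SAMPLE_LOG):
        print(f"honeytoken {token!r} seen on log line {lineno}")
    print("canary check:", demo_canary_cycle())
```

Polling for file existence is a weaker signal than Bram's in-kernel unlink() hook, since an attacker who replaces the file between checks goes unnoticed; it is shown here only because it runs anywhere without a kernel module. The log matcher is the host-side counterpart of the IDS signature Lance describes.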

