gangadhar npk wrote:
>It seems to be a very interesting thought. Correct me if I am wrong in understanding this -
>the basic premise is that, once the 'monitor' identifies a process that is not conforming to the usual practice (say via anomaly detection), it silently transfers the process image to a honeypot - without disruption of any sort and the process runs within the honeypot (a VM, in all probability).
>Maybe initially one can only take care of the socket connections, and then move to the part of file handles, memmaps and others.
>Was this attempted before - I don't know, hence the question.
>
>Thanks
>Gangadhar
>-----Original Message-----
>From: "Payton, Zack" <Zack.Payton_at_MWAA.com>
>To: <dewadedw_at_yahoo.com>, <honeypots_at_securityfocus.com>
>Date: Tue, 11 Oct 2005 11:09:17 -0400
>Subject: RE: search for master of science project topic
>
>Sure, What about writing a paper about the best way to monitor
>processes on a production box and processes transfer and tcp redirect to
>honeypot in event of anomaly.
>Zack
>
>
I think that's an intriguing idea.
It melds intrusion protection with a honeypot, one that
would require re-engineering a honeypot.
Zack, if I get you right, the following would occur:
1. IDS detects suspicious/malicious traffic
2. The connection state would be transferred to the honeypot
3. The connection route would be redirected to the honeypot
4. The honeypot would spoof the original host and start gathering data
I'm not sure of the usefulness/feasibility though.
It would surely require a HIDS client on the target that (A)
works with the IDS and honeypot to effect a transfer of
connection and state data, and (B) responds to IPS/IDS
warnings to not go through with data transfer.
Now, as a vast improvement to typical firewall and IPS
behavior, I think it's a cool idea to have an IDS/IPS effect
a transfer of a connection from the actual targeted host
to a honeypot, instead of simply dropping the traffic.
Such a system would expand the scope of honeypot data
collection to actively taking over connections or attempted
connections from other systems, rather than sitting there
passively waiting for traffic only on its delegated network
address space.
In addition, I think it would be interesting to try this
technique with takeover of an encrypted connection.
It's worth exploring, discussing.
My .02 cents worth.
--
Excellence in InfoSec and Linux
http://www.altsec.info
Received on Oct 14 2005
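As an added illustration of the four-step takeover sketched in the reply above (not code from the thread or from any of its participants), the following Python model runs a constructed packet trace through a toy IDS rule, hands the flagged source's connection state to a honeypot, and rewrites addresses in both directions so the honeypot answers as the original host. The honeypot address, the scan threshold, the IP addresses and the packets are all constructed; the per-connection state is reduced to the peer's last sequence number and an "established" flag, which is exactly the kind of data a HIDS client on the production host would have to supply for the transfer to be seamless.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

HONEYPOT_IP = "10.0.0.99"   # constructed honeypot address
SCAN_THRESHOLD = 4          # constructed: distinct target ports that count as a scan


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Packet:
    flow: Flow
    seq: int
    ack: int
    flags: str              # TCP flags, e.g. "S", "A", "PA"


@dataclass
class ConnState:
    """Per-connection state the HIDS client would have to hand to the honeypot."""
    peer_seq: int           # last sequence number seen from the remote peer
    established: bool       # whether the handshake completed on the production host


class Detector:
    """Step 1: a deliberately simple anomaly rule, distinct target ports per source."""

    def __init__(self, threshold: int = SCAN_THRESHOLD):
        self.targets = defaultdict(set)
        self.threshold = threshold

    def suspicious(self, pkt: Packet) -> bool:
        self.targets[pkt.flow.src_ip].add((pkt.flow.dst_ip, pkt.flow.dst_port))
        return len(self.targets[pkt.flow.src_ip]) >= self.threshold


class Takeover:
    """Steps 2-4: move state to the honeypot, then rewrite addresses both ways."""

    def __init__(self, honeypot_ip: str = HONEYPOT_IP):
        self.honeypot_ip = honeypot_ip
        self.flagged: set[str] = set()
        self.host_state: dict[Flow, ConnState] = {}      # owned by the production host
        self.honeypot_state: dict[Flow, ConnState] = {}  # handed over to the honeypot

    def track(self, pkt: Packet) -> None:
        # Record the flow on whichever side currently owns it.
        st = self.honeypot_state.get(pkt.flow)
        if st is None:
            st = self.host_state.setdefault(pkt.flow, ConnState(0, False))
        st.peer_seq = pkt.seq
        if "A" in pkt.flags:
            st.established = True

    def transfer(self, src_ip: str) -> list[Flow]:
        # Step 2: every flow from the flagged source moves, with its state, to the honeypot.
        moved = [f for f in self.host_state if f.src_ip == src_ip]
        for f in moved:
            self.honeypot_state[f] = self.host_state.pop(f)
        return moved

    def inbound(self, pkt: Packet) -> Packet:
        # Step 3: packets of a transferred flow are re-routed to the honeypot (DNAT-style).
        if pkt.flow in self.honeypot_state:
            return replace(pkt, flow=replace(pkt.flow, dst_ip=self.honeypot_ip))
        return pkt

    def outbound(self, pkt: Packet) -> Packet:
        # Step 4: a honeypot reply leaves carrying the original host's address (SNAT-style).
        for orig in self.honeypot_state:
            if (orig.src_ip, orig.src_port, orig.dst_port) == (
                    pkt.flow.dst_ip, pkt.flow.dst_port, pkt.flow.src_port):
                return replace(pkt, flow=replace(pkt.flow, src_ip=orig.dst_ip))
        return pkt


def simulate(packets: list[Packet]) -> tuple[list[Packet], Takeover]:
    """Run the four steps over a trace; return the packets as actually delivered."""
    det, nat = Detector(), Takeover()
    delivered = []
    for pkt in packets:
        nat.track(pkt)
        if pkt.flow.src_ip not in nat.flagged and det.suspicious(pkt):
            nat.flagged.add(pkt.flow.src_ip)
            nat.transfer(pkt.flow.src_ip)
        delivered.append(nat.inbound(pkt))
    return delivered, nat


ATTACKER, HOST = "192.0.2.10", "10.0.0.5"   # constructed addresses
SAMPLE = [                                   # constructed trace
    Packet(Flow(ATTACKER, 40000, HOST, 80), 1000, 0, "S"),      # ordinary-looking session
    Packet(Flow(ATTACKER, 40000, HOST, 80), 1001, 5001, "A"),   # handshake completes
    Packet(Flow(ATTACKER, 40001, HOST, 22), 2000, 0, "S"),      # probing other ports
    Packet(Flow(ATTACKER, 40002, HOST, 443), 3000, 0, "S"),
    Packet(Flow(ATTACKER, 40003, HOST, 3306), 4000, 0, "S"),    # fourth port: rule fires
    Packet(Flow(ATTACKER, 40000, HOST, 80), 1001, 5001, "PA"),  # data on the old session
]

if __name__ == "__main__":
    out, _ = simulate(SAMPLE)
    for p in out:
        print(f"{p.flow.src_ip}:{p.flow.src_port} -> {p.flow.dst_ip}:{p.flow.dst_port} {p.flags}")
```

The model makes the open question in the reply concrete: redirecting the route (step 3) is a plain NAT rewrite, but the already-established port 80 session only survives the move because its state was carried across in step 2, and that state lives on the production host, which is why a cooperating HIDS client there is unavoidable.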