IDS Focus (focus-ids) Mailing List

Re: Honeypots, what is their limits for intrusion detection?

Wed, 1 Jul 2009 18:45:33 -1000

Posted by r00t on Jul 1

Hi Tomas,

That is not true. There are many types of honeypots and honeynets.
What that person may have been talking about are low interaction
honeypots as opposed to high interaction honeypots. High interaction
honeypots allow and attacker into the machine (since they are
purposely...

Re: Honeypots, what is their limits for intrusion detection?

Wed, 1 Jul 2009 19:49:47 -0400

Posted by Albert Gonzalez on Jul 1

Tomas,

From a misuse detection pov it will obiviously alert you on potential
attacks to a honeypot. But any and all traffic destined to a honeynet
(pot) should be deemed suspicious or malicious as there is no
legitimate reason for communication between these hosts and others.
...

Honeypots, what is their limits for intrusion detection?

Wed, 01 Jul 2009 10:18:53 +0200

Posted by Tomas Olsson on Jul 01

Hi,
I have a newbie question related to intrusion detection. It was
suggested to me that Honeypots only catches automated attacks, is that
true? How can we know which attacks are not caught? Is there any papers
on what sort of attacks are caught by using honeypots?

Regards
Tomas

...

Re: Snort with an expert system

Tue, 30 Jun 2009 15:23:08 +0200

Posted by Tomas Olsson on Jun 30

So after the precious discussion, I have the following questions:

* Would the following setup be useful (interesting enough to be used)?
(a) a set of sensors reporting "interesting" events from traffic
and from hosts (e.g. from NIDS,...

Re: Snort with an expert system

Tue, 30 Jun 2009 15:30:29 +0200

Posted by Stefano Zanero on Jun 30

Tomas Olsson wrote:

> * Would the following setup be useful (interesting enough to be used)?

Yes, but it's not easy to build in such a generic fashion, mostly
because the contents that you propose to analyze are not machine
readable, but rather human readable. So you would need some sort...

Re: Snort with an expert system

Sun, 28 Jun 2009 21:46:28 -0400

Posted by Martin Roesch on Jun 28

On Fri, Jun 26, 2009 at 4:14 PM, Stefano
Zanero<s.zanero_at_securenetwork.it> wrote:
>>> Not for nothing but #2 is exactly what Sourcefire's been doing since
>>> 2004. Sorry for the commercial but I think I've been pretty outspoken
>>> on this topic since...

Re: Snort with an expert system

Fri, 26 Jun 2009 14:18:53 -0700

Posted by Gary Halleen on Jun 26

I don't disagree with you. In fact, in an earlier message I said that for
operations people (security or network), all noise is a false positive, even
if, technically, it is not really.

Gary

On 6/26/09 12:30 PM, "Stuart Staniford" <sstaniford_at_FireEye.com> wrote:

>...

Re: Snort with an expert system

Fri, 26 Jun 2009 17:00:03 -0500 (CDT)

Posted by mhellman_at_taxandfinance.com on Jun 26

>>> Not for nothing but #2 is exactly what Sourcefire's been doing since
>>> 2004. Sorry for the commercial but I think I've been pretty outspoken
>>> on this topic since 2000 or so...
>
>> Well, I guess I have to pipe in also, then. Cisco is doing the...

Re: Snort with an expert system

Fri, 26 Jun 2009 12:30:45 -0700

Posted by Stuart Staniford on Jun 26

On Jun 25, 2009, at 5:18 PM, Gary Halleen wrote:

> On 6/25/09 3:26 AM, "Stefano Zanero" <s.zanero_at_securenetwork.it>
> wrote:
>
>>> "A false positive is an alert that triggers on normal traffic
>>> where no
>>> intrusion or...

Re: Snort with an expert system

Fri, 26 Jun 2009 22:14:07 +0200

Posted by Stefano Zanero on Jun 26

>> Not for nothing but #2 is exactly what Sourcefire's been doing since
>> 2004. Sorry for the commercial but I think I've been pretty outspoken
>> on this topic since 2000 or so...

> Well, I guess I have to pipe in also, then. Cisco is doing the same. Read
> my...

Re: Snort with an expert system

Thu, 25 Jun 2009 17:18:00 -0700

Posted by Gary Halleen on Jun 25

On 6/25/09 3:26 AM, "Stefano Zanero" <s.zanero_at_securenetwork.it> wrote:

>> "A false positive is an alert that triggers on normal traffic where no
>> intrusion or attack is underway"
>
> That's a good definition, but not really complete....

Re: Snort with an expert system

Thu, 25 Jun 2009 17:26:07 -0700

Posted by Gary Halleen on Jun 25

You're not being a jerk, Greg.

To the security or network operations people, all noise is a false positive.
They want the noise to go away. Marty's discussions on target-based IDS are
dead on.

This is an area where IDS/IPS products are evolving, and so are the
monitoring consoles.

You...

Re: Snort with an expert system

Fri, 26 Jun 2009 10:17:23 -0400

Posted by Martin Roesch on Jun 26

Inline...

On Thu, Jun 25, 2009 at 5:12 PM, Richard Bejtlich<taosecurity_at_gmail.com> wrote:
> On Thu, Jun 25, 2009 at 2:55 PM, Greg Shipley<gshipley_at_neohapsis.com> wrote:
>>
>> I respect the spirited and intelligent conversation here, but at the
...

Re: Snort with an expert system

Thu, 25 Jun 2009 17:28:06 -0700

Posted by Gary Halleen on Jun 25

Well, I guess I have to pipe in also, then. Cisco is doing the same. Read
my book "Security Monitoring with CS-MARS" for more info.

Gary

On 6/25/09 1:29 PM, "Martin Roesch" <roesch_at_sourcefire.com> wrote:

> Not for nothing but #2 is exactly what...

Re: Snort with an expert system

Thu, 25 Jun 2009 17:12:31 -0400

Posted by Richard Bejtlich on Jun 25

On Thu, Jun 25, 2009 at 2:55 PM, Greg Shipley<gshipley_at_neohapsis.com> wrote:
>
> I respect the spirited and intelligent conversation here, but at the
> risk of sounding like a) an old guy that's been following this stuff
> for too long and b) a complete jerk:
>
...