IDS mailing list archives
Re: RES: Protocol Anomaly Detection IDS - Honeypots
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 21 Feb 2003 18:33:17 -0600
On Fri, 2003-02-21 at 10:54, Mike Shaw wrote:
For example, you create a word document that has the title of payroll or 'research and development'. You put whatever fluff you want in the document, and give it a "tracking number", such as 14A8478bG98734T90AAZ.

This is something I've been doing on my production networks for a couple years now, but at more than the wire level. Think: Excel spreadsheets of bogus usernames and passwords. Fake info being passed over AIM and other cleartext protocols on a hub. Bogus customer records in a banking app. Bogus hosts in host lists. File names that should never be in a directory scan. False DNS entries such as "accounting.domain.com". The possibilities are endless.
Yes, they are. When discussing this, we have to be careful not to overstep the fine line that differentiates the honeytoken idea from a copy-bug or deception pool.

A copy-bug is a marker embedded in a document that lets you identify an illegal copy. Most widely used are grammatical or typographical errors. If someone reproduces a document titled 'The Delcaration of Independence' you can spot it because you know that you marked it with that typo.

A deception pool is a stash of falsified documents (think research data) amongst which you hide the real document. Imagine a folder called Research with the files Result00001.doc until Result99999.doc. Only Result77453.doc contains the real result.

Copy-bugs can be tracked just like you would zoom in on a honeytoken, but they do not attract like a honeypot. A deception pool provides a lot of false info, just like a honeypot/honeytoken, but again does not attract. Honeypots, while providing false info, attract the hacker so we can learn about their techniques.

Don't get me wrong, the idea of honeytokens is great. But we have to be careful that we don't give an old horse a new name.

Cheers,
Frank
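The detection side of the honeytoken idea Mike describes (seed a tracking number, a bogus username, a false DNS name, and then watch for any of them turning up in traffic or logs) can be shown with a small scanner. The code below is an added example written for this archive page; it is not from either poster. The token values, the username svc_backup_old and the log lines are all constructed here for illustration, and the allow-list of sources is an assumption about how a practitioner would suppress the one legitimate job (a backup) that is expected to touch the seeded document.

```python
"""Honeytoken scanner over log lines (added example, constructed data)."""
import re
from dataclasses import dataclass

# Constructed honeytokens, one of each kind mentioned in the thread.
# None of these correspond to a real system; the username is hypothetical.
HONEYTOKENS = {
    "14A8478bG98734T90AAZ": "tracking number from bogus 'payroll' document",
    "svc_backup_old": "bogus username seeded in a credentials spreadsheet",
    "accounting.domain.com": "false DNS entry that no real host resolves",
    "Delcaration": "copy-bug typo marker planted in a document title",
}

# Pull the originating host out of 'src=' or 'client=' fields; logs without
# either field are still scanned, they just get an 'unknown' source.
SRC_RE = re.compile(r"(?:src|client)=(\S+)")


@dataclass(frozen=True)
class Alert:
    line_no: int
    token: str
    reason: str
    source: str


def scan(lines, tokens=HONEYTOKENS, allow_sources=frozenset()):
    """Return one Alert per (line, token) hit, skipping allow-listed sources.

    Matching is a case-insensitive substring test: a honeytoken is chosen to
    be a string that should never legitimately appear, so any sighting is
    interesting and there is no need for a tighter pattern.
    """
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        match = SRC_RE.search(line)
        source = match.group(1) if match else "unknown"
        if source in allow_sources:
            continue  # e.g. the backup job that copies the seeded file nightly
        lowered = line.lower()
        for token, reason in tokens.items():
            if token.lower() in lowered:
                alerts.append(Alert(line_no, token, reason, source))
    return alerts


def suspects(alerts):
    """Group hits by source host: one host touching several tokens is the
    signal worth escalating, a single hit may be a stray search."""
    by_source = {}
    for alert in alerts:
        by_source.setdefault(alert.source, set()).add(alert.token)
    return by_source


# Constructed sample log lines (proxy, DNS, auth, mail, backup), not real data.
SAMPLE_LOGS = [
    "2003-02-21T10:54:01 proxy client=10.0.0.7 GET http://intranet/docs/payroll.doc 200",
    "2003-02-21T11:02:13 dns client=10.0.0.23 query A accounting.domain.com",
    "2003-02-21T11:05:44 auth src=10.0.0.23 login failed user=svc_backup_old",
    "2003-02-21T11:06:02 smtp src=10.0.0.23 subject='Re: Research 14A8478bG98734T90AAZ'",
    "2003-02-21T02:00:00 backup src=10.0.0.2 copied payroll.doc tag 14A8478bG98734T90AAZ",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS, allow_sources={"10.0.0.2"})
    for hit in hits:
        print(f"line {hit.line_no}: {hit.source} touched '{hit.token}' ({hit.reason})")
    for source, tokens in suspects(hits).items():
        print(f"{source}: {len(tokens)} distinct honeytokens")
```

Run as-is, the scanner reports the three hits from 10.0.0.23 (a DNS lookup of the false name, a login attempt with the bogus account, and the tracking number in a mail subject) and stays silent on the backup host, which is expected to copy the seeded document. Without the allow-list the backup line would alert too, which is the main false-positive source with this technique: whatever process legitimately handles the bait must be excluded, or the token must be placed where no legitimate process ever reads it.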
