Re: Protocol Anomaly Detection IDS - Honeypots
From: Lance Spitzner <lance(at)honeynet.org>
Date: Thu Feb 20 2003 - 13:58:58 EST
> People have been hoping that there is some sort of magic-pill technology that

Okay, I'll admit, to me a lot of the security problems I see are nothing more than nails, and honeypots are the hammer. However, seriously, have folks considered the detection capabilities of honeypots? The reason I bring this up in this thread is that, for honeypots, everything is an anomaly. The concept of a honeypot is it has no production or authorized activity. Everything it captures its way is most likely malicious activity. Not only that, but you dramatically reduce 'noise'. Instead of dealing with 5,000 alerts a day (not that high of a number for many organizations) a honeypot in the same environment could only generate 5 or 10 alerts a day, alerts you most likely need to take action on. These small data sets can make it far easier and cost-effective to identify and act on unauthorized activity.

lance

Received on Thu Feb 20 14:19:19 2003