Re: RES: Protocol Anomaly Detection IDS - Honeypots
From: Lance Spitzner <lance(at)honeynet.org>
Date: Fri Feb 21 2003 - 11:36:56 EST
> Lance's point can be expanded in very interesting views. Why use only
Ohh, ooh! Very cool suggestion Augusto! This is something I never thought of. Create documents, webpages, or resources that no one should be accessing. You create these resources with specific, obvious signatures so your detection mechanisms (logs, IDS sensors, etc) can easily pick them up. If you detect these resources being moved around your network, you know something is up!

For example, you create a Word document that has the title of payroll or 'research and development'. You put whatever fluff you want in the document, and give it a "tracking number", such as 14A8478bG98734T90AAZ. Now, you simply create a signature looking for that "tracking number".

The concept would be to create resources that no one should be accessing (the honeytoken) but are easily detectable if they do. You would have to ensure the signature, as in this case the tracking number, is unique enough that it minimizes, if not eliminates, false positives.

This potentially opens a whole new world to honeypot concepts :)

very cool :)

lance

Received on Fri Feb 21 11:42:58 2003
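
An added example, not part of the original post: one way a sensor could match the "tracking number" from the message in data that arrives in pieces, so a marker split across two segments is still caught. The UTF-16LE variant, the `StreamMatcher` helper and the sample documents are assumptions made for illustration.

```python
# Added example, not from the original post: matching a honeytoken marker.
TOKEN = "14A8478bG98734T90AAZ"  # the "tracking number" quoted in the post

def encodings(token):
    """Byte forms the marker can take on the wire or on disk."""
    return {
        "ascii": token.encode("ascii"),
        # Assumption: some document formats store text as UTF-16LE.
        "utf-16le": token.encode("utf-16-le"),
    }

class StreamMatcher:
    """Scan a byte stream that arrives in arbitrary chunks (hypothetical helper)."""

    def __init__(self, token=TOKEN):
        self.patterns = encodings(token)
        # Carry enough bytes to catch a marker split across two chunks.
        self.keep = max(len(p) for p in self.patterns.values()) - 1
        self.tail = b""
        self.offset = 0   # stream offset of the first byte in self.tail
        self.hits = []    # (encoding name, absolute stream offset)

    def feed(self, chunk):
        buf = self.tail + chunk
        for name, pat in self.patterns.items():
            pos = buf.find(pat)
            while pos != -1:
                hit = (name, self.offset + pos)
                if hit not in self.hits:   # carried bytes are scanned twice
                    self.hits.append(hit)
                pos = buf.find(pat, pos + 1)
        drop = max(0, len(buf) - self.keep)
        self.tail, self.offset = buf[drop:], self.offset + drop
        return self.hits

def scan_chunks(data, size, token=TOKEN):
    """Feed data in fixed-size pieces, as a sensor would see segments."""
    matcher = StreamMatcher(token)
    for i in range(0, len(data), size):
        matcher.feed(data[i:i + size])
    return matcher.hits

# Constructed sample inputs (not real traffic).
PREFIX = b"Payroll Q1 draft. Tracking number: "
ASCII_DOC = PREFIX + TOKEN.encode("ascii") + b" -- end"
UTF16_DOC = ("Research and development " + TOKEN).encode("utf-16-le")

if __name__ == "__main__":
    print(scan_chunks(ASCII_DOC, 7))
    print(scan_chunks(UTF16_DOC, 9))
```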