Hosting Provided By

RE: RES: Protocol Anomaly Detection IDS - Honeypots

From: Pete Herzog <lists(at)isecom.org>
Date: Fri Feb 21 2003 - 12:00:14 EST

Hi,

this is something we have helped implement using webbugs in MS docs, presentations, and other openable items for an internal honeypot. When opened, they call an image off a small, private webserver which in logging gives us the local IP address of the machine and the time so we can be fairly certain who accessed it. It's used mainly for "warnings". We know it's not perfect but it works. Next we would like to use MP3s and AVIs to do the same thing when opened.

With the idea of honey tokens, I think this really could go to the next level-- even so far as tracking internal reports which get e-mailed or somehow transferred (even with tunnelling) outside the company (as long as no encryption is involved). It adds a whole new paradigm to maintaining internal security and order.

Sincerely,
-pete.

Managing Director
Institute of Security and Open Methodologies www.isecom.org

> -----Original Message-----

Does your IDS have Intelligent Attack Profiling? If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard. http://www.securityfocus.com/stillsecure Received on Fri Feb 21 12:07:04 2003

This message: [ Message body ]
Next message: Lau Ker Chea: "ids detect malicious encrypted data?"
Previous message: Mike Shaw: "Re: RES: Protocol Anomaly Detection IDS - Honeypots"
In reply to: Lance Spitzner: "Re: RES: Protocol Anomaly Detection IDS - Honeypots"
In reply to Adam Powers: "RE: Protocol Anomaly Detection IDS - Honeypots"
Next in thread: dreamwvr(at)dreamwvr.com: "Re: RES: Protocol Anomaly Detection IDS - Honeypots"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT