
RE: Protocol Anomaly Detection IDS - Honeypots

From: Augusto Paes de Barros <augusto(at)paesdebarros.com.br>
Date: Fri Feb 21 2003 - 16:53:33 EST


You are right Rob, but I believe it is very important to be able to detect things like that. The guy could be someone that managed to reach the internal network without the use of common attacks. Physically, if you want an example. Yes, he is elbows-deep in the goodies. Isn't it the type of situation that we really need to know about?

I liked when you mentioned database entries. It's my new favourite "honeytoken" now! Let's imagine that the only authorized way to access a DB is through Stored Procedures. If your SPs already discard the honeytokens, every time someone accesses the table directly, the bogus record will be returned, and detected by the IDS. Quite interesting, don't you think?

Regards,

Augusto
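The stored-procedure honeytoken idea from the message above, worked through as an added example (this is not code from the original thread or from either poster). It assumes a customers table, an in-memory SQLite database as a stand-in for the real DB, a Python function standing in for the stored procedure, and a constructed honeytoken e-mail address; the "IDS" is a pattern match over the serialized result set, i.e. what a network sensor would see crossing the wire.

```python
import re
import sqlite3

# Constructed honeytoken value (assumption): a record no legitimate process should ever return.
HONEYTOKEN_EMAIL = "canary.nobody@example.invalid"
HONEYTOKEN_PATTERN = re.compile(re.escape(HONEYTOKEN_EMAIL))


def build_db():
    """Create a small customers table that contains one bogus honeytoken record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [
            ("Alice Example", "alice@example.com"),
            ("Bob Example", "bob@example.com"),
            ("Canary Nobody", HONEYTOKEN_EMAIL),  # the honeytoken row
        ],
    )
    conn.commit()
    return conn


def sp_list_customers(conn):
    """Sanctioned access path (stand-in for the stored procedure): discards the honeytoken."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE email <> ?", (HONEYTOKEN_EMAIL,)
    ).fetchall()


def direct_table_access(conn):
    """Unsanctioned path: reading the table directly bypasses the procedure's filter."""
    return conn.execute("SELECT name, email FROM customers").fetchall()


def serialize_response(rows):
    """Render a result set the way it would travel back to the client (where the sensor sees it)."""
    return "\n".join(f"{name}|{email}" for name, email in rows)


def ids_inspect(payload):
    """Return an alert dict if the honeytoken appears in the observed payload, else None."""
    match = HONEYTOKEN_PATTERN.search(payload)
    if match is None:
        return None
    return {
        "alert": "honeytoken-record-returned",
        "token": match.group(0),
        "offset": match.start(),
    }


def demo():
    """Run both access paths through the sensor; only the direct read should alert."""
    conn = build_db()
    via_procedure = serialize_response(sp_list_customers(conn))
    via_direct_read = serialize_response(direct_table_access(conn))
    return ids_inspect(via_procedure), ids_inspect(via_direct_read)


if __name__ == "__main__":
    sanctioned_alert, direct_alert = demo()
    print("stored procedure path:", sanctioned_alert)   # None: token never leaves the DB
    print("direct table read:   ", direct_alert)        # alert with the token and its offset
```

The detection only works if the sensor can see the cleartext result set, so this fits unencrypted internal DB links or a sensor fed by the database's own query log; the token value also has to be unique enough that it never appears in legitimate traffic, or the rule will produce false positives.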

-----Original Message-----
From: Rob Shein [mailto:shoten@starpower.net]
Sent: Friday, February 21, 2003 16:33
To: 'Augusto Paes de Barros'; focus-ids@securityfocus.com
Subject: RE: Protocol Anomaly Detection IDS - Honeypots

Interesting notion, but with a few problems. My idea of a honeypot was an untrusted machine that draws fire, so to say, from an attacker. In doing so, it serves the dual roles of concentrating the attacking traffic onto a segment that is far more homogeneous (in terms of activity) and therefore easier to monitor, and causing the attacker to focus on a system that will not give him access to anything of any importance. Putting "honey documents" or other data (like database entries or LDAP objects) in the midst of valid data will not draw attention away, and even if they did, detection of them wouldn't get you anything new. If your IDS sees the content that it is to look for in these documents, why wouldn't it have seen any of the attacking traffic to begin with? And either way, the bad guy is already elbows-deep in your goodies at that point.

> -----Original Message-----



Received on Fri Feb 21 16:58:30 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT
