RES: Protocol Anomaly Detection IDS - Honeypots

From: Augusto Paes de Barros (augusto@paesdebarros.com.br)
Date: 02/21/03

    Date: Fri, 21 Feb 2003 11:17:46 -0000
    From: "Augusto Paes de Barros" <augusto@paesdebarros.com.br>
    To: focus-ids@securityfocus.com
    
    

    Lance's point can be expanded in very interesting ways. Why use only
    honeypot "hosts" or "nets", when we can use accounts, documents, info,
    etc.? I was developing an idea that I call "honeytokens", to use on Windows
    networks. Basically, information that shouldn't be flowing over the network
    and, if you can detect it, something wrong is happening.

    --
    Augusto Paes de Barros, CISSP
    http://www.paesdebarros.com.br
    augusto@paesdebarros.com.br
    -----Original Message-----
    From: Lance Spitzner [mailto:lance@honeynet.org]
    Sent: Thursday, February 20, 2003 15:59
    To: Robert Graham
    Cc: Focus on Intrusion Detection Systems; slyph@alum.mit.edu
    Subject: Re: Protocol Anomaly Detection IDS - Honeypots
    On Wed, 19 Feb 2003, Robert Graham wrote:
    > People have been hoping that there is some sort of magic-pill technology
    > that solves the problem of IDS. "Protocol-anomaly detection" is one of
    > those buzzwords that promises a magic pill.
    Okay, I'll admit, to me a lot of the security problems I see are nothing
    more than nails, and honeypots are the hammer.  However, seriously, have
    folks considered the detection capabilities of honeypots?  The reason I
    bring this up in this thread is that for honeypots, everything is an
    anomaly.  The concept of a honeypot is that it has no production or
    authorized activity.  Everything it captures is most likely malicious
    activity.  Not only that, but you dramatically reduce 'noise'.  Instead of
    dealing with 5,000 alerts a day (not that high of a number for many
    organizations) a honeypot in the same environment could only generate 5 or
    10 alerts a day, alerts you most likely need to take action on.  These
    small data sets can make it far easier and cost effective to identify and
    act on unauthorized activity.

    I'm in no way suggesting that honeypots replace any existing detection
    technologies, I'm suggesting that they can contribute.  Personally, I feel
    the concept of deception has overshadowed the value of honeypots, when
    one of their true values lies in detection.
    lance
    -----------------------------------------------------------
    Does your IDS have Intelligent Attack Profiling?
    If not, see what you're missing.
    Download a free 15-day trial of StillSecure Border Guard.
    http://www.securityfocus.com/stillsecure
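The honeytoken idea in Augusto's post, and Lance's point that a decoy with no authorized activity yields a small, high-confidence alert set, as an added example that is not part of the original thread or of any project's code. It plants three decoys (an account name, a document name and an API-key-looking string, all invented here), scans constructed log lines for them, and reports how small the resulting alert set is relative to the log. The log format, hostnames and addresses are assumptions made for the example.

```python
"""Honeytoken monitor.

Added example, not code from the original post: it illustrates the
"honeytokens" idea (plant information that has no legitimate reason to
appear on the network, then treat any sighting of it as an alert) and the
low-noise property described for honeypots. Every token, hostname and
log line below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed honeytokens: decoys with no legitimate use, so any sighting is
# suspect. None of these correspond to real accounts, files or keys.
HONEYTOKENS = {
    "svc_backup_ht": "decoy domain account, never used by any job",
    "Q4_Merger_Plan_FINAL.xlsx": "decoy document planted on the file server",
    "AKIAHONEYTOKEN0000EXAMPLE": "decoy API key planted in a config repository",
}

# Constructed log lines (invented hosts, users and addresses).
SAMPLE_LOG = [
    "2003-02-21T11:02:13 smb fs01 user=jdoe open \\\\fs01\\finance\\budget.xlsx",
    "2003-02-21T11:02:40 auth dc01 user=jdoe logon success from 10.0.3.12",
    "2003-02-21T11:03:05 smb fs01 user=jdoe open \\\\fs01\\finance\\Q4_Merger_Plan_FINAL.xlsx",
    "2003-02-21T11:04:17 auth dc01 user=svc_backup_ht logon failure from 10.0.9.77",
    "2003-02-21T11:05:00 auth dc01 user=mlee logon success from 10.0.3.40",
    "2003-02-21T11:06:10 auth dc01 user=svc_backup_html logon success from 10.0.3.12",
    "2003-02-21T11:07:45 proxy gw01 src=10.0.9.77 POST http://203.0.113.5/upload body contains AKIAHONEYTOKEN0000EXAMPLE",
]


@dataclass
class Alert:
    line_no: int      # 1-based index into the log
    token: str        # which honeytoken was seen
    description: str  # what that token is
    line: str         # the offending log line


def _compile(tokens):
    # Match each token only as a whole item: no letters, digits, dots or
    # dashes directly before or after it, so the (invented, legitimate)
    # account "svc_backup_html" does not trip the "svc_backup_ht" token.
    return {
        t: re.compile(r"(?<![\w.-])" + re.escape(t) + r"(?![\w.-])")
        for t in tokens
    }


def scan_log(lines, tokens=HONEYTOKENS):
    """Return one Alert per log line that contains a honeytoken."""
    patterns = _compile(tokens)
    alerts = []
    for no, line in enumerate(lines, start=1):
        for token, pattern in patterns.items():
            if pattern.search(line):
                alerts.append(Alert(no, token, tokens[token], line))
                break  # one alert per line is enough
    return alerts


def alert_ratio(lines, tokens=HONEYTOKENS):
    """Fraction of log lines that became alerts: the 'small data set' point."""
    return len(scan_log(lines, tokens)) / len(lines)


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT line {a.line_no}: {a.token} ({a.description})")
        print(f"  {a.line}")
    print(f"{alert_ratio(SAMPLE_LOG):.0%} of lines raised an alert")
```

Because the decoys have no authorized use, every hit is actionable without further tuning; the boundary-aware pattern is the one piece of care needed so that a real name sharing a prefix with a token does not produce a false alert.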
    

