Re: RES: Protocol Anomaly Detection IDS - Honeypots
From: Lance Spitzner (lance@honeynet.org)
Date: 02/21/03
- Previous message: Augusto Paes de Barros: "RES: Protocol Anomaly Detection IDS - Honeypots"
- In reply to: Augusto Paes de Barros: "RES: Protocol Anomaly Detection IDS - Honeypots"
- Next in thread: Pete Herzog: "RE: RES: Protocol Anomaly Detection IDS - Honeypots"
- Reply: Pete Herzog: "RE: RES: Protocol Anomaly Detection IDS - Honeypots"
Date: Fri, 21 Feb 2003 10:36:56 -0600 (CST) From: Lance Spitzner <lance@honeynet.org> To: Augusto Paes de Barros <augusto@paesdebarros.com.br>
On Fri, 21 Feb 2003, Augusto Paes de Barros wrote:
> Lance's point can be expanded in very interesting views. Why use only
> honeypots "hosts" or "nets", when we can use accounts, documents, info,
> etc? I was developing an idea that I call "honeytokens", to use on Windows
> networks. Basically, information that shouldn't be flowing over the network
> and, if you can detect it, something wrong is happening.
Ohh, ooh! Very cool suggestion Augusto! This is something I never
thought of. Create documents, webpages, or resources that no one should
be accessing. You create these resources with specific, obvious signatures
so your detection mechanisms (logs, IDS sensors, etc) can easily pick
them up. If you detect these resources being moved around your network,
you know something is up!
For example, you create a Word document that has the title of payroll
or 'research and development'. You put whatever fluff you want in the
document, and give it a "tracking number", such as 14A8478bG98734T90AAZ.
Now, you simply create a signature looking for that "tracking number".
The concept would be to create resources that no one should be accessing
(the honeytoken) but that are easily detectable if they do. You would have to
ensure the signature, as in this case the tracking number, is unique enough
that it minimizes, if not eliminates, false positives.
This potentially opens a whole new world to honeypot concepts :)
very cool :)
lance
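
Added example, not part of the original message: a sketch of the "signature looking for that tracking number" idea, showing why a single ASCII pattern is not enough once the decoy document is stored as UTF-16 or sent as a base64 attachment. The names `new_token`, `signatures` and `HoneytokenScanner` are hypothetical, and the sample traffic is constructed.

```python
import base64
import secrets
import string

def new_token(length=20):
    """Random tracking number, long enough that chance matches are implausible."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def signatures(token):
    """Map label -> byte pattern for each form the token can take in transit."""
    raw = token.encode("ascii")
    sigs = {"ascii": raw, "utf-16le": token.encode("utf-16-le")}
    # Base64 text depends on where the token starts modulo 3 in the encoded
    # data, so build one pattern per alignment and keep only the characters
    # determined entirely by the token's own bytes.
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + raw)
        start = (8 * pad + 5) // 6         # first char free of padding bits
        end = 8 * (pad + len(raw)) // 6    # one past last char fully in token
        sigs[f"base64/{pad}"] = enc[start:end]
    return sigs

class HoneytokenScanner:
    """Scan one byte stream chunk by chunk; report each form once."""

    def __init__(self, token):
        self.sigs = signatures(token)
        self.keep = max(len(s) for s in self.sigs.values()) - 1
        self.tail = b""
        self.seen = set()

    def feed(self, chunk):
        # Drop CR/LF so line-wrapped (MIME) base64 still matches, and prepend
        # the previous tail so a match may straddle a chunk boundary.
        buf = self.tail + chunk.translate(None, b"\r\n")
        hits = [k for k, s in self.sigs.items() if k not in self.seen and s in buf]
        self.seen.update(hits)
        self.tail = buf[-self.keep:]
        return hits

if __name__ == "__main__":
    token = "14A8478bG98734T90AAZ"   # tracking number quoted in the message
    scanner = HoneytokenScanner(token)
    # Constructed traffic: a mail attachment carrying the decoy document.
    wire = base64.encodebytes(b"payroll " * 7 + token.encode() + b" draft")
    for i in range(0, len(wire), 32):
        for label in scanner.feed(wire[i:i + 32]):
            print("ALERT: honeytoken seen as", label)
```

Byte signatures like these do not see a token inside compressed containers (a .docx file is a ZIP archive) or encrypted sessions, so a decoy meant for network detection should carry the token somewhere that stays uncompressed.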