Re: RES: Protocol Anomaly Detection IDS - Honeypots

From: Lance Spitzner (lance@honeynet.org)
Date: 02/23/03

    Date: Sun, 23 Feb 2003 13:24:20 -0600 (CST)
    From: Lance Spitzner <lance@honeynet.org>
    To: Focus on Intrusion Detection Systems <FOCUS-IDS@SECURITYFOCUS.COM>
    
    

    On 22 Feb 2003, Frank Knobbe wrote:

    > 'bleed' this method into others. The primary goal of a honeypot is to
    > look vulnerable and to lure hackers into exploiting it.

    This thread most likely should be moved to the honeypots list, as such
    this will be my last follow up. However, I just wanted to state that
    I would have to disagree with the above statement. A honeypot is a highly
    flexible tool with a variety of different applications to security
    (prevention, detection, research, etc). Its primary goal is whatever
    you are attempting to achieve.

    For example, LaBrea is an excellent example of a honeypot that
    can slow down or prevent automated attacks. Honeyd is an example of how
    a honeypot can be used for detection. Both work not by luring, but by
    monitoring unused IP space. The new bait-n-switch honeypot works not
    by luring, but by detecting attacks, then redirecting them against a
    honeypot, excellent for information gathering or research. Honeypots
    are extremely flexible and can be used for many different primary
    goals, one of which I feel is detection.

    To be honest, I think the security community has only begun to
    tap into the full potential of honeypot technologies.

    lance
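
Added illustration, not part of the original message and not how LaBrea or Honeyd are implemented: a minimal sketch of detection by monitoring unused IP space, as the message describes. The network, assigned-host list, flow records, function names and the sweep threshold are all assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation address ranges, not real traffic).
MONITORED_NET = ipaddress.ip_network("192.0.2.0/28")
ASSIGNED = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.2", "192.0.2.10")}
SAMPLE_FLOWS = [  # (source, destination, destination port)
    ("198.51.100.7", "192.0.2.1", 80),      # assigned web host: not a hit
    ("198.51.100.7", "192.0.2.3", 80),      # unused address
    ("198.51.100.7", "192.0.2.4", 80),      # unused address
    ("198.51.100.7", "192.0.2.5", 80),      # unused address
    ("203.0.113.9", "192.0.2.10", 25),      # assigned mail host: not a hit
    ("203.0.113.9", "192.0.2.12", 25),      # single stray hit on unused space
    ("203.0.113.50", "198.51.100.1", 443),  # outside the monitored network
    ("not-an-ip", "192.0.2.6", 22),         # malformed record
]

def is_unused(dst):
    """True if dst is inside the monitored network but assigned to no host."""
    edges = (MONITORED_NET.network_address, MONITORED_NET.broadcast_address)
    return dst in MONITORED_NET and dst not in ASSIGNED and dst not in edges

def unused_space_hits(flows):
    """Map each source to the set of unused addresses it contacted."""
    hits = defaultdict(set)
    for src, dst, _port in flows:
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed record: skip rather than abort the run
        if is_unused(dst_ip):
            hits[str(src_ip)].add(str(dst_ip))
    return dict(hits)

def classify(hits, sweep_threshold=3):
    """Label a source 'sweep' once it touches sweep_threshold unused addresses."""
    return {src: ("sweep" if len(dsts) >= sweep_threshold else "probe")
            for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, label in sorted(classify(unused_space_hits(SAMPLE_FLOWS)).items()):
        print(src, label)
```

Traffic to the assigned hosts never appears in the output, so every reported source is one that contacted an address with no production role.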
