Re: Honeypots, what is their limits for intrusion detection?



Tomas,

From a misuse detection POV it will obviously alert you on potential attacks to a honeypot. But any and all traffic destined to a honeynet (pot) should be deemed suspicious or malicious, as there is no legitimate reason for communication between these hosts and others. This could also serve as an early warning system, since all traffic is suspicious at the very least.

Honeypots (honeynets) are also not production systems, so their downtime for analysis is not a problem, and this is where the true value comes in. An IDS can't tell you whether an attack was successful or not, just that it saw something; with full-blown access, such a determination can be made, on top of method, tools and what they did once they got in, etc.

A great use case: there was a worm released with no A/V or IDS coverage that was discovered through the traffic generated towards the honeynet.

Hope that helps,

----
Sent from my iPhone

On Jul 1, 2009, at 4:18 AM, Tomas Olsson <tol@xxxxxxx> wrote:

Hi,
I have a newbie question related to intrusion detection. It was suggested to me that honeypots only catch automated attacks; is that true? How can we know which attacks are not caught? Are there any papers on what sort of attacks are caught by using honeypots?

Regards
Tomas


-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
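
The reply's two points (every flow into a honeynet is suspect, and a new worm can surface there before any A/V or IDS signature exists), sketched as an added example that is not part of the original thread. The honeynet range, the log line format, the threshold and all sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions, not from the thread: honeynet range, log format, threshold.
HONEYNET = ipaddress.ip_network("192.0.2.0/28")  # constructed (documentation range)
WORM_SOURCE_THRESHOLD = 3  # distinct sources on one port before flagging propagation

# Constructed sample flow records: "timestamp src dst proto dport"
SAMPLE_FLOWS = """\
2009-07-01T04:00:01 198.51.100.7 192.0.2.5 tcp 445
2009-07-01T04:00:03 198.51.100.9 192.0.2.6 tcp 445
2009-07-01T04:00:04 10.0.0.12 10.0.0.20 tcp 80
2009-07-01T04:00:09 203.0.113.44 192.0.2.5 tcp 445
2009-07-01T04:00:15 198.51.100.7 192.0.2.9 tcp 22
bad line here
2009-07-01T04:00:20 10.0.0.31 192.0.2.7 tcp 445
"""

def parse_flow(line):
    """Return (ts, src, dst, proto, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)
    except ValueError:
        return None

def analyze(text, honeynet=HONEYNET, threshold=WORM_SOURCE_THRESHOLD):
    """Alert on every flow into the honeynet; report ports hit by many sources."""
    alerts, sources_by_port = [], defaultdict(set)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow[2] not in honeynet:
            continue  # malformed, or ordinary traffic between production hosts
        ts, src, dst, proto, dport = flow
        alerts.append((ts, str(src), str(dst), proto, dport))  # no signature needed
        sources_by_port[(proto, dport)].add(src)
    # Many unrelated sources probing the same port is the worm-style early warning.
    spreading = {port: sorted(map(str, srcs))
                 for port, srcs in sources_by_port.items() if len(srcs) >= threshold}
    return alerts, spreading

if __name__ == "__main__":
    alerts, spreading = analyze(SAMPLE_FLOWS)
    print(len(alerts), "flows into the honeynet;", "spreading on:", spreading)
```
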


