IDS mailing list archives
RE: Protocol Anomaly Detection IDS - Honeypots
From: "Rob Shein" <shoten () starpower net>
Date: Fri, 21 Feb 2003 16:54:20 -0500
I don't see where you'd place an IDS so that it saw some kinds of LDAP traffic but not others. Especially when there are different LDAP servers connected with WAN links...I don't know of anyone who has dedicated WAN links for LDAP traffic...come to think of it, I don't know anyone who has dedicated networks for it either.
> -----Original Message-----
> From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
> Sent: Friday, February 21, 2003 4:36 PM
> To: Rob Shein
> Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
> Subject: RE: Protocol Anomaly Detection IDS - Honeypots
>
> Very true; so you have to be careful where you place the IDS given those sorts of issues; the original idea is still valid that there are lots of good uses for honeytokens that can well supplement the 'normal' use of an IDS.
>
> --
> Jordan Wiens
> UF Network Incident Response Team
> (352)392-2061
>
> On Fri, 21 Feb 2003, Rob Shein wrote:
>
> > Yeah, but if you have more than one LDAP server, and replication, you'll also snag other valid traffic that happens to control the objects in LDAP.
> >
> > -----Original Message-----
> > From: Jordan K Wiens [mailto:jwiens () nersp nerdc ufl edu]
> > Sent: Friday, February 21, 2003 3:13 PM
> > To: Rob Shein
> > Cc: 'Augusto Paes de Barros'; focus-ids () securityfocus com
> > Subject: RE: Protocol Anomaly Detection IDS - Honeypots
> >
> > > The point seems to be that it's possible to be elbow-deep in someone's networks with relatively 'normal' traffic the IDS won't pick up. A specifically designed web-crawler can sneak right under the radar of a typical IDS, yet it would easily be detected by a honeytoken. Slowly enumerating all users from a public LDAP directory probably won't be detected by the IDS, but a honeytoken would snag it.
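The detection Jordan describes (a honeytoken account that catches slow LDAP enumeration) together with Rob's objection (replication and admin traffic will also touch the decoy objects), as an added example that is not code from this thread: a small Python detector over OpenLDAP-style access-log lines that flags any client operation naming a decoy uid, with replication peers allowlisted by source IP so their legitimate reads are not reported. The decoy uids, IP addresses and log lines are constructed for the example.

```python
import re

# Decoy accounts that exist only to be touched by an intruder (constructed values).
HONEYTOKEN_UIDS = {"svc-backup-legacy", "jdoe-test"}
# Hosts that legitimately read every object, e.g. replication consumers (constructed).
ALLOWLISTED_IPS = {"10.0.0.3"}

# slapd logs the client address once per connection, then only conn=N on each op.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
OP_RE = re.compile(r"conn=(\d+) op=\d+ (BIND|SRCH|MOD|CMP) (.*)")
UID_RE = re.compile(r"uid=([A-Za-z0-9._-]+)")

# Constructed sample: 203.0.113.7 walks the directory slowly and eventually
# names a decoy; 10.0.0.3 is a replication peer that also reads the decoy.
SAMPLE_LOG = """\
Feb 21 16:54:20 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=203.0.113.7:51234 (IP=0.0.0.0:389)
Feb 21 16:54:20 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.3:40001 (IP=0.0.0.0:389)
Feb 21 16:54:21 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="" method=128
Feb 21 16:54:21 ldap1 slapd[1234]: conn=1001 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
Feb 21 16:59:03 ldap1 slapd[1234]: conn=1001 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=svc-backup-legacy)"
Feb 21 16:59:10 ldap1 slapd[1234]: conn=1002 op=0 SRCH base="uid=svc-backup-legacy,ou=people,dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
Feb 21 17:02:44 ldap1 slapd[1234]: conn=1001 op=3 BIND dn="uid=jdoe-test,ou=people,dc=example,dc=com" method=128
""".splitlines()


def find_honeytoken_hits(lines):
    """Return (conn, client_ip, op, uid) for each non-allowlisted op naming a decoy uid."""
    conn_ip = {}  # conn id -> client IP, learned from ACCEPT lines
    hits = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, detail = m.groups()
        ip = conn_ip.get(conn, "unknown")
        if ip in ALLOWLISTED_IPS:
            continue  # replication/admin peers are expected to touch decoys
        for uid in UID_RE.findall(detail):  # matches both BIND dn and SRCH filter/base
            if uid in HONEYTOKEN_UIDS:
                hits.append((conn, ip, op, uid))
    return hits


if __name__ == "__main__":
    for conn, ip, op, uid in find_honeytoken_hits(SAMPLE_LOG):
        print(f"HONEYTOKEN HIT conn={conn} client={ip} op={op} uid={uid}")
```

Correlating by conn id rather than matching each line in isolation is what lets the allowlist work: the replication peer's read of the decoy (conn=1002) is silently dropped, while the unknown client's search and bind on decoys are reported.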