IDS mailing list archives
Re: Protocol Anomaly Detection IDS - Honeypots
From: "dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>
Date: Thu, 20 Feb 2003 23:56:56 -0700
On Thu, Feb 20, 2003 at 07:48:36PM -0500, Rob Shein wrote:
I have to agree entirely. A lot of people think of a honeypot as something set up to look like a wildly insecure box. What I like to do is set one up to look like most of the other network-available boxes, but with a slight twist, like an open port that the others don't have. It doesn't have to be incredibly appealing, just a chink in the armor will draw attackers to it. In "The Seven Samurai," the leader of the group states "Every good castle must have a weakness in its defense." He then uses that deliberate weakness to lure attackers to that one spot, where he waits. That's exactly what I go for with a honeypot, and it works pretty darn well too :)
I would agree as well. It is often those that have perceived themselves as invincible that provide the greatest flaws. As I alluded to earlier, I see a hybrid arrangement with say the IDS running in bridge mode while the honeypot lives in a virtual space.. jail if you will with the vulnerability 'emulation' recording over to write once CD. This would seem to be an interesting project. Then blend the two technologies by meeting somewhere in the middle for analysis.

The "Seven Samurai" and that thought pattern could lend well to Internet Security. Providing that one did not rely too heavily on them necessarily taking the bait. There are more arts of deception than just those being used in the computer realm. So if one leveraged that judicially there might be some true benefits.

Best Regards,
dreamwvr () dreamwvr com
--
/* Security is a work in progress - dreamwvr */
#
# Note: To begin Journey type man afterboot,man help,man hier[.]
#
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \? ;-]