IDS mailing list archives

Re: Protocol Anomaly Detection IDS - Honeypots

From: "dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>
Date: Thu, 20 Feb 2003 23:56:56 -0700

On Thu, Feb 20, 2003 at 07:48:36PM -0500, Rob Shein wrote:

I have to agree entirely.  A lot of people think of a honeypot as something
set up to look like a wildly insecure box.  What I like to do is set one up
to look like most of the other network-available boxes, but with a slight
twist, like an open port that the others don't have.  It doesn't have to be
incredibly appealing, just a chink in the armor will draw attackers to it.
In "The Seven Samurai," the leader of the group states "Every good castle
must have a weakness in its defense."  He then uses that deliberate weakness
to lure attackers to that one spot, where he waits.  That's exactly what I
go for with a honeypot, and it works pretty darn well too :)

I would agree as well. It is often those that have perceived themselves
as invincible that provide the greatest flaws. As I alluded to earlier 
I see a hybrid arrangement with say the IDS running in bridge mode 
while the honeypot lives in a virtual space.. jail if you will with
the vulnerability 'emulation' recording over to write once CD. 
This would seem to be a interesting project. Then blend the two 
technologies by meeting somewhere in the middle for analysis. 
The "Seven Samurai" and that thought pattern could lend well
to Internet Security. Providing that one did not rely too heavily
on them necessarily taking the bait. There are more arts of deception
than just those being used in the computer realm. So if one leveraged
that judicially there might be some true benefits.

Best Regards,
dreamwvr () dreamwvr com

-- 
/*  Security is a work in progress - dreamwvr                 */
#                                                             
# Note: To begin Journey type man afterboot,man help,man hier[.]      
#                                                             
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]

-----------------------------------------------------------
Does your IDS have Intelligent Attack Profiling?
If not, see what you're missing.
Download a free 15-day trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure

Current thread:

Re: Protocol Anomaly Detection IDS, (continued)
- Re: Protocol Anomaly Detection IDS Yaakov Yehudi (Feb 11)
- RE: Protocol Anomaly Detection IDS Graham, Robert (ISS Atlanta) (Feb 06)
- RE: Protocol Anomaly Detection IDS Adam Powers (Feb 06)
- Re: Protocol Anomaly Detection IDS Jordan K Wiens (Feb 06)
- RE: Protocol Anomaly Detection IDS Andrew Plato (Feb 10)
- Re: Protocol Anomaly Detection IDS Martin Roesch (Feb 18)
  - Re: Protocol Anomaly Detection IDS Robert Graham (Feb 20)
    - Re: Protocol Anomaly Detection IDS - Honeypots Lance Spitzner (Feb 20)
    - Re: Protocol Anomaly Detection IDS - Honeypots dreamwvr () dreamwvr com (Feb 20)
    - RE: Protocol Anomaly Detection IDS - Honeypots Rob Shein (Feb 20)
    - Re: Protocol Anomaly Detection IDS - Honeypots dreamwvr () dreamwvr com (Feb 21)
    - Re: Protocol Anomaly Detection IDS - Honeypots Gene Yoo (Feb 25)
    - Message not available
    - Re: Protocol Anomaly Detection IDS - Honeypots Bob Radvanovsky (Feb 20)