Honeypots mailing list archives
Re: IDS and honeypots
From: Valdis.Kletnieks () vt edu
Date: Wed, 30 Apr 2003 14:20:10 -0400
On Wed, 30 Apr 2003 14:28:17 +0200, rnoble <rnoble () petech ac za> said:
> I'm investigating the idea of using the traffic captured by a honeypot (in theory all data should be suspicious) and filtering out legal traffic and traffic captured by existing misuse IDS signatures and using the remainder to automatically create new signatures in order to update an IDS database
The problem you get is that if the attacker uses a 0day to get into the box, you'll get a new IDS tag for that - but if he then installs a backdoor and telnets in, you'll also get new IDS signatures for telnet traffic with a packet 'a', 'b', 'c'.... Whoops. ;) (Same issue for anything else the attacker might do that resembles usual traffic - and remember that a *lot* of the attacker's traffic is going to look very similar to "production" traffic, just with different *INTENT*, which is very hard for an IDS to gauge unless it has an AI component.)
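The failure mode described above, as an added simulation that is not part of this thread or any project the posters worked on. It implements the proposal literally (drop known-legal packets, drop packets already covered by a signature, turn the rest into signatures), shows that the attacker's single-keystroke telnet packets become worthless 'a', 'b', 'c' signatures, and adds the two cheap checks a defender would run before deploying anything: a minimum pattern length and a count of hits against a sample of production traffic. Every packet, signature and baseline payload is constructed for the example; the production-baseline check only measures overlap with normal traffic, it does not gauge intent.

```python
"""
Constructed simulation of the honeypot-to-IDS-signature idea from the thread.
Packets, signatures and baseline payloads below are all made up for the demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes


# Constructed honeypot capture: an unknown attack request against the web
# service, then the attacker typing into a backdoor over telnet, one
# keystroke per packet (the case the reply above describes).
HONEYPOT_CAPTURE: List[Packet] = [
    Packet(80, b"GET /index.html HTTP/1.0\r\n\r\n"),          # looks like a normal browser
    Packet(80, b"GET /KNOWN-PROBE-MARKER HTTP/1.0\r\n\r\n"),  # covered by an existing signature
    Packet(80, b"GET /" + b"A" * 60 + b" HTTP/1.0\r\n\r\n"),  # stand-in for the unknown exploit request
    Packet(23, b"a"),
    Packet(23, b"b"),
    Packet(23, b"c"),
    Packet(23, b"\r\n"),
]

# "Legal traffic" filter from the proposal: exact payloads known to be benign (constructed).
LEGAL_PAYLOADS: Set[bytes] = {b"GET /index.html HTTP/1.0\r\n\r\n"}

# Existing misuse-IDS signatures, modelled as substring patterns (constructed).
EXISTING_SIGNATURES: Set[bytes] = {b"KNOWN-PROBE-MARKER"}

# Constructed sample of production traffic, used to estimate false positives.
# It includes an administrator's interactive session, one keystroke per packet.
PRODUCTION_BASELINE: List[bytes] = [
    b"GET /index.html HTTP/1.0\r\n\r\n",
    b"GET /about.html HTTP/1.0\r\n\r\n",
    b"l", b"s", b" ", b"-", b"l", b"a", b"\r\n",
]

MIN_SIGNATURE_LEN = 8  # patterns shorter than this match almost anything


def matches_existing(payload: bytes, signatures: Iterable[bytes]) -> bool:
    """True if any deployed signature already fires on this payload."""
    return any(sig in payload for sig in signatures)


def naive_signatures(capture: Iterable[Packet]) -> List[bytes]:
    """The proposal as stated: whatever survives the two filters becomes a signature."""
    out: List[bytes] = []
    for pkt in capture:
        if pkt.payload in LEGAL_PAYLOADS or matches_existing(pkt.payload, EXISTING_SIGNATURES):
            continue
        if pkt.payload not in out:  # de-duplicate, keep capture order
            out.append(pkt.payload)
    return out


def baseline_hits(signature: bytes, baseline: Iterable[bytes]) -> int:
    """How many production packets this signature would fire on (false-positive estimate)."""
    return sum(1 for payload in baseline if signature in payload)


def filtered_signatures(capture: Iterable[Packet]) -> List[bytes]:
    """Same pipeline plus two pre-deployment checks: minimum length and zero baseline hits."""
    kept: List[bytes] = []
    for sig in naive_signatures(capture):
        if len(sig) < MIN_SIGNATURE_LEN:
            continue
        if baseline_hits(sig, PRODUCTION_BASELINE) > 0:
            continue
        kept.append(sig)
    return kept


if __name__ == "__main__":
    for sig in naive_signatures(HONEYPOT_CAPTURE):
        print("naive   :", sig[:24], "baseline hits =", baseline_hits(sig, PRODUCTION_BASELINE))
    for sig in filtered_signatures(HONEYPOT_CAPTURE):
        print("filtered:", sig[:24])
```

Running it shows the naive pipeline emitting five signatures, four of which are the keystroke packets that also fire on the administrator's session in the baseline; the filtered pipeline keeps only the long request. The length and baseline checks remove the obvious junk, but they cannot separate an attacker's `ls` from an administrator's, which is the intent problem the reply raises.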