Honeypots mailing list archives
RE: search for master of science project topic
From: "Stejerean, Cosmin" <cosmin () cti depaul edu>
Date: Fri, 14 Oct 2005 13:19:47 -0500
What you mentioned sounds a lot like a bait and switch honeypot. I believe the idea is to migrate both the process in question and the connection to the honeypot, so if a vulnerable server is exploited with a buffer overflow attack the process will be migrated to the honeypot and any connection from the attack will be redirected to the honeypot. This would be a step further than a regular network-based bait and switch honeypot because the HIDS would be able to detect when a process makes unusual system calls etc., as well as transfer the process image and everything else to the honeypot. The difficulty is in carefully migrating the process over and deciding what can or cannot be migrated.

Cosmin

-----Original Message-----
From: Packet Man [mailto:packetman () altsec info]
Sent: Friday, October 14, 2005 12:20 PM
To: gangadhar npk
Cc: Zack.Payton () MWAA com; dewadedw () yahoo com; honeypots () securityfocus com
Subject: Re: search for master of science project topic

gangadhar npk wrote:
It seems to be a very interesting thought. Correct me if I am wrong in understanding this:

The basic premise is that, once the 'monitor' identifies a process that is not conforming to the usual practice (say via anomaly detection), it silently transfers the process image to a honeypot, without disruption of any sort, and the process runs within the honeypot (a VM, in all probability).

Maybe initially one can only take care of the socket connections, and then move to the part of file handles, memmaps and others.

Was this attempted before? I don't know, hence the question.

Thanks
Gangadhar

-----Original Message-----
From: "Payton, Zack" <Zack.Payton () MWAA com>
To: <dewadedw () yahoo com>, <honeypots () securityfocus com>
Date: Tue, 11 Oct 2005 11:09:17 -0400
Subject: RE: search for master of science project topic

Sure,

What about writing a paper about the best way to monitor processes on a production box, and process transfer and TCP redirect to a honeypot in the event of an anomaly.

Zack
I think that's an intriguing idea. It melds intrusion protection with a honeypot, one that would require re-engineering a honeypot. Zack, if I get you right, the following would occur:

1. IDS detects suspicious/malicious traffic
2. The connection state would be transferred to the honeypot
3. The connection route would be redirected to the honeypot
4. The honeypot would spoof the original host and start gathering data

I'm not sure of the usefulness/feasibility though. It would surely require a HIDS client on the target that (A) works with the IDS and honeypot to effect a transfer of connection and state data, and (B) responds to IPS/IDS warnings to not go through with data transfer.

Now, as a vast improvement to typical firewall and IPS behavior, I think it's a cool idea to have an IDS/IPS effect a transfer of a connection from the actual targeted host to a honeypot, instead of simply dropping the traffic. Such a system would expand the scope of honeypot data collection to actively taking over connections or attempted connections from other systems, rather than sitting there passively waiting for traffic only on its delegated network address space. In addition, I think it would be interesting to try this technique with takeover of an encrypted connection.

It's worth exploring, discussing. My .02 cents worth.

--
Excellence in InfoSec and Linux
http://www.altsec.info
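The network-level half of the scheme discussed in this thread (steps 1, 3 and 4 of Packet Man's list, with a replay of the client's bytes standing in for the state transfer of step 2), as an added example that is not part of the original thread or any project it mentions: an inline proxy in front of the advertised address holds each new connection's bytes until a toy anomaly check has a verdict, then splices the connection to either the real server or the honeypot and replays what the client has sent so far, so the attacker sees one uninterrupted session to the same address. The NOP-sled signature, the 512-byte request limit, the line-oriented backends and all addresses are constructed for the demo; a real deployment would take the verdict from the IDS/HIDS instead of looks_hostile().

```python
import socket
import threading

# Constructed anomaly rules standing in for the IDS/HIDS verdict: a run of
# x86 NOPs (0x90), common in overflow payloads, or an oversized request.
NOP_SLED = b"\x90" * 16
MAX_REQUEST = 512


def looks_hostile(client_bytes: bytes) -> bool:
    """Toy anomaly detector; replace with the real IDS/HIDS signal."""
    return NOP_SLED in client_bytes or len(client_bytes) > MAX_REQUEST


def choose_backend(client_bytes, production_addr, honeypot_addr):
    """Redirect step: hostile sessions go to the honeypot, the rest to production."""
    return honeypot_addr if looks_hostile(client_bytes) else production_addr


def _close(sock):
    try:
        sock.shutdown(socket.SHUT_RDWR)   # also wakes a thread blocked in recv()
    except OSError:
        pass
    sock.close()


def _relay(src, dst):
    """Copy src -> dst until src sends EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, production_addr, honeypot_addr):
    """Hold the client's bytes until a verdict is possible (complete request
    line, hostile content, or EOF), then splice to the chosen backend and
    replay the held bytes.  Those bytes are the only 'connection state' this
    network-level variant carries; the server process itself is untouched."""
    held = b""
    while b"\n" not in held and not looks_hostile(held):
        chunk = client.recv(4096)
        if not chunk:
            break
        held += chunk
    backend = socket.create_connection(
        choose_backend(held, production_addr, honeypot_addr))
    backend.sendall(held)                       # replay what the attacker sent
    threading.Thread(target=_relay, args=(client, backend), daemon=True).start()
    _relay(backend, client)                     # server -> client until it hangs up
    _close(backend)
    _close(client)


def start_proxy(production_addr, honeypot_addr, host="127.0.0.1"):
    """Listen on an ephemeral port; returns the (host, port) the attacker sees."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen()

    def loop():
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle_client, daemon=True,
                             args=(client, production_addr, honeypot_addr)).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def serve_backend(name: bytes, host="127.0.0.1"):
    """Constructed line-oriented server used for both the production box and
    the honeypot: answers each connection with its name and the byte count."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                seen = b""
                while b"\n" not in seen:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    seen += chunk
                conn.sendall(b"[%s] saw %d bytes\n" % (name, len(seen)))

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def client_request(proxy_addr, payload: bytes) -> bytes:
    """One client (or attacker) session through the proxy; returns the reply."""
    with socket.create_connection(proxy_addr) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return reply
            reply += chunk


if __name__ == "__main__":
    prod = serve_backend(b"production")
    hp = serve_backend(b"honeypot")
    proxy = start_proxy(prod, hp)
    print(client_request(proxy, b"GET /index.html\n"))              # [production] ...
    print(client_request(proxy, b"GET /" + b"\x90" * 64 + b"\n"))   # [honeypot] ...
```

Two caveats a practitioner would raise: the proxy buffers before the verdict precisely so the production server never receives the hostile bytes, which is the opposite of the post-exploitation migration Cosmin describes; and because the honeypot only gets the client's side of the stream replayed, any server-side state (file handles, memory mappings, an established TLS session) is exactly the part this approach does not carry over, which is where the thread's harder questions about process migration and encrypted-connection takeover start.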
Current thread:
- search for master of science project topic dewadedw (Oct 09)
- 100% CPU utilization ???? George Kryparos (Oct 12)
- <Possible follow-ups>
- RE: search for master of science project topic Payton, Zack (Oct 11)
- Re: search for master of science project topic Valdis . Kletnieks (Oct 11)
- Re: search for master of science project topic NAHieu (Oct 12)
- Re: search for master of science project topic Valdis . Kletnieks (Oct 12)
- Re: search for master of science project topic Valdis . Kletnieks (Oct 11)
- Re: RE: search for master of science project topic gangadhar npk (Oct 14)
- Re: search for master of science project topic Packet Man (Oct 14)
- RE: search for master of science project topic Stejerean, Cosmin (Oct 14)
- Re: search for master of science project topic Harry Hoffman (Oct 14)
- Re: search for master of science project topic Nomellames nunca (Oct 16)
- Re: search for master of science project topic Harry Hoffman (Oct 14)