Penetration Testing mailing list archives

Re: [PEN-TEST] Recourse Technolo


From: LEE FISHER <LEE.FISHER () BCBSSC COM>
Date: Wed, 4 Oct 2000 08:20:00 -0400

Not every network is the same and the tools used must be tailored for that
network and the threat, which may or may not create the need for installing a
honeypot.  Everyone seems to be concentrating on using the honeypot on the
external side, but it can be useful flypaper for the internal side of
networks.  Insider issues must be addressed in any layered defense plan and
there are some valuable pluses to deploying an internal honeypot.



LF

------------------( Forwarded letter 1 follows )---------------------
Date:         Tue, 3 Oct 2000 14:14:37 -0700
To: PEN-TEST () SECURITYFOCUS COM inet
From: mark.teicher () NETWORKICE COM inet
Sender: owner-pen-test () SECURITYFOCUS COM inet
Reply-To: Penetration.Testers[PEN-TEST]@SECURITYFOCUS.COM.inet
Subject: Re: [PEN-TEST] Recourse Technologies  -- info wanted

OK

Here we go again.  The definition of what an attack signature is has been
very skewed these days.  Each IDS vendor has their own definition of what
an attack signature is; this also goes for people who used to be involved
in security scanner type development.  How one vendor defines a signature
is completely different from the next.  Sales/marketing people use the
signature game to land a sale when in fact an IDS with fewer "signatures"
per se may be a better product than the others.  Throwing in bad URLs or
porn sites is a good way of fattening up one's signature base.

Pattern matching or full protocol analysis is the differentiator; once you
are at the packet level, only a few IDS vendors can actually analyze lots
of traffic (big pipes) instead of small to medium pipes.

The essence of it is probably in the heuristics of the protocol analysis
of the would-be attack.  Once you have licked this issue, as some IDS
vendors have, optimizing it is the next real issue.

The issue with ManTrap/ManHunt is that it really isn't designed to handle
lots of connections at once, and one small TCP ESTAB that is doing
something malicious

If someone comes up with a way to do this, please feel free to post.

I was just commenting on the fact that a honeypot should not need to be
fast, but able to capture a hacker's input and be able to assemble a
reasonable recording of what the hack attempts were and provide some sort
of feedback on how certain systems should be tuned to avoid being hacked
in real time.



On Tue, 3 Oct 2000, Oliver Friedrichs wrote:

I've come to believe that this is more of a marketing tactic than an actual
fact.  I can believe that this would be true for an IDS with only a few
signatures enabled, or one doing offline processing, but for an IDS that is
doing pattern matches on over 700 signatures in realtime, this is
practically infeasible.  Feel free to prove me wrong, but I've heard from
several people, even friends working for competing companies, who claim
their IDS does this, and I don't believe it.  My reasoning is that for me to
believe this there have to be proven facts, rather than marketing hype.  And
I would also want to understand their algorithm for doing this, which I
don't believe any of them have made public.  This is very similar to the
scanner market, where each vendor may have their own method for detecting a
particular vulnerability, and the customer places implicit trust in the
vendor, with very few having any idea what happens under the hood.

I doubt this will change anytime soon though; after all, who would want to
release such a detailed specification of their product, in fear of losing
their perceived advantage.

- Oliver

-----Original Message-----
From: Mark Teicher [mailto:mark.teicher () NETWORKICE COM]
Sent: Tuesday, October 03, 2000 8:43 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Recourse Technologies -- info wanted


I would like to see them prove the following statement: "With 100 percent
data capture at volumes exceeding 1 Gbps", since only a few IDS vendors
are capable of capturing data at volumes of 1 Gbps.

/mark


At 11:08 PM 10/2/00 -0400, subscribe wrote:
ManTrap and ManHunt:

coded in C++ and Java...the usual Java for the GUI viewing....

what else?
 >> oh, has 'typical' signatures coded in software, BUT also has 'anomaly'
based signatures as well...not pure 'anomaly', but it has been coded in a
way that it attempts to take a known signature, tweak it a bit (for
example, slow the packets down, etc.), and treat that as a threat as well.
In layman's terms, it knows what all IDS know, and a step beyond it
attempts to pre-empt new attacks which are based on old ones via these
anomaly signatures.

c.t.




Hello:

Has anybody dealt with or know about Recourse Technologies
(www.recoursetechnologies.com) and its products?  Any info is appreciated.
Thanks,
-andrew
