IDS Archives: Re: IDS: RE: Honey pots / decoy servers



Wagner Brett (wagner_brettbah.com)
Wed, 25 Aug 1999 15:00:37 -0400


FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
USUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
---------------------------------------------------------------------------

---
All,

I am not a "Honey Pot" expert; however, I worked for Internetworking, and their product GTE Sentinel was able to do this, per the developers. I know a little about this particular product and it seemed like a good choice. I do not work there any longer, so I do not think I am biased. On another note, can security professionals accomplish the same thing with the Deception ToolKit and some other free tools?

Cheers,
Brett

"Martins, Fernando (Lisbon)" wrote:
>
> Hi2all
>
> I'm reading some info on Cybercop too, but not enough to jump to a valid conclusion, like .... "I can dump that"
>
> But ... let's brainstorm a little ...
>
> Thinking about the networks and subnetworks that the honeypot can have ... if I start to ping and trace IPs there, is there any simulation of delays between hosts? random? fixed? if a standard is found ... that's a honeypot, because in a real environment pings and traces can give us similar delays, but not always the same ...
> Comments, tips, flames? =;o)
>
> Thinking in OS fingerprint ... (anyone can continue, because I can't ... eheh)
>
> Kind Regards,
> Fernando Martins
>
> > -----Original Message-----
> > From: Jon Speer [SMTP:speertripwiresecurity.com]
> > Sent: Terça-feira, 24 de Agosto de 1999 21:39
> > To: idsuow.edu.au
> > Subject: IDS: Honey pots / decoy servers
> >
> > Honeypots and decoy servers have been around for years, and at one time or another many of us have experimented with the Deception ToolKit or similar technologies. I am now seeing plenty of press coverage for products like Recourse ManHunt and Network Associates Cybercop Sting, generally associated with collecting forensics evidence.
> >
> > My question is.. do they really work very well? It seems to me that it couldn't be that hard to learn enough characteristics of behavior of each of these to detect when you encounter one, and that it wouldn't be all that effective at getting more info than your last jump point. Has anyone actually gathered admissible evidence from this kind of technology?
> >
> > Thanks,
> > Jon Speer
> > Tripwire
> >
> > ** My thoughts here are not representative of my employers **



This archive was generated by hypermail 2.0b3 on Thu Aug 26 1999 - 02:50:17 CDT