
RE: IDS: RE: Honey pots / decoy servers


Lisbon (FMartins@pt.imshealth.com)
Thu, 26 Aug 1999 13:24:10 +0200


FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

---
Hi2all

(brainstorm continues ....) So Marty... we got an entire class C, and some services running on those fake IPs ... as in my last post, will the pings and traceroutes be able to detect (if made, for example, during one week of "alive" checks) any kind of standard delays between hosts? (rule one: if the attacker starts by checking just whether there is a sandbox/honeypot, it doesn't matter which services are running; probably he won't even check that in the 1st place ... he just starts to ping and traceroute ... low traffic, no attack, no scan ... just let's see if everybody got kinda "fixed timezones", because real traffic doesn't have that)

Then ... Marty's first flaw is assuming he knows the hacker profile ... never trust that, and don't go in the 1st place for "nah ... he'll never do it .... too many resources needed for it" ... we may know some profiles, but my point is HOW BAD does this guy want me? Personally and usually, I have some fun when people start to design hacker profiles ... because it can be the start of "being social" ... For example ... am I a hacker? :P~ In fact, since someone else brought it up (eheheh), I had given my little contribution on this to CSI ... but I put the question again (if he's listening ... it's for you Mr. Richard eheh) ... am I a hacker? :p~

About the level of paranoia ... that's exactly my point, because I always assume that the attacker's paranoia is bigger than my own ;) That's why I must assume that I never know, before being actually attacked (if I can see it, of course ...), how an attacker will attack, so, by Marty's rules I'll never be able to have a good honeypot :/ must start the definition of "nerdspot" or "nutspot" eheh

About the "slow roll scans" ... that's what I was asking about when I asked about delays ... and now I add the chance of each scan on each port being made every time from different sources ... (and the paranoia starts ...?)

Rule Number One is cool =) ... just add: everything is suspicious eheh, and that brings me some annoyance too, because IF I were an attacker, the first thing I'd search for is exactly whether my target likes honey =)

My first rule in hacker profiling: what are you most afraid of? That's where the attack will be ... "ooohhhh I have lots of honey!!" ... "good, I got lots of bees" eheh

About movies, I like Matrix more ... what is true after all? We, the honey, or the bees? =) Alternative reading ... http://www.kimsoft.com/polwar.htm (Sun Tzu on the Art of War ... this is 2400 years old, so it wasn't a hacker who wrote it ... but ... who did the translation? Is it trustworthy? eheh)

About sandboxes I agree with Marty, and I choose option d) all of the above and e) a little more than that. And what he explains after is even better, because my fear is not about known exploits, but 0days ... and it's just what he says ... if I try a known xploit one time, and the 2nd or 3rd time the xploit doesn't work any more ... I go for my \anti-xploit\0day\today and see if I must create a new tool (remember one of my first fears ... how bad does this guy want my box?)

I hope I get lots of flames with this mail ... good for my profiles knowledge base eheh

Kind Regards, Fernando Martins



This archive was generated by hypermail 2.0b3 on Thu Aug 26 1999 - 19:06:01 CDT