
Thread: IDS & Honeypot - Differences?

  1. #11
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Quote Originally Posted by jockey0109
    Well can someone tell the answer to my question? (some posts above)?
    The answer is, it depends. Requirements drive where, when, how and why you deploy a honeypot. They are not "typically" set up in DMZs or anywhere else. They are set up all over the place for different reasons. There is no such thing as a "normal" honeypot config.

    For more information than you'll ever want or need on the topic, go here:
    http://www.honeynet.org/

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #12
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    Thanks TH13. I have already visited the site you have mentioned. It was not too clear and that is why I am asking it here. Anyway, thanks a lot for the answer and clarification.
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

  3. #13
    Junior Member
    Join Date
    Mar 2004
    Posts
    8
    This site may help you out some jockey.

    http://www.sans.org/reading_room/whi...udies/1465.php
    "Don't be quick to judge, you may not know the hardships people don't speak of..."

  4. #14
    Senior Member PacketThirst's Avatar
    Join Date
    Aug 2004
    Posts
    258
    Honeypots are research tools, IDS devices are alerting tools.
    thehorse: Honeypots can be very good at alerting too. I consider them better than IDS because they hardly generate any false positives or false negatives. To put it in simple words, IDSs bitch while Honeypots don't. To prove my point, think of a box running a fake service. An attacker will surely SYN the service in the initial scanning phase, causing an alert. A clever attacker can mess with the IDS in many ways to mask his activity. It's really not what honeypots are traditionally made to do; but who the hell gives a sh*t about traditions these days.

    This is inaccurate. A passive device such as an IDS is an alerting tool, not a defense mechanism. It alerts you *after* an event has happened, it does not defend against the actual event.
    Well, Pfleeger (Pearson - Security In Computing) classifies IDSs into two - passive and reactive. The reactive one is called IPS. But, isn't it an IDS anyway?
    Last edited by PacketThirst; April 29th, 2007 at 03:31 AM.

  5. #15
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    Honeypots are IDSs, IDSs are not Honeypots. Honeypots are a subset of IDSs if treated as such.

  6. #16
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Honeypots can be very good at alerting too. I consider them better than IDS because they hardly generate any false positives or false negatives.
    Honeypots perhaps do not provide many false pos/negs, but they are much more limited in scope than an IDS. They catch very specific types of events while IDS devices capture most, if not all, varieties.

    Reactive IDS devices (IPS) or whatever name you slap to them are intended to be defense mechanisms. The problem is that I have yet to see someone deploy an IPS solution with great success. No one wants to impact the business adversely with a bad IPS rule, so most are configured so lightly they barely make a difference.

    Another 2 cents...

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
