
Security Forums


IDS vs. Honeypot

marjetica
Posted: Wed Jul 14, 2010 7:51 am    Post subject: IDS vs. Honeypot

Hello.

I would like to set up an IDS on my small LAN for testing purposes. If I understood correctly, then a honeypot is part of an IDS?

I would like to detect port scanning, ping requests and ARP poisoning. I'm looking for software which will run on Windows XP. Maybe SNORT as a NIDS would be the best, but it is hard to configure.

I would like to start with HoneyBOT or OSSEC. What would you suggest: which one is better or more appropriate for my goals?

Thanks
Mr.Sachin
Posted: Thu Jul 15, 2010 9:36 am    Post subject: Network Management Solution

Hi,

Try OSSIM, it's a great tool... perfect for your needs.

In fact, it includes more features than you want, like port scan, Nessus, Ntop, inventory management, etc.


Sachin
marjetica
Posted: Fri Jul 16, 2010 7:22 pm

UPDATE: I noticed that I replace OSSEC with your proposal for OSSIM. I didn't look for OSSIM for now. I will look for OSSIM.


Today I wanted to set it up, but then I noticed that I need another host on my LAN, with a Unix system, to be an OSSEC server. Maybe I will prepare one old box and equip it with Ubuntu. Then I could set up all in one (server, agent).

My question here is, do I have to install the OSSEC agent on my own box, which I use for everyday work, or could I have the OSSEC agent on an independent computer, whose only function will be to run OSSEC HIDS?

Thank you.
clonmac
Posted: Fri Aug 06, 2010 9:34 pm

Honeypots and IDS are two different concepts on completely different ends of the spectrum.

Honeypots are non-production systems. They're based on the idea that a non-production system has no traffic going to it, so any traffic that is going to it can be considered malicious. So if all you have on your network is production computers, then you will need an additional system set up to be used as a honeypot. Think of a honeypot as setting a trap to lure attackers to. The nice thing about honeypots is that they can catch attacks that wouldn't be detected by your typical signature-based IDS system. The downside is that the attacker has to fall for the trap and infiltrate the honeypot in order for you to be alerted of such a breach.

IDS systems (whether HIDS or NIDS) are based on the opposite concept. They sift through all the legitimate data you have in order to find signatures or anomalies in network traffic, system memory, logs, etc., and determine whether or not to flag it as malicious.

A good security policy to have would be to incorporate many layers into your security design. There are types of attacks that both will catch that the other will miss. The idea is to have multiple layers so that you can cover as many attack vectors as possible.

As far as a honeypot goes, check out the Honeywall CDROM. It is a great option that is really easy to install and will get you up and running with a honeypot/net on your network in no time.

As far as HIDS goes, OSSEC, which you mentioned earlier, is a good free open source option. You install the management server on a Linux box and then from there you can install agents on any hosts that you want to protect and monitor.
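The contrast drawn in the post above, as an added example that is not part of the original thread: a honeypot rule (any traffic to a decoy is an alert) next to a threshold-based scan heuristic over production traffic, run on constructed flow records. All addresses, the 60-second window and the 10-target threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

DECOYS = {"10.0.0.99"}                  # honeypot with no production role (constructed)
PRODUCTION = {"10.0.0.5", "10.0.0.6"}   # real hosts (constructed)

def build_events():
    """Constructed flow records: (unix_seconds, src_ip, dst_ip, dst_port)."""
    events = []
    # Fast scanner: 15 ports on one production host in 15 seconds.
    events += [(1000 + i, "192.0.2.10", "10.0.0.5", 20 + i) for i in range(15)]
    # Slow prober: one connection every 10 minutes, eventually touches the decoy.
    events += [(1000, "192.0.2.20", "10.0.0.5", 445),
               (1600, "192.0.2.20", "10.0.0.6", 445),
               (2200, "192.0.2.20", "10.0.0.99", 445)]
    # Legitimate client: repeated HTTPS to one production server.
    events += [(1000 + 30 * i, "10.0.0.7", "10.0.0.5", 443) for i in range(20)]
    return sorted(events)

def honeypot_alerts(events, decoys=DECOYS):
    """Honeypot rule: any traffic at all to a decoy is suspicious."""
    return sorted({src for _, src, dst, _ in events if dst in decoys})

def scan_alerts(events, hosts=PRODUCTION, window=60, min_targets=10):
    """IDS-style heuristic: a source reaching >= min_targets distinct
    (host, port) pairs on production hosts within `window` seconds."""
    recent = defaultdict(deque)   # src -> deque of (time, (dst, port))
    flagged = set()
    for ts, src, dst, port in sorted(events):
        if dst not in hosts:
            continue
        q = recent[src]
        q.append((ts, (dst, port)))
        # Drop observations that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({target for _, target in q}) >= min_targets:
            flagged.add(src)
    return sorted(flagged)

if __name__ == "__main__":
    ev = build_events()
    print("honeypot:", honeypot_alerts(ev))
    print("scan heuristic:", scan_alerts(ev))
```

The slow prober stays under the scan threshold and is seen only by the decoy, while the fast scanner never touches the decoy and is seen only by the heuristic, which is the layering argument made in the post.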
abrahamj
Posted: Mon Sep 20, 2010 10:05 am    Post subject: Re:IDS vs. Honeypot

Try Ax3soft Sax2. Sax2 is a professional network intrusion detection (IDS) and intrusion prevention system (IPS) that detects a variety of attacks, including SQL injection attacks, worms, backdoor Trojans, ARP spoofing, CGI/WWW attacks, DoS/DDoS, password guessing and so on. Visit http://www.Ids-sax2.com and download Sax2 to help you. You may also refer to this article: "Quick Locate ARP Spoofing Attack Source" (http://www.ids-sax2.com/articles/QuickLocateARPAttackSource.htm).
All times are GMT + 2 Hours