Thread: IDS vs Honeypot

  1. #1
    Join Date
    Oct 2010
    Posts
    171

    IDS vs Honeypot

    I want to set up an IDS on my small LAN just for testing purposes. I have a doubt about an IDS: is it a part of a honeypot or not? My machine is running the Windows XP operating system. Actually I am looking to detect port scanning, ping requests and ARP poisoning. I guess SNORT would be the best one, but it seems to be hard to configure. Can anybody first tell me the difference between a honeypot and an IDS, and what I should use to make configuring it easy?

  2. #2
    Join Date
    Jun 2009
    Posts
    886

    Re: IDS vs Honeypot

    A honeypot is a trap that is used to identify, prevent and, to some extent, neutralize attempts to hijack systems and information networks. It usually consists of a single computer or a network site that masquerades as a normal computer or network. It can also be made to resemble a used IP address, a file or a folder. It tries hackers, claiming to contain data that cybercriminals often find important. It can fool the hacker into thinking it is an open proxy. A honeypot is usually used as a surveillance system and an early warning mechanism. Since a honeypot is there to watch a part of a system that hackers do not use, it does not need other elements such as a filter or a spam recognition capability to determine if the incoming traffic is malicious. However, the judicious use of honeypots is they need to actually put a system at risk; hackers can use them as doors (known as backdoors) to a system.
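
The contrast between the two approaches asked about in this thread, as an added example that is not part of any post: an IDS-style rule needs a threshold to pick a port scan out of normal traffic, while a honeypot-style rule reports every connection to an address nothing legitimate uses. The events, IP addresses and threshold values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (seconds, source IP, destination IP, destination port).
# 192.168.1.50 is a hypothetical decoy address that no real service or user uses.
DECOY_IP = "192.168.1.50"
EVENTS = [
    (0.0, "192.168.1.20", "192.168.1.10", 80),
    (1.0, "192.168.1.30", "192.168.1.10", 21),
    (1.2, "192.168.1.30", "192.168.1.10", 22),
    (1.4, "192.168.1.30", "192.168.1.10", 23),
    (1.6, "192.168.1.30", "192.168.1.10", 25),
    (1.8, "192.168.1.30", "192.168.1.10", 80),
    (5.0, "192.168.1.20", "192.168.1.10", 443),
    (9.0, "192.168.1.40", DECOY_IP, 445),
]

def ids_port_scan_alerts(events, min_ports=5, window=10.0):
    """IDS-style rule: flag a source that touches at least min_ports distinct
    ports on one host within `window` seconds. The threshold is what
    separates a scan from normal traffic."""
    seen = defaultdict(list)  # (src, dst) -> [(time, port), ...]
    alerts = set()
    for ts, src, dst, port in sorted(events):
        hits = seen[(src, dst)]
        hits.append((ts, port))
        # Keep only the hits that are still inside the sliding window.
        hits[:] = [(t, p) for t, p in hits if ts - t <= window]
        if len({p for _, p in hits}) >= min_ports:
            alerts.add(src)
    return sorted(alerts)

def honeypot_alerts(events, decoy_ip=DECOY_IP):
    """Honeypot-style rule: nothing legitimate talks to the decoy, so every
    connection to it is reported, with no threshold or filter."""
    return sorted({src for _, src, dst, _ in events if dst == decoy_ip})

if __name__ == "__main__":
    print("IDS port-scan alerts:", ids_port_scan_alerts(EVENTS))
    print("Honeypot alerts:     ", honeypot_alerts(EVENTS))
```

The single connection from 192.168.1.40 stays below the IDS threshold and is only caught because it touched the decoy.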

  3. #3
    Join Date
    Mar 2009
    Posts
    1,221

    Re: IDS vs Honeypot

    Researchers have created a proof of concept showing the effectiveness of automated attacks that use social engineering to trick users of instant messaging services such as IRC. This attack uses a HoneyBot man-in-the-middle, which allows it to spy on and guide the conversations of victims it has itself put in contact by initiating an individual dialogue with each of them. If the recipients respond, it transfers these responses between the different users contacted, so that the victims continue to feed all these conversations. With the threads passing through it, HoneyBot can also change the terms to refer victims to topics conducive to the collection and disclosure of sensitive information. Instead of using artificial intelligence for its answers, it favors a role here as a bridge between its victims.

  4. #4
    Join Date
    Jun 2009
    Posts
    909

    Re: IDS vs Honeypot

    The messages received on a bi-directional by the latter are also identified as coming from the pseudonym HoneyBot, although issued by another participant in the "spoofed" conversation. It is capable of initiating and guiding the dialogue in several different languages, namely English, French and Italian. HoneyBot can also insert malicious links for phishing attacks or the distribution of malicious programs. The purpose of the device is to educate Internet users about the threats posed by such devices. The tests showed that sixty-six per cent of the attacks led to a fraudulent click. Wishing to demonstrate their feasibility as much as their large-scale efficacy, the researchers admit, however, to being surprised themselves by the success of this attack and its click rates. The next step will also bring HoneyBot to courier social networks.

  5. #5
    Join Date
    May 2009
    Posts
    1,084

    Re: IDS vs Honeypot

    I guess OSSIM would be the perfect tool for you to use. OSSIM is open source software providing an infrastructure for real-time monitoring of security (intrusion detection and statistical analysis).
    • Provide a centralized platform
    • Provide console organization
    • Improving detection and display of security alarms

    The architecture of OSSIM consists of a centralized server to which agents can connect.

  6. #6
    Join Date
    May 2008
    Posts
    1,304

    Re: IDS vs Honeypot

    The applications Ossim-agent (OSSIM agent) and Ossim-server (OSSIM server) have the following characteristics:
    1. OSSIM-Agent hosts various plugins (network sensor, network statistics sensor, etc.). The agent retrieves the information from the plugins' log files and sends it directly to the OSSIM server, allowing real-time processing of the information. The OSSIM agent also deals with starting and stopping the different probes (plugins) it hosts. It will thus not be necessary to start the agent's plugins by hand, since their activation will be done from the management console provided by Ossim-server.
    2. OSSIM-server is the core of the architecture. It contains modules for analysis and correlation of data and a web server allowing interaction with the user (the network administrator in charge of security).
