Flowmon ADS

HONEYPOT - Honeypot Traffic

  • Last Updated: April 5, 2026

Method description

This method is inspired by so-called honeypots (network traps): computers where no incoming traffic is expected, so all such traffic can be considered an anomaly. The detection method works similarly. The IP addresses representing honeypots are defined as filters, and if there is any access to these IP addresses, an event is generated.

This method consists of the following submethod:

  • General: Reports communication with a device that is intentionally publicly available as a target of attacks for potential intruders.

Method configuration

It is recommended to apply this method network-wide, to all traffic on the network except traffic from the IP addresses that are expected to access the honeypots (for example, because of configuration). For the method to function properly, the name of the filter that defines the honeypots must be set. The right place for traffic monitoring is the Internet connection line or the central switch.

Method parameters

  • IgnoreAccessFrom: The name of the filter that defines the IP addresses that are allowed to communicate with the honeypots (for example, because of management).

  • HoneypotFilter: The name of the filter that defines the IP addresses of the network traps that should not be contacted by any device (apart from the IP addresses defined by the IgnoreAccessFrom parameter).

Assigned filter

The filter is used for restricting source IP addresses.

Interpretation of results

This method alerts on unauthorized access to the chosen computers in the network. Such access could indicate horizontal scanning or an attempt to perform a network-wide attack.
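The matching logic described above, as an added Python sketch that is not Flowmon's implementation: the CIDR lists standing in for the HoneypotFilter, IgnoreAccessFrom and assigned filters, the flow record layout, and the `scan_threshold` used to label a source as a likely horizontal scan are all assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Hypothetical filter contents (constructed). In Flowmon ADS these are named
# filters; plain CIDR lists are an assumption of this example.
HONEYPOT_FILTER = [ip_network("192.0.2.10/32"), ip_network("192.0.2.64/30")]
IGNORE_ACCESS_FROM = [ip_network("10.0.5.0/28")]   # e.g. management hosts
ASSIGNED_FILTER = [ip_network("0.0.0.0/0")]        # restricts source addresses

# Constructed flow records: (timestamp, source IP, destination IP, destination port)
FLOWS = [
    ("2026-04-05T10:00:01", "203.0.113.7", "192.0.2.10", 22),
    ("2026-04-05T10:00:02", "203.0.113.7", "192.0.2.65", 22),
    ("2026-04-05T10:00:03", "203.0.113.7", "192.0.2.66", 22),
    ("2026-04-05T10:01:00", "10.0.5.3", "192.0.2.10", 22),       # allowed source
    ("2026-04-05T10:02:00", "198.51.100.9", "192.0.2.200", 80),  # not a honeypot
    ("2026-04-05T10:03:00", "198.51.100.9", "192.0.2.10", 445),
]

def in_any(addr, networks):
    """True if addr falls inside at least one of the given networks."""
    ip = ip_address(addr)
    return any(ip in net for net in networks)

def detect(flows, honeypots, ignore, assigned, scan_threshold=3):
    """Group honeypot accesses by source; one event per offending source."""
    events = {}
    for ts, src, dst, port in flows:
        if not in_any(dst, honeypots):
            continue  # destination is not a network trap
        if not in_any(src, assigned) or in_any(src, ignore):
            continue  # source outside the assigned filter, or explicitly allowed
        ev = events.setdefault(src, {"honeypots": set(), "ports": set(), "first_seen": ts})
        ev["honeypots"].add(dst)
        ev["ports"].add(port)
    for ev in events.values():
        # Assumption: touching several distinct traps suggests horizontal scanning.
        ev["horizontal_scan"] = len(ev["honeypots"]) >= scan_threshold
    return events

if __name__ == "__main__":
    for src, ev in detect(FLOWS, HONEYPOT_FILTER, IGNORE_ACCESS_FROM, ASSIGNED_FILTER).items():
        print(src, sorted(ev["honeypots"]), sorted(ev["ports"]), ev["horizontal_scan"])
```

Narrowing `ASSIGNED_FILTER` to a single segment shows how the assigned filter limits which sources can raise an event at all, independently of the IgnoreAccessFrom allow list.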
