Author: marjetica PostPosted: Wed Jul 14, 2010 7:51 am    Post subject: IDS vs. Honeypot

I would like to set up an IDS on my small LAN for testing purposes. If I understood correctly, then a honeypot is part of an IDS?

I would like to detect port scanning, ping requests and ARP poisoning. I'm looking for software which will run on Windows XP. Maybe Snort as a NIDS would be the best, but it is hard to configure.

I would like to start with HoneyBOT or OSSEC. What would you suggest to me, which one is better or more appropriate for my goals?


Author: Mr.Sachin PostPosted: Thu Jul 15, 2010 9:36 am    Post subject: Network Management Solution

Try OSSIM, it's a great tool... perfect for your needs.

In fact it includes more features than you want, like port scan, Nessus, Ntop, inventory management etc.


Author: marjetica PostPosted: Fri Jul 16, 2010 7:22 pm    Post subject:

UPDATE: I noticed that I replaced OSSEC with your proposal, OSSIM. I haven't looked at OSSIM yet. I will look into it.

Today I wanted to set it up, but then I noticed that I need another host on my LAN, with a Unix system, to be an OSSEC server. Maybe I will prepare one old box and equip it with Ubuntu. Then I could set up all in one (server, agent).

My question here is, do I have to install the OSSEC agent on my own box, which I use for everyday work, or could I have the OSSEC agent on an independent computer whose only function will be to run OSSEC HIDS?

Thank you.

Author: clonmac PostPosted: Fri Aug 06, 2010 9:34 pm    Post subject:

Honeypots and IDS are two different concepts on completely different ends of the spectrum.

Honeypots are non-production systems. They're based on the idea that a non-production system has no traffic going to it, so any traffic that is going to it can be considered malicious. So if all you have on your network is production computers, then you will need an additional system set up to be used as a honeypot. Think of a honeypot as setting a trap to lure attackers into. The nice thing about honeypots is that they can catch attacks that wouldn't be detected by your typical signature-based IDS system. The downside is that the attacker has to fall for the trap and infiltrate the honeypot in order for you to be alerted to such a breach.

IDS systems (whether HIDS or NIDS) are based on the opposite concept. They sift through all the legitimate data you have in order to find signatures or anomalies in network traffic, system memory, logs, etc., and determine whether or not to flag it as malicious.

A good security policy to have would be to incorporate many layers into your security design. There are types of attacks that both will catch that the other will miss. The idea is to have multiple layers so that you can cover as many attack vectors as possible.

As far as a honeypot goes, check out the Honeywall CDROM. It is a great option that is really easy to install and will get you up and running with a honeypot/net on your network in no time.

As far as HIDS goes, OSSEC, which you mentioned earlier, is a good free open source option. You install the management server on a Linux box and then from there you can install agents on any hosts that you want to protect and monitor.
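To make the two concepts in this reply concrete against the original poster's goals (port scans, ARP poisoning), here is an added illustrative example that is not from any poster, nor from OSSEC, Snort or Honeywall. It runs three simple rules over constructed packet records: a threshold rule for port scans, an IP-to-MAC conflict rule for ARP poisoning, and the honeypot rule from the reply above (any contact with a decoy host is reported). All addresses and the record layout are invented for the example.

```python
from collections import defaultdict

# Constructed sample records (not a real capture): (ts, proto, src_ip, src_mac, dst_ip, dst_port).
# For "arp" records src_ip/src_mac are the sender fields of the reply; for "tcp" they are the SYN source.
SAMPLE_EVENTS = [
    (0.0, "arp", "192.168.1.1", "aa:aa:aa:aa:aa:01", None, None),            # gateway announces itself
    (1.0, "tcp", "192.168.1.50", "aa:aa:aa:aa:aa:50", "192.168.1.10", 445),  # ordinary file-share traffic
]
# One host probing 15 ports on a single target inside two seconds: the port-scan pattern.
SAMPLE_EVENTS += [(2.0 + i * 0.1, "tcp", "192.168.1.66", "aa:aa:aa:aa:aa:66", "192.168.1.10", 20 + i)
                  for i in range(15)]
# A later ARP reply claims the gateway's IP with a different MAC: the ARP-poisoning signature.
SAMPLE_EVENTS.append((5.0, "arp", "192.168.1.1", "de:ad:be:ef:00:66", None, None))
SAMPLE_EVENTS.append((6.0, "tcp", "192.168.1.66", "aa:aa:aa:aa:aa:66", "192.168.1.200", 22))  # decoy contact

def detect_port_scan(events, threshold=10, window=5.0):
    """Return sources that hit >= threshold distinct destination ports within `window` seconds."""
    hits = defaultdict(list)          # src_ip -> [(ts, dst_port), ...]
    flagged = []
    for ts, proto, src, _mac, _dst, port in events:
        if proto != "tcp":
            continue
        hits[src].append((ts, port))
        recent_ports = {p for t, p in hits[src] if ts - t <= window}
        if len(recent_ports) >= threshold and src not in flagged:
            flagged.append(src)
    return flagged

def detect_arp_poison(events):
    """Return (ip, first_mac, new_mac) for every IP whose claimed MAC changes across ARP replies."""
    mapping = {}                      # ip -> first MAC seen claiming it
    conflicts = []
    for _ts, proto, ip, mac, _dst, _port in events:
        if proto != "arp":
            continue
        if ip in mapping and mapping[ip] != mac:
            conflicts.append((ip, mapping[ip], mac))
        mapping.setdefault(ip, mac)
    return conflicts

def detect_decoy_contact(events, decoy_ip):
    """Honeypot rule: the decoy serves nothing, so any source that contacts it is reported."""
    return sorted({src for _ts, proto, src, _mac, dst, _port in events if proto == "tcp" and dst == decoy_ip})

if __name__ == "__main__":
    print("port scan:", detect_port_scan(SAMPLE_EVENTS))
    print("arp poison:", detect_arp_poison(SAMPLE_EVENTS))
    print("decoy contact:", detect_decoy_contact(SAMPLE_EVENTS, "192.168.1.200"))
```

Note the honeypot rule needs no signature at all, which is exactly why it catches things the threshold rules miss, while the threshold rules fire on production traffic that never touches the decoy.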

Author: abrahamj PostPosted: Mon Sep 20, 2010 10:05 am    Post subject: Re:IDS vs. Honeypot
