Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: <nfudd () vsol net>
Date: Fri, 8 Mar 2002 05:03:20 -0800 (PST)
On Thu, 7 Mar 2002, Kurt Seifried wrote:
However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could indicate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system.
<snip>
Better yet, have snort spoof a reply (i.e. pretend that a valid port is there). Then the attacker comes back later for more, giving you more information and wasting more of their time. Then you get a bit of the best of both worlds. I'm sure snort, portsentry or something similar could easily be hacked up to do it. Alternatively, use port redirects on Linux/OpenBSD to redirect stuff for unused networks to a "legit" server that will reply with basic stuff.
See 'Labrea' (http://www.hackbusters.net/). It does what you want. It monitors unused IP addresses, and any requests for those IP addresses generate false ARP replies, followed by false TCP connection establishment, using a minuscule window size. It was developed to slow to a crawl programs like CodeRed, by slowing down connection/infection attempts to the lowest value allowed by the laws of TCP/IP. CodeRed can't move on to new IP addresses until it's finished with the first ones, and so a single Labrea can 'tarpit' a whole lot of CodeRed viruses... or any OTHER port scanner.

Basically, it looks like every single port on every single unused IP address is open. If you telnet to one, your telnet will freeze; if you browse to port 80, your browser times out, etc, etc.

See what you think.

--
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
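The "alert on any SYN or UDP packet to an address with no system" idea quoted above, as an added example that is not part of this thread: it derives the dark addresses of a subnet from a list of live hosts, emits one Snort rule per address, and applies the same test offline to a few constructed packet records so the rule logic can be checked before it is deployed. The subnet, host list, SIDs and packets are all constructed for illustration.

```python
import ipaddress

# Constructed example: a small monitored subnet (RFC 5737 documentation range)
# and the addresses that really have a system behind them.  Every other
# address in the subnet is "dark" and should never be spoken to.
SUBNET = ipaddress.ip_network("192.0.2.0/28")
LIVE_HOSTS = {"192.0.2.1", "192.0.2.5", "192.0.2.10"}

# Constructed packet records: (src, dst, proto, tcp_flags).
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.2", "tcp", "S"),   # SYN to a dark address
    ("198.51.100.7", "192.0.2.3", "tcp", "S"),   # SYN to another dark address
    ("198.51.100.7", "192.0.2.4", "udp", ""),    # UDP to a dark address
    ("198.51.100.9", "192.0.2.1", "tcp", "S"),   # SYN to a live host: normal
    ("198.51.100.9", "192.0.2.2", "tcp", "A"),   # stray ACK, not a SYN probe
]


def unused_addresses(subnet, live_hosts):
    """Addresses in the subnet that have no system (the virtual honeypot space)."""
    return [str(ip) for ip in subnet.hosts() if str(ip) not in live_hosts]


def snort_rules(addresses, base_sid=1000001):
    """One TCP-SYN rule and one UDP rule per dark address.

    flags:S,12 matches packets with only SYN set while ignoring the two
    reserved (ECN) bits, so ECN-capable scanners still trigger the rule.
    The SID range is a placeholder; pick one that is free on your sensor.
    """
    rules, sid = [], base_sid
    for addr in addresses:
        rules.append(f'alert tcp any any -> {addr} any '
                     f'(msg:"Dark IP TCP SYN probe to {addr}"; flags:S,12; '
                     f'sid:{sid}; rev:1;)')
        rules.append(f'alert udp any any -> {addr} any '
                     f'(msg:"Dark IP UDP probe to {addr}"; sid:{sid + 1}; rev:1;)')
        sid += 2
    return rules


def dark_hits(packets, dark):
    """Offline equivalent of the rules: count per source the packets that would
    alert (any UDP, or TCP with exactly the SYN flag, to a dark address)."""
    hits = {}
    for src, dst, proto, flags in packets:
        if dst in dark and (proto == "udp" or (proto == "tcp" and flags == "S")):
            hits[src] = hits.get(src, 0) + 1
    return hits


if __name__ == "__main__":
    dark = unused_addresses(SUBNET, LIVE_HOSTS)
    print("\n".join(snort_rules(dark)))
    print(dark_hits(SAMPLE_PACKETS, set(dark)))   # {'198.51.100.7': 3}
```

Only a source that repeatedly touches dark addresses stands out, which is the point: a single stray ACK or a SYN to a real host generates nothing.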