Snort mailing list archives
RE: VERY simple 'virtual' honeypot
From: "Sawyer, John H." <JSawyer () mail ifas ufl edu>
Date: Fri, 8 Mar 2002 09:16:51 -0500
What about incorporating LaBrea? http://www.hackbusters.net/LaBrea/

<SNIP>
LaBrea is a program that creates a tarpit or, as some have called it, a "sticky honeypot". LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer to connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get "stuck", sometimes for a very long time.
</SNIP>

It currently creates a "tarpit" to trap scans to IPs that aren't currently being used. Maybe someone could come up with a way to make Snort and LaBrea work together. Snort could handle all packet captures while LaBrea provides IPs for the attacker to get tangled in.

-jhs
------------------------------------------------
John H. Sawyer
University of Florida
jsawyer () ufl edu

> > Most honeypots work on the same concept, a system that has no
> > production activity. You deploy a box that has no production
> > value, any packets going to that box indicate a probe, scan, or
> > attack. This helps reduce both false positives and false
> > negatives. Examples of such honeypots include BackOfficer Friendly,
> > DTK, ManTrap, Specter, and Honeynets.
> >
> > However, I was just thinking, why bother deploying the box?
> > Why not create a list of Snort rules that generate an alert
> > whenever a TCP/SYN packet or UDP packet is sent to an IP
> > address that has no system? This could indicate a probe,
> > scan or attack, the same principles of a honeypot, but
> > without deploying an actual system.
> >
>
> Better yet have snort spoof a reply (i.e. pretend that a valid port is
> there). Then the attacker comes back later for more, giving you more
> information and wasting more of their time. Then you get a bit of the best
> of both worlds. I'm sure snort, portsentry or something similar could easily
> be hacked up to do it.
>
> Alternatively, use port redirects on Linux/OpenBSD to redirect stuff for
> unused networks to a "legit" server that will reply with basic stuff.
>
> > Thoughts?
> >
> > --
> > Lance Spitzner
> > http://project.honeynet.org
>
>
> Kurt Seifried, kurt () seifried org
> A15B BEE5 B391 B9AD B0EF  AEB0 AD63 0B4E AD56 E574
> http://seifried.org/security/
> http://www.idefense.com/digest.html
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
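Lance's suggestion in the quoted message (alert on any TCP SYN or UDP datagram sent to an address with no system behind it) can be turned into Snort rules mechanically. The script below is an added example, not code from the thread, from Snort or from LaBrea: it takes the block Snort watches and the hosts that are actually in use, carves the unused ("dark") address space out as a CIDR list, emits the two Snort rules, and runs the same logic over a few constructed packet records. The network 192.0.2.0/28 (TEST-NET-1), the in-use host list, the SID range and the sample packets are all assumptions chosen for illustration.

```python
"""Added example (not from the thread): the 'virtual honeypot' idea as code.

Compute the unused address space of a monitored block, generate Snort rules
that alert on a TCP SYN or any UDP datagram sent there, and apply the same
logic to constructed packet records.  The network, hosts and packets below
are assumptions for illustration, not real captures.
"""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network
# Constructed packet record: (destination IP, protocol, TCP flag string)
Packet = Tuple[str, str, str]


def dark_space(monitored: str, in_use: Iterable[str]) -> List[Net]:
    """Return the monitored block minus every in-use host, as a sorted CIDR list."""
    remaining = [ipaddress.ip_network(monitored)]
    for host in in_use:
        host_net = ipaddress.ip_network(f"{host}/32")
        carved: List[Net] = []
        for net in remaining:
            if host_net.subnet_of(net):
                # address_exclude splits 'net' into the largest blocks that avoid the host
                carved.extend(net.address_exclude(host_net))
            else:
                carved.append(net)
        remaining = carved
    return sorted(remaining)


def snort_rules(dark: List[Net], base_sid: int = 1000001) -> List[str]:
    """Emit the two rules. SIDs from 1000000 up are the local range (assumed unused here)."""
    targets = "[" + ",".join(str(n) for n in dark) + "]"
    return [
        # flags:S matches a bare SYN only, i.e. a new connection attempt
        f'alert tcp any any -> {targets} any (msg:"Virtual honeypot: TCP SYN to unused address"; '
        f"flags:S; sid:{base_sid}; rev:1;)",
        f'alert udp any any -> {targets} any (msg:"Virtual honeypot: UDP to unused address"; '
        f"sid:{base_sid + 1}; rev:1;)",
    ]


def is_probe(dark: List[Net], dst_ip: str, proto: str, tcp_flags: str = "") -> bool:
    """Mirror the rules: fire only for a bare SYN or a UDP datagram aimed at dark space.

    A SYN/ACK or RST arriving at an unused address is backscatter (someone else
    spoofed our dark address as a source), not a probe of us, so it is not matched.
    """
    addr = ipaddress.ip_address(dst_ip)
    if not any(addr in net for net in dark):
        return False
    if proto == "udp":
        return True
    return proto == "tcp" and tcp_flags == "S"


def classify(dark: List[Net], packets: Iterable[Packet]) -> List[Tuple[Packet, bool]]:
    """Apply is_probe to each record and pair it with the verdict."""
    return [(pkt, is_probe(dark, *pkt)) for pkt in packets]


SAMPLE_PACKETS: List[Packet] = [  # constructed for the example
    ("192.0.2.7", "tcp", "S"),   # SYN to an unused address: probe
    ("192.0.2.7", "tcp", "SA"),  # SYN/ACK to an unused address: backscatter, ignored
    ("192.0.2.9", "udp", ""),    # UDP to an unused address: probe
    ("192.0.2.1", "tcp", "S"),   # SYN to a real host: ordinary traffic, not this rule's job
]

if __name__ == "__main__":
    dark = dark_space("192.0.2.0/28", ["192.0.2.1", "192.0.2.4"])
    print("\n".join(snort_rules(dark)))
    for pkt, hit in classify(dark, SAMPLE_PACKETS):
        print(f"{pkt} -> {'ALERT' if hit else 'pass'}")
```

The rule list has to be regenerated whenever a host is added to or removed from the block, otherwise a newly deployed server shows up as a flood of "probes" (a false positive) or a decommissioned address goes unwatched (a false negative). Matching on a bare SYN rather than any TCP segment is what keeps backscatter from spoofed-source scans elsewhere out of the alert log.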