Snort mailing list archives

RE: VERY simple 'virtual' honeypot


From: "Sawyer, John H." <JSawyer () mail ifas ufl edu>
Date: Fri, 8 Mar 2002 09:16:51 -0500

What about incorporating LaBrea?  http://www.hackbusters.net/LaBrea/

<SNIP>
LaBrea is a program that creates a tarpit or, as some have called it, a
"sticky honeypot". LaBrea takes over unused IP addresses on a network and
creates "virtual machines" that answer to connection attempts. LaBrea
answers those connection attempts in a way that causes the machine at the
other end to get "stuck", sometimes for a very long time.
</SNIP>

It currently creates a "tarpit" to trap scans to IP's that aren't currently
being used.  Maybe someone could come up with a way to make Snort and LaBrea
work together.  Snort could handle all packet captures while LaBrea provides
IP's for the attacker to get tangled in.


-jhs

------------------------------------------------
John H. Sawyer
University of Florida
jsawyer () ufl edu

<> > Most honeypots work on the same concept, a system that has no
<> > production activity.  You deploy a box that has no production
<> > value, any packets going to that box indicate a probe, scan, or
<> > attack.  This helps reduce both false positives and false
<> > negatives.  Examples of such honeypots include BackOfficer Friendly,
<> > DTK, ManTrap, Specter, and Honeynets.
<> >
<> > However, I was just thinking, why bother deploying the box?
<> > Why not create a list of Snort rules that generate an alert
<> > whenever a TCP/SYN packet or UDP packet is sent to an IP
<> > address that has no system?  This could indicate a probe,
<> > scan or attack, the same principles of a honeypot, but
<> > without deploying an actual system.
<> >
<> 
<> Better yet have snort spoof a reply (i.e. pretend that a valid port is
<> there). Then the attacker comes back later for more giving you more
<> information and wasting more of their time. Then you get a bit of the best
<> of both worlds. I'm sure snort, portsentry or something similar could easily
<> be hacked up to do it. Alternatively, use port redirects on Linux/OpenBSD to
<> redirect stuff for unused networks to a "legit" server that will reply with
<> basic stuff.
<> 
<> > Thoughts?
<> >
<> > --
<> > Lance Spitzner
<> > http://project.honeynet.org
<> 
<> 
<> 
<> Kurt Seifried, kurt () seifried org
<> A15B BEE5 B391 B9AD B0EF
<> AEB0 AD63 0B4E AD56 E574
<> http://seifried.org/security/
<> http://www.idefense.com/digest.html
<> 


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
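The rule set Lance describes, written out as an added example (this is not code from the thread or from the Snort project). It assumes a variable named UNUSED_NET holding the address blocks on your network that carry no hosts; the two ranges shown are constructed placeholders, and the sid values are picked from the local (1000000+) range.

```snort
# snort.conf fragment: alert on any attempt to reach an address nobody uses.
# UNUSED_NET is an assumed name; replace the constructed ranges with the
# real dark address space on your network (omit broadcast addresses and
# anything that legitimately sees traffic, such as DHCP or NetBIOS browsing,
# or the rules will fire on noise rather than on probes).
var EXTERNAL_NET any
var UNUSED_NET [10.0.5.0/24,10.0.9.128/25]

# TCP connection attempts: flags:S matches a packet with only the SYN bit
# set, i.e. the first packet of a connect() or a SYN scan.
alert tcp $EXTERNAL_NET any -> $UNUSED_NET any (msg:"DARKNET TCP SYN to unused address"; flags:S; classtype:attempted-recon; sid:1000001; rev:1;)

# Any UDP datagram to an unused address is equally suspicious, since no
# service could have solicited it.
alert udp $EXTERNAL_NET any -> $UNUSED_NET any (msg:"DARKNET UDP to unused address"; classtype:attempted-recon; sid:1000002; rev:1;)
```

Because the destination has no host, every hit on these rules is a probe or a misconfiguration, which is what keeps the false-positive rate close to zero; review the first few days of alerts to find any legitimate broadcast or management traffic that needs to be carved out of UNUSED_NET.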