Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: Rob Thomas <robt () cymru com>
Date: Fri, 8 Mar 2002 10:00:40 -0600 (CST)
Hi, Marcus.

] For that matter, couldn't you _almost_ put something like that together
] using filtering rules in a router? Syslog 'em off the router and process 'em
] on a backend system.

Be a bit cautious here. During a surfeit of these naughty packets, the logging activity on the router may lead to a home-brew DoS. :/ If one attempts to punt the syslog messages, or uses keywords such as "log" or "log-input", the CPU can become overwhelmed quite quickly. How this affects the stability of the router is largely dependent on the router model.

However, there is another, somewhat less dangerous, way. :) If you are running NetFlow on the router, you could export the flows to a remote host. This isn't quite as painful as punting off syslog messages (again, depends on your gear) based on logging ACLs. With NetFlow you will have all of the flow information: source/dest IP, source/dest port, protocol, and number of packets.

This is how I track a lot of naughty packets, without letting them ever penetrate my border. It is sufficient to determine the scan du jour and it can be run in both directions. By watching your outbound flows you can quickly determine which hosts have been compromised by the latest sploit, e.g. "why is my server farm sending out copious UDP 137 packets?"

You do not have to export the flows. I run NetFlow on several routers where exporting the flows just isn't reasonable (for myriad reasons). If, however, I receive a call that there is a rumpus, I can log into the router and run a sh ip cac flo to quickly determine the whats, wheres, and whys. It can be very handy during DoS attacks. See below:

http://www.cymru.com/~robt/Docs/Articles/dos-and-vip.html
http://www.cymru.com/~robt/Docs/Articles/tracking-spoofed.html

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
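The outbound-flow check the post describes ("why is my server farm sending out copious UDP 137 packets?"), run over exported flow records, as an added example that is not part of the original message or of Rob Thomas's tooling; the whitespace-separated record layout, the internal prefix and every address below are constructed assumptions, not real collector output.

```python
# Added example (not from the post): flag internal hosts sending UDP/137
# to many external peers, from exported NetFlow-style records.
import ipaddress
from collections import defaultdict

# Assumption: the prefix that counts as "inside the border".
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed records: src sport dst dport proto packets
FLOWS = """\
192.0.2.10 1025 203.0.113.5 80 6 12
192.0.2.10 1030 198.51.100.9 137 17 3
192.0.2.44 137 198.51.100.1 137 17 850
192.0.2.44 137 198.51.100.2 137 17 790
192.0.2.44 137 198.51.100.3 137 17 810
203.0.113.7 137 192.0.2.44 137 17 2
"""
def parse_flows(text):
    """Parse one flow per line; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        src, sport, dst, dport, proto, pkts = fields
        records.append({"src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "proto": int(proto),
                        "packets": int(pkts)})
    return records

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL)

def outbound_talkers(records, proto=17, dport=137, min_peers=3):
    """Internal src -> (distinct external peers, packets) on proto/dport."""
    peers = defaultdict(set)
    packets = defaultdict(int)
    for r in records:
        if r["proto"] != proto or r["dport"] != dport:
            continue
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue  # only flows leaving the border count
        peers[r["src"]].add(r["dst"])
        packets[r["src"]] += r["packets"]
    return {s: (len(p), packets[s]) for s, p in peers.items()
            if len(p) >= min_peers}

for host, (n, pk) in outbound_talkers(parse_flows(FLOWS)).items():
    print(f"{host}: UDP/137 to {n} external hosts, {pk} packets")
```

The single inbound UDP/137 flow and the one-off outbound probe from 192.0.2.10 are deliberately ignored; only the host fanning out to several external peers is reported.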