Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: James Hoagland <hoagland () SiliconDefense com>
Date: Fri, 8 Mar 2002 08:55:31 -0800
At 10:34 PM -0600 3/7/02, Lance Spitzner wrote:
Most honeypots work on the same concept, a system that has no production activity. You deploy a box that has no production value, any packets going to that box indicate a probe, scan, or attack. This helps reduce both false positives and false negatives. Exampls of such honeypots include BackOfficer Friendly, DTK, ManTrap, Specter, and Honeynets. However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could incidate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system. Of course this does not give you the Data Capture capabilites of a honeypot, as there is no system for the attacker to interact with. However, this could be used to help detect scanning or probing activity. Thoughts?
Hello Lance,This is basically what Spade does. In addition it catches to unused or rarely used ports on valid IPs. Basically how it operates is that it keeps a summary record of packets (by default the dest IP and dest port combo) it has seen. From that it can assign an anomaly score based on the unusualness of a new packet. For more details, you might be interested in reading our "Practical Automated Detection of Stealthy Portscans" paper on Silicon Defense's web site:
http://www.silicondefense.com/research/pubs.htmStuart wrote a pretty good section (IMHO) in this about stealthy portscans, scan footprints, etc. You can also read how we got Spade to be as fast as it is. (Running Snort Spade-only on our local office's server processed a file of 1.25 million SYN packets in a little over a minute. YMMV of course.)
Best regards, Jim -- |* Jim Hoagland, Associate Researcher, Silicon Defense *| |* --- Silicon Defense: IDS Solutions --- *| |* hoagland () SiliconDefense com, http://www.silicondefense.com/ *| |* Voice: (530) 756-7317 Fax: (530) 756-7297 *| _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: VERY simple 'virtual' honeypot, (continued)
- Re: VERY simple 'virtual' honeypot Ian O'Brien (Mar 07)
- Re: VERY simple 'virtual' honeypot Glenn Forbes Fleming Larratt (Mar 07)
- Re: VERY simple 'virtual' honeypot Jim Forster (Mar 07)
- Re: VERY simple 'virtual' honeypot John Kinsella (Mar 07)
- Re: VERY simple 'virtual' honeypot Gideon Lenkey (Mar 08)
- Re: VERY simple 'virtual' honeypot Kerberus (Mar 08)
- RE: VERY simple 'virtual' honeypot Rick Francis (Mar 08)
- Re: VERY simple 'virtual' honeypot Edward Balas (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot James Hoagland (Mar 08)
- Re: VERY simple 'virtual' honeypot George Bakos (Mar 08)
- Re: VERY simple 'virtual' honeypot Martin Roesch (Mar 08)
- Re: VERY simple 'virtual' honeypot Jason Robertson (Mar 09)
- RE: VERY simple 'virtual' honeypot Ofir Arkin (Mar 09)
- Re: VERY simple 'virtual' honeypot Fyodor (Mar 09)
- RE: VERY simple 'virtual' honeypot Dan Hollis (Mar 09)
- RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 09)
- RE: VERY simple 'virtual' honeypot Ofir Arkin (Mar 09)
- RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 09)
- RE: VERY simple 'virtual' honeypot Earthlink (Mar 09)