Snort mailing list archives

Re: VERY simple 'virtual' honeypot

From: James Hoagland <hoagland () SiliconDefense com>
Date: Fri, 8 Mar 2002 08:55:31 -0800

At 10:34 PM -0600 3/7/02, Lance Spitzner wrote:

Most honeypots work on the same concept, a system that has no
production activity.  You deploy a box that has no production
value, any packets going to that box indicate a probe, scan, or
attack.  This helps reduce both false positives and false
negatives.  Exampls of such honeypots include BackOfficer Friendly,
DTK, ManTrap, Specter, and Honeynets.

However, I was just thinking, why bother deploying the box?
Why not create a list of Snort rules that generate an alert
whenever a TCP/SYN packet or UDP packet is sent to an IP
address that has no system?  This could incidate a probe,
scan or attack, the same principles of a honeypot, but
without deploying an actual system.

Of course this does not give you the Data Capture capabilites
of a honeypot, as there is no system for the attacker to
interact with.  However, this could be used to help detect
scanning or probing activity.

Thoughts?


Hello Lance,

This is basically what Spade does. In addition it catches to unusedor rarely used ports on valid IPs. Basically how it operates is thatit keeps a summary record of packets (by default the dest IP and destport combo) it has seen. From that it can assign an anomaly scorebased on the unusualness of a new packet. For more details, youmight be interested in reading our "Practical Automated Detection ofStealthy Portscans" paper on Silicon Defense's web site:


  http://www.silicondefense.com/research/pubs.htm

Stuart wrote a pretty good section (IMHO) in this about stealthyportscans, scan footprints, etc. You can also read how we got Spadeto be as fast as it is. (Running Snort Spade-only on our localoffice's server processed a file of 1.25 million SYN packets in alittle over a minute. YMMV of course.)


Best regards,

  Jim


--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: VERY simple 'virtual' honeypot, (continued)
- Re: VERY simple 'virtual' honeypot Ian O'Brien (Mar 07)
- Re: VERY simple 'virtual' honeypot Glenn Forbes Fleming Larratt (Mar 07)
- Re: VERY simple 'virtual' honeypot Jim Forster (Mar 07)
- Re: VERY simple 'virtual' honeypot John Kinsella (Mar 07)
- Re: VERY simple 'virtual' honeypot Gideon Lenkey (Mar 08)
  - Re: VERY simple 'virtual' honeypot Kerberus (Mar 08)
- RE: VERY simple 'virtual' honeypot Rick Francis (Mar 08)
- Re: VERY simple 'virtual' honeypot Edward Balas (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot James Hoagland (Mar 08)
- Re: VERY simple 'virtual' honeypot George Bakos (Mar 08)
- Re: VERY simple 'virtual' honeypot Martin Roesch (Mar 08)
  - Re: VERY simple 'virtual' honeypot Jason Robertson (Mar 09)
- RE: VERY simple 'virtual' honeypot Ofir Arkin (Mar 09)
  - Re: VERY simple 'virtual' honeypot Fyodor (Mar 09)
  - RE: VERY simple 'virtual' honeypot Dan Hollis (Mar 09)
  - RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 09)
    - RE: VERY simple 'virtual' honeypot Ofir Arkin (Mar 09)
    - RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 09)
    - RE: VERY simple 'virtual' honeypot Earthlink (Mar 09)

(Thread continues...)