Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: Dug Song <dugsong () monkey org>
Date: Fri, 8 Mar 2002 11:48:14 -0500
On Fri, Mar 08, 2002 at 08:19:11AM -0500, Ron Gula wrote:
> Dragon Sensor can use this info to look for traffic to non-existent hosts, and traffic to non-existent services on active hosts. Besides being a good honeypot, it is also an excellent trickle scan detection engine. Scalability is roughly at the DMZ/class-c level.
at Arbor Networks, we've been doing this kind of blackhole monitoring as well, but on an unused, globally-announced class A network:

http://research.arbor.net/up_media/up_files/snapshot_worm_activity.pdf

monitoring an entire /8, you see lots of interesting things, including:

- constant worm infection attempts (see the paper above)
- backscatter from victims of source-spoofed DDoS attacks
- widespread host scans for the vulnerability du jour (FTP, dtspcd, SSH, etc. - you name it, we see it)
- random Internet flotsam and jetsam i have yet to figure out (!)

if there's enough interest, we might release the software we've written to capture, reassemble, and characterize this traffic (tentatively called "MasterBaiter" :-) if our marketing folks don't kill me first...

-d.

---
http://www.monkey.org/~dugsong/
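The following is an added example, not part of the original message and not the Arbor software it mentions: one way to sort packets arriving at an unused prefix into backscatter and host scans, using the fact that dark address space never initiates traffic. The 10.0.0.0/8 stand-in prefix, the record layout, the scan threshold and the sample packets are constructed assumptions; worm probes and manual scans are not told apart here.

```python
import ipaddress
from collections import defaultdict

# Assumption: 10.0.0.0/8 stands in for the unused, monitored prefix.
DARKNET = ipaddress.ip_network("10.0.0.0/8")
SCAN_MIN_TARGETS = 3  # hypothetical threshold: distinct dark hosts probed on one port

# Constructed sample records: (src, dst, proto, dst_port, TCP flags or ICMP type)
PACKETS = [
    ("192.0.2.10", "10.1.1.1", "tcp", 21, "S"),
    ("192.0.2.10", "10.1.1.2", "tcp", 21, "S"),
    ("192.0.2.10", "10.1.1.3", "tcp", 21, "S"),
    ("198.51.100.7", "10.9.8.7", "tcp", 40312, "SA"),  # reply to a SYN we never sent
    ("198.51.100.7", "10.200.3.4", "tcp", 1025, "R"),
    ("203.0.113.5", "10.4.4.4", "icmp", None, "3"),    # destination unreachable
    ("203.0.113.9", "10.5.5.5", "udp", 137, ""),
    ("192.0.2.10", "172.16.0.1", "tcp", 21, "S"),      # outside the dark prefix
]

def is_backscatter(proto, info):
    """True for response-type packets; dark space sent nothing, so these
    are replies from a victim to spoofed source addresses."""
    if proto == "tcp":
        return info in ("SA", "R", "RA")
    if proto == "icmp":
        return info in ("0", "3", "11")  # echo reply, unreachable, time exceeded
    return False

def classify(packets, darknet=DARKNET):
    backscatter = defaultdict(int)  # victim address -> response packets seen
    probes = defaultdict(set)       # (src, proto, port) -> dark hosts touched
    for src, dst, proto, port, info in packets:
        if ipaddress.ip_address(dst) not in darknet:
            continue  # only traffic aimed at unused space is of interest
        if is_backscatter(proto, info):
            backscatter[src] += 1
        else:
            probes[(src, proto, port)].add(dst)
    scans = {k: len(v) for k, v in probes.items() if len(v) >= SCAN_MIN_TARGETS}
    other = {k: len(v) for k, v in probes.items() if len(v) < SCAN_MIN_TARGETS}
    return dict(backscatter), scans, other

if __name__ == "__main__":
    bs, scans, other = classify(PACKETS)
    print("backscatter victims:", bs)
    print("host scans:", scans)
    print("unclassified:", other)
```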