Snort mailing list archives
RE: VERY simple 'virtual' honeypot
From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Fri, 8 Mar 2002 11:09:08 -0600
Ah. Here's a Snort performance warning. It turns out that using the [x.x.x.x/24,y.y.y.y/24] notation in snort is a real performance hog. I ran a test where I used tcpdump to capture 20 minutes of our production traffic and then had snort read in that file. When I used the [...] construct, it took 113 minutes to process all 11,999,547 packets, but when I broke out each net as follows:

var HOME_NET 1.1.1.1/24
var EXTERNAL !$HOME_NET
include rules.conf
var HOME_NET 2.2.2.2/24
var EXTERNAL !$HOME_NET
include rules.conf
...
var HOME_NET x.x.x.x/24

it only took 32 minutes. Basically, it took less time to process 7797 rules in 1029 chain headers than it did to process 887 rules in 805 chain headers.

Jon

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Friday, March 08, 2002 10:37 AM
To: Lance Spitzner
Cc: Snort-Users (E-mail); honeypots () securityfocus com
Subject: Re: [Snort-users] VERY simple 'virtual' honeypot

On Thu, 2002-03-07 at 22:34, Lance Spitzner wrote:
> However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could indicate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system.
Not really a long list. Here is what I use:

block tcp any any -> $UNUSED any (msg:"TCP Port Scan";)
block udp any any -> $UNUSED any (msg:"UDP Port Scan";)
block icmp any any -> $UNUSED any (msg:"ICMP Scan";)

$UNUSED includes all unused IP addresses, defined in snort.conf with [x.x.x.a,x.x.x.b,x.x.x.c] etc.

Regards,
Frank
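The two configuration ideas in this message, Jon's per-subnet HOME_NET layout and Frank's $UNUSED address list for the virtual honeypot, are both mechanical to produce by hand and easy to get wrong as address space changes. The generator below is an added example written for this page; it is not code from the thread or from the Snort project. The networks, the in-use host list and the sid values are constructed here, the rules are emitted with the standard alert action (Frank's post uses block, which is his own action type), and the flags:S option on the TCP rule is a design choice taken from Lance's "TCP/SYN packet" wording rather than from Frank's rules. Dark addresses are collapsed into CIDR blocks, which Snort's bracketed lists accept, so a /24 with a handful of live hosts becomes a short list instead of ~250 entries.

```python
"""Generate snort.conf fragments for the per-subnet HOME_NET layout and
the $UNUSED 'virtual honeypot' address list discussed in the thread.

Added example, not code from the original thread. All sample data below
is constructed for illustration.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample data (not taken from the thread).
HOME_NETS = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
IN_USE = {"10.1.1.1", "10.1.1.10", "10.1.1.20", "10.1.2.1", "10.1.2.5"}


def unused_addresses(network: str, in_use: Iterable[str]) -> List[str]:
    """Host addresses in `network` that have no system on them.

    The network and broadcast addresses are deliberately left out so that
    ordinary directed-broadcast traffic does not trip the honeypot rules.
    """
    net = ipaddress.ip_network(network, strict=True)
    used = {ipaddress.ip_address(a) for a in in_use}
    return [str(h) for h in net.hosts() if h not in used]


def collapse_to_cidrs(addresses: Iterable[str]) -> List[str]:
    """Merge runs of consecutive addresses into the fewest CIDR blocks.

    A /32 is rendered as the bare address, matching Frank's notation;
    everything else is rendered as a.b.c.d/len.
    """
    nets = [ipaddress.ip_network(a) for a in addresses]  # each is a /32
    out = []
    for n in ipaddress.collapse_addresses(nets):
        out.append(str(n.network_address) if n.prefixlen == 32 else str(n))
    return out


def snort_list(entries: Iterable[str]) -> str:
    """Render Snort's [a,b,c] IP-list notation (no spaces inside)."""
    return "[" + ",".join(entries) + "]"


def unused_var(networks: Iterable[str], in_use: Iterable[str],
               name: str = "UNUSED") -> str:
    """One 'var UNUSED [...]' line covering every dark address in all nets."""
    entries: List[str] = []
    for net in networks:
        entries += collapse_to_cidrs(unused_addresses(net, in_use))
    return f"var {name} {snort_list(entries)}"


def honeypot_rules(var: str = "UNUSED", base_sid: int = 1000001) -> str:
    """Frank's three rules, written with the standard 'alert' action.

    flags:S limits the TCP rule to connection attempts (Lance's 'TCP/SYN
    packet'); the sid values are made up for this example.
    """
    return "\n".join([
        f'alert tcp any any -> ${var} any (msg:"TCP probe of unused address"; flags:S; sid:{base_sid};)',
        f'alert udp any any -> ${var} any (msg:"UDP probe of unused address"; sid:{base_sid + 1};)',
        f'alert icmp any any -> ${var} any (msg:"ICMP probe of unused address"; sid:{base_sid + 2};)',
    ])


def per_net_config(networks: Iterable[str], rules_file: str = "rules.conf") -> str:
    """Jon's layout: redefine HOME_NET/EXTERNAL and re-include the rule
    file once per subnet instead of using one bracketed HOME_NET list.

    Snort expands variables as each include is read, so every include
    yields a separate copy of the rules bound to that single subnet.
    """
    lines: List[str] = []
    for net in networks:
        lines += [f"var HOME_NET {net}",
                  "var EXTERNAL !$HOME_NET",
                  f"include {rules_file}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(per_net_config(HOME_NETS))
    print()
    print(unused_var(HOME_NETS, IN_USE))
    print(honeypot_rules())
```

Run it and paste the output into snort.conf; rerun whenever a host is added, since a newly deployed system that is still listed in $UNUSED will alert on every legitimate connection it receives.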