Snort mailing list archives

RE: VERY simple 'virtual' honeypot


From: Michael Clark <mike () honeynet org>
Date: Fri, 8 Mar 2002 13:10:02 -0600 (CST)

This leads me to an idea I had a bit ago.  How to capture everything even
when you do not have something listening on the port.  You could run
netcat, but you can only really listen on so many ports.  So you could
modify Hogwash (or another gateway device) to pick up RSTs coming from
your internal network and craft ACK packets and such.  You can then do
some crude NAT to direct all the packets to some other machine/port that
has a listener.  So this way if you get a TCP connection on 12348 and it's
not open on the honeypot, you can fool the connection into thinking it is
and maybe get some data.

Now this is all just ideas and might not even be possible :)

Mike
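
The "NAT everything to one listener" half of the idea above, as an added example that is not part of the original post and not Hogwash code: a catch-all listener that logs which port each client actually dialled and the first bytes it sent. It assumes a Linux gateway that redirects all inbound TCP to one port (for instance with an iptables nat REDIRECT rule) rather than crafting replies to RSTs; the port 9999 and all function names are hypothetical.

```python
import json
import socket
import struct
import time

SO_ORIGINAL_DST = 80  # Linux netfilter option from <linux/netfilter_ipv4.h>
LISTEN_PORT = 9999    # hypothetical port that the NAT rule redirects to


def parse_sockaddr_in(raw):
    """Decode the struct sockaddr_in that SO_ORIGINAL_DST returns."""
    (port,) = struct.unpack_from("!H", raw, 2)   # sin_port, network order
    return socket.inet_ntoa(raw[4:8]), port      # sin_addr, sin_port


def original_dst(conn):
    """Destination the client really dialled, before the NAT rewrite."""
    try:
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
        return parse_sockaddr_in(raw)
    except OSError:
        # No conntrack entry (connection was not redirected): use local address.
        return conn.getsockname()[:2]


def capture(conn, peer, max_bytes=4096, timeout=5.0):
    """Read the client's first bytes and return one log record."""
    conn.settimeout(timeout)
    try:
        data = conn.recv(max_bytes)
    except OSError:          # includes socket.timeout: client sent nothing
        data = b""
    dst_ip, dst_port = original_dst(conn)
    return {"ts": time.time(), "src": "%s:%d" % peer[:2],
            "dst": "%s:%d" % (dst_ip, dst_port),
            "dst_port": dst_port, "payload_hex": data.hex()}


def serve(port=LISTEN_PORT):
    """Accept redirected connections one at a time and log them as JSON."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            conn, peer = srv.accept()
            with conn:
                print(json.dumps(capture(conn, peer)), flush=True)


if __name__ == "__main__":
    serve()
```

Because the kernel completes the handshake for the redirected port, a connection to 12348 looks open to the client even though nothing on the honeypot listens there, and the record still shows 12348 as the dialled port.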

