Snort mailing list archives
Basic honeypot setup with Snort
From: J Doe <general () nativemethods com>
Date: Fri, 19 May 2017 16:41:50 -0400
Hi,

I currently have a host that I would like to turn into a honeypot. As a basic first step, I'd like to capture the initial packet of an SMB request (port 445). As it stands right now, my firewall blocks that port and the honeypot is neither Windows nor *nix with Samba running.

I am aware that I need to open port 445 so the three-way handshake can take place, and then the attacking machine will send the first SMB packet, which can then be analyzed by Snort, but I'm wondering what software I can run to simply allow the first packet to be received. I don't want to run Samba, as I don't actually want to receive random files, and I don't currently have the time to code a listening service that leverages the Samba library.

What do other security practitioners do to make the port available for an initial packet? Is it customary to run something like netcat on that port? If so, can anyone recommend best practices for hardening the configuration of that software (i.e., run netcat in a Docker container, etc.)?

For reference, the honeypot will use Ubuntu 16.04 LTS, firewall via iptables and Snort version 2.9.9.0.

Thanks for your help,
- J
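An added example of the kind of listener the question asks about; it is not code from this thread, from the Snort project or from any existing honeypot tool. It is a passive "sink" for TCP/445 in Python: it completes the three-way handshake, reads the client's first message, decodes just enough of the NetBIOS session header and the SMB1/SMB2 header behind it to write a useful log line, and then closes the connection without ever sending a byte back. The two sample requests, the command-name tables, the 4096-byte read limit and the 10-second timeout are assumptions made for this example.

```python
"""Passive port-445 sink for a honeypot (added example, not from the original post).

Completes the TCP handshake, reads the first client message, logs what it was,
and closes. Nothing is ever written to the peer, so no SMB session, share or
file transfer can be established. Bind to 445 requires root or
CAP_NET_BIND_SERVICE; port 0 is used below for an offline loopback check.
"""
import json
import socket
import struct
import threading
from datetime import datetime, timezone

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
# Small, hand-picked command tables (assumed subset, enough for a first log line).
SMB1_COMMANDS = {0x72: "SMB_COM_NEGOTIATE", 0x73: "SMB_COM_SESSION_SETUP_ANDX",
                 0x75: "SMB_COM_TREE_CONNECT_ANDX", 0x25: "SMB_COM_TRANSACTION"}
SMB2_COMMANDS = {0: "NEGOTIATE", 1: "SESSION_SETUP", 3: "TREE_CONNECT",
                 5: "CREATE", 8: "READ", 9: "WRITE"}


def parse_first_message(data: bytes) -> dict:
    """Decode a NetBIOS session header plus the SMB1/SMB2 header that follows it.

    Attackers send arbitrary bytes, so every field is bounds-checked and anything
    unrecognised is reported as 'unknown' instead of raising.
    """
    rec = {"bytes": len(data), "protocol": "unknown", "command": None,
           "dialects": [], "preview": data[:16].hex()}
    if len(data) < 4 or data[0] != 0x00:            # 0x00 = NetBIOS session message
        return rec
    rec["netbios_length"] = int.from_bytes(data[1:4], "big")
    body = data[4:]
    if body[:4] == SMB2_MAGIC and len(body) >= 64:   # fixed 64-byte SMB2 header
        rec["protocol"] = "SMB2"
        code = struct.unpack_from("<H", body, 12)[0]  # Command field
        rec["command"] = SMB2_COMMANDS.get(code, "0x%04x" % code)
        if code == 0 and len(body) >= 100:            # NEGOTIATE: 36-byte body, then dialects
            count = struct.unpack_from("<H", body, 66)[0]   # DialectCount
            for i in range(count):
                if 100 + 2 * i + 2 > len(body):
                    break                             # truncated dialect list
                rec["dialects"].append("0x%04x" % struct.unpack_from("<H", body, 100 + 2 * i)[0])
    elif body[:4] == SMB1_MAGIC and len(body) >= 33:  # 32-byte SMB1 header + WordCount
        rec["protocol"] = "SMB1"
        code = body[4]
        rec["command"] = SMB1_COMMANDS.get(code, "0x%02x" % code)
        if code == 0x72:                              # NEGOTIATE: 0x02 + NUL-terminated dialect names
            bc_off = 33 + 2 * body[32]                # skip parameter words to ByteCount
            if len(body) >= bc_off + 2:
                bc = struct.unpack_from("<H", body, bc_off)[0]
                blob = body[bc_off + 2: bc_off + 2 + bc]
                rec["dialects"] = [d[1:].decode("ascii", "replace")
                                   for d in blob.split(b"\x00") if d.startswith(b"\x02")]
    return rec


def open_sink(bind: str = "0.0.0.0", port: int = 445) -> socket.socket:
    """Bind and listen; port 0 lets the kernel choose (used for the loopback check)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    return srv


def handle(conn: socket.socket, peer, read_timeout: float = 10.0, max_bytes: int = 4096) -> dict:
    """Read one message, close, return the log record. Never writes to the peer."""
    conn.settimeout(read_timeout)
    try:
        data = conn.recv(max_bytes)
    except (socket.timeout, OSError):
        data = b""                                    # handshake only, no payload
    finally:
        conn.close()
    rec = parse_first_message(data)
    rec.update(src=peer[0], sport=peer[1],
               ts=datetime.now(timezone.utc).isoformat(timespec="seconds"))
    return rec


def accept_one(srv: socket.socket, **kw) -> dict:
    conn, peer = srv.accept()
    return handle(conn, peer, **kw)


def log_one(conn, peer):
    print(json.dumps(handle(conn, peer)), flush=True)  # one JSON line per connection


def serve(bind: str = "0.0.0.0", port: int = 445):
    srv = open_sink(bind, port)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=log_one, args=(conn, peer), daemon=True).start()


def sample_smb2_negotiate() -> bytes:
    """Constructed SMB2 NEGOTIATE request (dialects 2.0.2, 2.1, 3.1.1), NetBIOS-framed."""
    hdr = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHHI16sQ", 36, 3, 1, 0, 0, b"\x11" * 16, 0) + struct.pack("<HHH", 0x0202, 0x0210, 0x0311)
    return b"\x00" + len(hdr + body).to_bytes(3, "big") + hdr + body


def sample_smb1_negotiate() -> bytes:
    """Constructed SMB1 SMB_COM_NEGOTIATE request, NetBIOS-framed."""
    dialects = b"\x02NT LM 0.12\x00\x02SMB 2.002\x00"
    body = SMB1_MAGIC + bytes([0x72]) + b"\0" * 27 + b"\x00" + struct.pack("<H", len(dialects)) + dialects
    return b"\x00" + len(body).to_bytes(3, "big") + body


def demo_loopback(payload: bytes) -> dict:
    """Offline check: run the sink on 127.0.0.1 against a constructed client."""
    srv = open_sink("127.0.0.1", 0)
    port = srv.getsockname()[1]

    def client():
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
                c.sendall(payload)
                c.recv(1)                             # returns b"": the sink closed without replying
        except OSError:
            pass

    t = threading.Thread(target=client, daemon=True)
    t.start()
    try:
        return accept_one(srv, read_timeout=5)
    finally:
        t.join(5)
        srv.close()


if __name__ == "__main__":
    serve()                                           # e.g. sudo python3 smb_sink.py
```

Usage and caveats: open the port first (for instance `iptables -I INPUT -p tcp --dport 445 -j ACCEPT` on the honeypot), then start the sink and watch Snort on the same interface; a rule of the form `alert tcp any any -> $HOME_NET 445 (msg:"SMB2 negotiate to honeypot"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; sid:1000001; rev:1;)` will fire on the first SMB2 message once the handshake completes (the rule is an illustration, not one shipped with Snort). Because the process never writes to the socket, there is no SMB protocol state for a client to drive, which is the property a plain `nc -l` does not give you once stdin is attached or the listener is looped; it is still an Internet-facing process, so drop privileges or grant only `CAP_NET_BIND_SERVICE`, and run it in a container or as a dedicated user with no access to the Snort host's data.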