Re: attack redirection

[Daniel Cid <daniel () logictree com>]

You can use SNORT+Guardian to redirect the traffic to your honeypot.
You only need to add in the "guardian_block" script a rule to
redirect the traffic (using iptables, ipf, pf , whatever)

[]`s

Daniel B. Cid
daniel () underlinux com br

On Sat, 2003-05-17 at 13:36, Andy Cuff [talisker] wrote:
> Hi Andrew
> What I suspect you are looking for is "bait n switch" check out
> http://violating.us/projects/baitnswitch/
> <snip>
> The Bait and Switch Honeypot is a multifaceted attempt to take honeypots out
> of the shadows of the network security model and to make them an active
> participant in system defense. To do this, we are creating a system that
> reacts to hostile intrusion attempts by redirecting all hostile traffic to a
> honeypot that is partially mirroring your production system.  Once switched,
> the would-be hacker is unknowingly attacking your honeypot instead of the
> real data and your clients and/or users still safely accessing the real
> system. Life goes on, your data is safe, and you are learning about the bad
> guy as an added benefit. The system is based on snort, linux's iproute2,
> netfilter, and custom code for now. We plan on adding additional support in
> the future if possible.
> </snip>
> Lance Spitzner got quite excited about this at CanSecWest, but then again I
> have never seen Lance (The HoneyAmbassador) not excited ;o)  Sadly his
> presentation isn't up on the CanSecWest resources for download yet.
>
> My main concern about this technology is an increase in latency after the
> traffic is switched, not so much of a problem where the honeypot is local
> but potentially noticeable where a managed service honeypot is being used.
>
> hope this helps
> take care
> -andy
>
> Taliskers Network Security Tools
> http://www.networkintrusion.co.uk
> ----- Original Message ----- 
> From: "Andrew Elmore" <andrew.elmore () cyber-south com>
> To: <security-basics () securityfocus com>
> Sent: Friday, May 16, 2003 3:38 PM
> Subject: attack redirection
>
>
> Hey guys,
>        I'm looking for some program to redirect an attack on my web server
> to a honeypot. Maybe triggered by number of hits in a given time or by
> certain requests. Does such a thing exist? Where can I get it? Or would I
> have to write some kind of script?
> Thanks for your help.
>
> Andy
>
>
> ---------------------------------------------------------------------------
> Thinking About Security Training? You Can't Afford Not To!
>
> Vigilar's industry leading curriculum includes:  Security +, Check Point,
> Hacking & Assessment, Cisco Security, Wireless Security & more! Register
> Now!
> --UP TO 30% off classes in select cities-- 
> http://www.securityfocus.com/Vigilar-security-basics
> ----------------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------------
> Thinking About Security Training? You Can't Afford Not To!
>
> Vigilar's industry leading curriculum includes:  Security +, Check Point, 
> Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
> --UP TO 30% off classes in select cities-- 
> http://www.securityfocus.com/Vigilar-security-basics
> ----------------------------------------------------------------------------



---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check Point, 
Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
--UP TO 30% off classes in select cities-- 
http://www.securityfocus.com/Vigilar-security-basics
----------------------------------------------------------------------------