Honeypots mailing list archives

RE: Honeynet using a Netscreen?


From: "Dell, Jeffrey" <JDell () seisint com>
Date: Tue, 17 Dec 2002 18:55:07 -0500

In version 4.01r1 of the Netscreen firmware there are some new features that
are nice for honeynets.

1. Source-Based Session Limiting - limit the number of sessions from any one
server. Ex: you can set it so a server can only initiate 1 session per
second.
2. Destination-Based Session Limiting - limit the number of outbound
sessions per second.
3. Alert but don't drop rule - This is good to be notified of an attack, but
still let it through.
4. It also has a slew of other filtering options for inbound or outbound
traffic.

You also might want to check out SnortSam at http://www.snortsam.net/; it
works with Netscreen firewalls as well. SnortSam automates the blocking of
IP addresses based on Snort rules.

Enjoy!
Jeff

-----Original Message-----
From: Compton, Rich [mailto:RCompton () chartercom com] 
Sent: Monday, December 16, 2002 10:44 AM
To: honeypots () securityfocus com
Subject: Honeynet using a Netscreen?


Has anyone ever created a honeynet using a Netscreen firewall? I'd like to
be able to limit the number of sessions from the honeypot out to the internet and I
was wondering if someone has come up with such a config. I know that the
throughput can be limited using a Netscreen but I haven't ever seen a config
that will prevent access after a few sessions.

Thanks in advance,
Richard Compton
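To make the three egress controls discussed in this thread concrete (per-source session limiting, aggregate outbound session limiting, and an alert-but-don't-drop mode), here is a small simulation of such a policy run over a constructed list of honeypot connection attempts. This is added example code, not a Netscreen configuration and not anything from the original posts; the policy names, the one-second sliding window and the sample addresses are assumptions chosen for illustration.

```python
"""Simulated honeynet egress session limiter (constructed example).

Models three controls of the kind discussed on the list:
  - per-source limit: at most N new sessions per second from one honeypot
  - aggregate outbound limit: at most M new outbound sessions per second overall
  - alert-only mode: log the violation but still let the session through
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 1.0  # assumed: limits are evaluated over a 1-second sliding window


@dataclass
class LimitPolicy:
    per_source_per_sec: int = 1   # like "source-based session limiting"
    outbound_per_sec: int = 5     # like "destination-based session limiting"
    alert_only: bool = False      # like "alert but don't drop"


@dataclass
class Decision:
    ts: float
    src: str
    dst: str
    action: str   # "allow", "drop" or "alert"
    reason: str


class SessionLimiter:
    def __init__(self, policy: LimitPolicy):
        self.policy = policy
        self._per_source = defaultdict(deque)  # src -> timestamps of sessions that passed
        self._outbound = deque()               # timestamps of all sessions that passed
        self.alerts = []                       # violations, whether dropped or not

    @staticmethod
    def _trim(window: deque, now: float) -> None:
        # Drop timestamps that have aged out of the sliding window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()

    def new_session(self, ts: float, src: str, dst: str) -> Decision:
        src_window = self._per_source[src]
        self._trim(src_window, ts)
        self._trim(self._outbound, ts)

        reason = None
        if len(src_window) >= self.policy.per_source_per_sec:
            reason = f"source {src} exceeded {self.policy.per_source_per_sec} session(s)/s"
        elif len(self._outbound) >= self.policy.outbound_per_sec:
            reason = f"outbound total exceeded {self.policy.outbound_per_sec} session(s)/s"

        if reason is None:
            src_window.append(ts)
            self._outbound.append(ts)
            return Decision(ts, src, dst, "allow", "within limits")

        self.alerts.append((ts, src, dst, reason))
        if self.policy.alert_only:
            # The session still passes, so it counts toward the window like any other.
            src_window.append(ts)
            self._outbound.append(ts)
            return Decision(ts, src, dst, "alert", reason)
        return Decision(ts, src, dst, "drop", reason)


def run_policy(events, policy: LimitPolicy):
    """Apply the policy to (timestamp, src, dst) tuples; return the decisions."""
    limiter = SessionLimiter(policy)
    return [limiter.new_session(ts, src, dst) for ts, src, dst in events]


def summarize(decisions):
    """Count decisions by action, e.g. {'allow': 3, 'drop': 1}."""
    counts = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


# Constructed sample: one honeypot bursts outbound, a second one behaves normally.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "198.51.100.7"),
    (0.2, "10.0.0.5", "198.51.100.8"),   # second session from the same host within 1 s
    (0.5, "10.0.0.6", "198.51.100.9"),   # different honeypot, still within its own limit
    (1.1, "10.0.0.5", "198.51.100.7"),   # first host's window has expired
]

if __name__ == "__main__":
    for d in run_policy(SAMPLE_EVENTS, LimitPolicy(per_source_per_sec=1)):
        print(f"{d.ts:4.1f} {d.src} -> {d.dst}: {d.action:5s} ({d.reason})")
```

Running the block prints one line per connection attempt; with the default per-source limit of one session per second the second attempt from 10.0.0.5 is dropped while the others pass. Switching `alert_only=True` keeps the same detections but records them instead of blocking, which is the mode to use while tuning thresholds so that legitimate honeypot activity is not silently cut off.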

