Honeypots mailing list archives

RE: About Data Control


From: mike () honeynet org
Date: Fri, 17 Jan 2003 14:39:45 -0500 (EST)

Not only can snort inline be used for that, but it is also used to make it
more difficult to compromise other hosts from the honeynet.  If an
attacker launches an attack from the honeynet, snort inline will try to
drop or modify the packet.  This way we can increase the number of
connections we allow out, since them getting an exploit out is less
likely.

Mike Clark

On Fri, 17 Jan 2003, Gonzalez, Albert wrote:

Well,

      My honeypot is currently inside of my internal network.
I have it on its own internal private subnet separated from
all my other machines. I have my gateway limit X connections
per X minutes/seconds outbound from my honeypot. Thus if my
machine does get breached while I'm not watching (which usually
happens) the attacker can't do much with the limitations I impose.
(I've even had them to the point of rm'ing my machine :( ).
The Honeynet Project (correct me if I'm wrong) is trying to use
snort-inline to block the "stupid" attacks (i.e., CodeRed, IIS Unicode, etc.)
and other well known attacks to see if they can get something new.
Which is a great idea. HTH.

Cheers!
   Alberto Gonzalez.
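
The outbound connection limit described in the thread, modelled as an added example that is not part of the original posts or of any Honeynet Project code. The 3-per-60-seconds budget, the subnet and the connection records are constructed assumptions (the post only says "X connections per X minutes/seconds"), and snort-inline's packet inspection is not modelled.

```python
import ipaddress
from collections import deque

# Constructed sample: new connections seen at the gateway as
# (seconds, source, destination, destination port). Documentation addresses only.
HONEYPOT_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed honeypot subnet
EVENTS = [
    (0,  "192.168.50.10", "203.0.113.5",  80),
    (5,  "192.168.50.10", "203.0.113.6",  80),
    (7,  "192.168.1.20",  "203.0.113.9",  443),  # not the honeypot: not counted
    (10, "192.168.50.10", "203.0.113.7",  80),
    (12, "192.168.50.10", "198.51.100.8", 21),
    (15, "192.168.50.10", "198.51.100.9", 21),
    (61, "192.168.50.10", "203.0.113.5",  80),
    (62, "192.168.50.10", "203.0.113.6",  80),
    (66, "192.168.50.10", "203.0.113.7",  80),
]


class OutboundLimiter:
    """Sliding-window cap on new outbound connections from the honeypot."""

    def __init__(self, max_conns, window_secs):
        self.max_conns = max_conns
        self.window_secs = window_secs
        self.allowed = deque()  # timestamps of connections that were let out

    def decide(self, ts):
        # Forget allowed connections that have aged out of the window.
        while self.allowed and ts - self.allowed[0] >= self.window_secs:
            self.allowed.popleft()
        if len(self.allowed) < self.max_conns:
            self.allowed.append(ts)
            return "ACCEPT"
        return "DROP"  # budget spent: drop, and treat it as an alert condition


def replay(events, honeypot_net, limiter):
    """Return (ts, dst, dport, decision) for each honeypot-sourced connection."""
    results = []
    for ts, src, dst, dport in events:
        if ipaddress.ip_address(src) in honeypot_net:
            results.append((ts, dst, dport, limiter.decide(ts)))
    return results


if __name__ == "__main__":
    for row in replay(EVENTS, HONEYPOT_NET, OutboundLimiter(3, 60)):
        print(row)
```

Only connections that were let out count against the budget here; counting dropped attempts as well would be a stricter variant.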


