Honeypots mailing list archives

RE: Inoculation Scripts


From: "Joshua Berry" <jberry () PENSON COM>
Date: Wed, 21 Jul 2004 13:31:15 -0500

I use Snort with Flexresp and Snort Inline, I am just playing around
with this for now.  While Snort-Inline or Flexresp can keep resetting or
blocking connections, this solution actually removes the worm and cleans
up the system.  The reality is that large networks have an incredibly
difficult time patching systems effectively and I am just playing around
with this in a test network to see how well it works.

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Wednesday, July 21, 2004 1:29 PM
To: Joshua Berry
Cc: honeypots () securityfocus com
Subject: Re: Inoculation Scripts 

On Wed, 21 Jul 2004 09:56:07 CDT, Joshua Berry <jberry () PENSON COM>
said:
Is anyone aware of any projects to develop updated inoculation scripts
for honeyd to mitigate the latest worms like the blaster one found on:
http://www.citi.umich.edu/u/provos/honeyd/msblast.html

Ouch. :)

An elegant solution, but not one I'd run on my networks.  The problem is that it's only useful in one specific scenario:

The person running the honeypot *has* the authority to update the machine in question, but does *not* have a way to actually make people get their machines up-to-date.

You'd be on *much* firmer ground if the script didn't actually touch the machine on detecting a problem, but instead did the appropriate SNMP magic to the network switch to disable that machine's port...

You probably want to wander over to www.snort.org instead - there's this
in the FAQ:

---
5.7 What is the best way to use snort to block attack traffic?

snort-inline > hogwash >> SnortSAM|Guardian >> flexresp
---

There's no need for a honeypot - this is more a traditional IDS/IPS function...
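As an added illustration (not code from this thread or from honeyd/Snort), here is the lookup logic behind the SNMP port-shutdown alternative above: resolving a flagged host's MAC to a switch ifIndex through BRIDGE-MIB and building the IF-MIB ifAdminStatus SET that would disable that port, with a guard against shutting an uplink. The walk results, MAC addresses, switch address and community string are constructed sample data; actually sending the SET is left to Net-SNMP's snmpset.

```python
# Added example: quarantine a detected host at the switch instead of touching the host.
# The SNMP walk snapshots below are constructed sample data, not from a real switch.
from typing import Optional

DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"       # BRIDGE-MIB: MAC -> bridge port
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # BRIDGE-MIB: bridge port -> ifIndex
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"             # IF-MIB: ifAdminStatus, up(1)/down(2)


def mac_to_oid_suffix(mac: str) -> str:
    """dot1dTpFdbPort is indexed by the MAC written as six decimal octets."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"malformed MAC address: {mac}")
    return ".".join(str(int(o, 16)) for o in octets)


# Constructed snapshot of two walks: port 7 has two MACs behind it (looks like an uplink).
FDB_WALK = {
    f"{DOT1D_TP_FDB_PORT}.{mac_to_oid_suffix('00:0c:29:4a:1b:2c')}": 3,
    f"{DOT1D_TP_FDB_PORT}.{mac_to_oid_suffix('00:50:56:aa:bb:cc')}": 7,
    f"{DOT1D_TP_FDB_PORT}.{mac_to_oid_suffix('00:50:56:dd:ee:ff')}": 7,
}
BASEPORT_WALK = {f"{DOT1D_BASE_PORT_IFINDEX}.3": 10003,
                 f"{DOT1D_BASE_PORT_IFINDEX}.7": 10007}


def find_ifindex(mac: str, fdb_walk: dict, baseport_walk: dict) -> Optional[int]:
    """Return the ifIndex of the access port where `mac` is learned, or None if it
    is unknown or the port carries other MACs too (refuse to shut a shared port)."""
    bridge_port = fdb_walk.get(f"{DOT1D_TP_FDB_PORT}.{mac_to_oid_suffix(mac)}")
    if bridge_port is None:
        return None  # not learned on this switch: never guess a port
    if sum(1 for p in fdb_walk.values() if p == bridge_port) > 1:
        return None  # several hosts behind it: probably an uplink, leave it alone
    return baseport_walk.get(f"{DOT1D_BASE_PORT_IFINDEX}.{bridge_port}")


def quarantine_varbind(ifindex: int) -> tuple:
    """Varbind for the SET that disables the port: ifAdminStatus.<ifIndex> = down(2)."""
    return (f"{IF_ADMIN_STATUS}.{ifindex}", "i", 2)


def snmpset_command(switch: str, community: str, ifindex: int) -> str:
    """Equivalent Net-SNMP command line an operator would run (values are placeholders)."""
    oid, asn_type, value = quarantine_varbind(ifindex)
    return f"snmpset -v2c -c {community} {switch} {oid} {asn_type} {value}"


if __name__ == "__main__":
    idx = find_ifindex("00:0c:29:4a:1b:2c", FDB_WALK, BASEPORT_WALK)
    print(snmpset_command("192.0.2.1", "private", idx) if idx else "no safe port found")
```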
