Honeypots mailing list archives
RE: Inoculation Scripts
From: "Joshua Berry" <jberry () PENSON COM>
Date: Wed, 21 Jul 2004 13:31:15 -0500
I use Snort with Flexresp and Snort Inline; I am just playing around with this for now. While Snort-Inline or Flexresp can keep resetting or blocking connections, this solution actually removes the worm and cleans up the system. The reality is that large networks have an incredibly difficult time patching systems effectively, and I am just playing around with this in a test network to see how well it works.

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Wednesday, July 21, 2004 1:29 PM
To: Joshua Berry
Cc: honeypots () securityfocus com
Subject: Re: Inoculation Scripts

On Wed, 21 Jul 2004 09:56:07 CDT, Joshua Berry <jberry () PENSON COM> said:

> Is anyone aware of any projects to develop updated inoculation scripts for honeyd to mitigate the latest worms like the blaster one found on: http://www.citi.umich.edu/u/provos/honeyd/msblast.html

Ouch. :) An elegant solution, but not one I'd run on my networks. The problem is that it's only useful in one specific scenario: the person running the honeypot *has* the authority to update the machine in question, but does *not* have a way to actually make people get their machines up-to-date.

You'd be on *much* firmer ground if the script didn't actually touch the machine on detecting a problem, but instead did the appropriate SNMP magic to the network switch to disable that machine's port...

You probably want to wander over to www.snort.org instead - there's this in the FAQ:

---
5.7 What is the best way to use snort to block attack traffic?

snort-inline > hogwash >> SnortSAM|Guardian >> flexresp
---

There's no need for a honeypot - this is more a traditional IDS/IPS function...
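The "appropriate SNMP magic to the network switch" that Valdis prefers over touching the infected host is, concretely, an SNMP SET of IF-MIB::ifAdminStatus.<ifIndex> to down(2) on the port the host hangs off. The block below is an added example written for this archive page, not code from either poster or from honeyd or Snort. It hand-encodes the SNMPv2c SET request with a minimal BER encoder so the exact wire bytes can be inspected offline, and only sends them if you uncomment the call. The switch address 192.0.2.1, the write community "private" and ifIndex 3 are assumed placeholder values.

```python
"""Build (and optionally send) an SNMPv2c SET that flips IF-MIB::ifAdminStatus
on a single switch port, i.e. the quarantine action discussed in the thread.
Hand-rolled BER, so it runs offline and the resulting bytes can be checked."""
import socket

# IF-MIB::ifAdminStatus is 1.3.6.1.2.1.2.2.1.7; the row index is the ifIndex.
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"
UP, DOWN = 1, 2     # ifAdminStatus enumeration values from IF-MIB
SNMP_V2C = 1        # SNMP message version field for v2c


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|nbytes, then value) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    """INTEGER, minimal two's complement (only non-negative values are needed here)."""
    if v < 0:
        raise ValueError("negative INTEGER not supported in this example")
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:           # pad so the sign bit stays clear
        body = b"\x00" + body
    return tlv(0x02, body)


def ber_octets(s: bytes) -> bytes:
    return tlv(0x04, s)


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def ber_seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def set_if_admin_status(community: bytes, if_index: int, status: int,
                        request_id: int = 1) -> bytes:
    """Return the complete SNMPv2c message: SET ifAdminStatus.<if_index> = status."""
    if status not in (UP, DOWN):
        raise ValueError("ifAdminStatus must be up(1) or down(2)")
    varbind = ber_seq(ber_oid(f"{IF_ADMIN_STATUS}.{if_index}"), ber_int(status))
    # SetRequest-PDU is context tag [3]: request-id, error-status, error-index, varbinds
    pdu = tlv(0xA3, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_seq(varbind))
    return ber_seq(ber_int(SNMP_V2C), ber_octets(community), pdu)


def send_set(msg: bytes, switch: str, port: int = 161, timeout: float = 2.0) -> bytes:
    """Send the SET to the switch's SNMP agent over UDP and return the raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (switch, port))
        data, _ = s.recvfrom(4096)
    return data


if __name__ == "__main__":
    # Assumed placeholders: write community "private", ifIndex 3, switch 192.0.2.1.
    msg = set_if_admin_status(b"private", if_index=3, status=DOWN)
    print(msg.hex())
    # send_set(msg, "192.0.2.1")   # only on a lab switch you administer
```

Two things the one-liner hides. First, the script still has to find the port: resolve the offending IP to a MAC (ARP table or the router's ipNetToMediaTable), then look the MAC up in BRIDGE-MIB dot1dTpFdbPort and map that bridge port to an ifIndex via dot1dBasePortIfIndex; an off-by-one here shuts down the wrong port, and hitting an uplink or trunk port isolates a whole segment rather than one host, so exclude those explicitly. Second, SNMPv2c carries the write community in cleartext, so the sensor that runs this holds the keys to every port on the switch; in production use SNMPv3 with authPriv and a write view limited to ifAdminStatus, and keep the same message with status=UP ready to restore the port once the host is cleaned.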