Honeypots mailing list archives

Re: Inoculation Scripts


From: Valdis.Kletnieks () vt edu
Date: Wed, 21 Jul 2004 14:28:36 -0400

On Wed, 21 Jul 2004 09:56:07 CDT, Joshua Berry <jberry () PENSON COM> said:
> Is anyone aware of any projects to develop updated inoculation scripts
> for honeyd to mitigate the latest worms like the blaster one found on:
> http://www.citi.umich.edu/u/provos/honeyd/msblast.html

Ouch. :)

An elegant solution, but not one I'd run on my networks.  The problem is that it's
only useful in one specific scenario:

The person running the honeypot *has* the authority to update the machine in question,
but does *not* have a way to actually make people get their machines up-to-date.

You'd be on *much* firmer ground if the script didn't actually touch the machine on
detecting a problem, but instead did the appropriate SNMP magic to the network switch
to disable that machine's port...

You probably want to wander over to www.snort.org instead - there's this in the FAQ:

---
5.7 What is the best way to use snort to block attack traffic?

snort-inline > hogwash >> SnortSAM|Guardian >> flexresp
---

There's no need for a honeypot - this is more a traditional IDS/IPS function...
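Added example, not part of the original post or of honeyd: one way the port-disable alternative mentioned above could be scripted. It resolves an infected host's MAC address to a switch port from BRIDGE-MIB walk output and builds the net-snmp `snmpset` call that sets IF-MIB `ifAdminStatus` to down. The walk output, switch address, community string and uplink list are constructed placeholders.

```python
import re

FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"           # BRIDGE-MIB dot1dTpFdbPort
BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # BRIDGE-MIB dot1dBasePortIfIndex
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"       # IF-MIB ifAdminStatus (2 = down)

# Constructed `snmpwalk -On` output from a hypothetical switch.
SAMPLE_FDB = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.170.187.204 = INTEGER: 24
"""
SAMPLE_BASEPORT = """\
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.24 = INTEGER: 10024
"""

def parse_walk(text, base):
    """Return {oid_suffix: int_value} for INTEGER rows under `base`."""
    pat = re.compile(r"^\.?" + re.escape(base) + r"\.([\d.]+) = INTEGER: (\d+)\s*$")
    rows = {}
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            rows[m.group(1)] = int(m.group(2))
    return rows

def quarantine_command(mac, fdb_text, baseport_text, switch, community, uplinks=()):
    """Build the snmpset argv that shuts the port where `mac` was learned.

    Returns None when the MAC is not in the forwarding table or was learned
    on an uplink, so a trunk is never shut down by mistake.
    """
    # The dot1dTpFdbPort index is the MAC as six decimal octets.
    suffix = ".".join(str(int(octet, 16)) for octet in mac.split(":"))
    bridge_port = parse_walk(fdb_text, FDB_PORT).get(suffix)
    if bridge_port is None:
        return None
    if_index = parse_walk(baseport_text, BASE_PORT_IFINDEX).get(str(bridge_port))
    if if_index is None or if_index in uplinks:
        return None
    return ["snmpset", "-v2c", "-c", community, switch,
            f"{IF_ADMIN_STATUS}.{if_index}", "i", "2"]
```

The returned list can be passed to `subprocess.run`; the uplink check matters because a MAC seen through a trunk belongs to a host on another switch.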


