Honeypots mailing list archives
Re: Inoculation Scripts
From: Valdis.Kletnieks () vt edu
Date: Wed, 21 Jul 2004 14:28:36 -0400
On Wed, 21 Jul 2004 09:56:07 CDT, Joshua Berry <jberry () PENSON COM> said:
> Is anyone aware of any projects to develop updated inoculation scripts for honeyd to mitigate the latest worms like the blaster one found on: http://www.citi.umich.edu/u/provos/honeyd/msblast.html
Ouch. :) An elegant solution, but not one I'd run on my networks.

The problem is that it's only useful in one specific scenario: The person running the honeypot *has* the authority to update the machine in question, but does *not* have a way to actually make people get their machines up-to-date.

You'd be on *much* firmer ground if the script didn't actually touch the machine on detecting a problem, but instead did the appropriate SNMP magic to the network switch to disable that machine's port...

You probably want to wander over to www.snort.org instead - there's this in the FAQ:

---
5.7 What is the best way to use snort to block attack traffic?

snort-inline > hogwash >> SnortSAM|Guardian >> flexresp
---

There's no need for a honeypot - this is more a traditional IDS/IPS function...