Snort mailing list archives

Re: VERY simple 'virtual' honeypot


From: Brian Caswell <bmc () mitre org>
Date: Thu, 7 Mar 2002 23:54:50 -0500

On Thu, Mar 07, 2002 at 10:34:16PM -0600, Lance Spitzner wrote:
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.

Heck, for those of us with nazi firewalls, those will do just 
fine.  If you use PF [0], you can log all incoming blocked 
packets and then view them with Snort (with a small patch) or 
tcpdump.

That's cheaper than wasting an IP, and most people that would
run a honeypot already watch their firewall logs.

[0] there is probably something like that in linux, but the 
    only thing I use linux for is building RPMs of snort :)

-brian 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

