Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: "Ian O'Brien" <iob () xilinx com>
Date: Thu, 07 Mar 2002 21:36:27 -0800
Lance Spitzner wrote:
However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could incidate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system. Of course this does not give you the Data Capture capabilites of a honeypot, as there is no system for the attacker to interact with. However, this could be used to help detect scanning or probing activity.
if your snort (or other sensor) is part of the network infrastructure (a bridge, a switch or a router) then you will have the packet. if not, then you should really only see an ARP request from the router.
Of course, you can proxy ARP for the addresses on or near your sensor box. then you should see the packets, and you even have the possibility to interact with the attack. I think that functionality is very much what LaBrea does.
Ian -- Ian O'Brien What kind of head of security would I be if I let people 408-696-2182=Pgr like me know things that I'm not supposed to know? iob () xilinx com --- Michael Garibaldi, B5 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- VERY simple 'virtual' honeypot Lance Spitzner (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- Re: VERY simple 'virtual' honeypot David Watson (Mar 08)
- Re: VERY simple 'virtual' honeypot nfudd (Mar 08)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Brian Caswell (Mar 07)
- RE: Re: VERY simple 'virtual' honeypot Chris Grout (Mar 07)
- Re: VERY simple 'virtual' honeypot Ian O'Brien (Mar 07)
- Re: VERY simple 'virtual' honeypot Glenn Forbes Fleming Larratt (Mar 07)
- Re: VERY simple 'virtual' honeypot Jim Forster (Mar 07)
- Re: VERY simple 'virtual' honeypot John Kinsella (Mar 07)
- Re: VERY simple 'virtual' honeypot Gideon Lenkey (Mar 08)
- Re: VERY simple 'virtual' honeypot Kerberus (Mar 08)
- RE: VERY simple 'virtual' honeypot Rick Francis (Mar 08)
- Re: VERY simple 'virtual' honeypot Edward Balas (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot James Hoagland (Mar 08)
(Thread continues...)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)