Snort mailing list archives

Re: VERY simple 'virtual' honeypot


From: "Ian O'Brien" <iob () xilinx com>
Date: Thu, 07 Mar 2002 21:36:27 -0800

Lance Spitzner wrote:

However, I was just thinking, why bother deploying the box?
Why not create a list of Snort rules that generate an alert
whenever a TCP/SYN packet or UDP packet is sent to an IP
address that has no system?  This could indicate a probe,
scan or attack, the same principles of a honeypot, but
without deploying an actual system.

Of course this does not give you the Data Capture capabilities
of a honeypot, as there is no system for the attacker to
interact with.  However, this could be used to help detect
scanning or probing activity.


If your Snort (or other sensor) is part of the network infrastructure (a bridge, a switch or a router) then you will have the packet. If not, then you should really only see an ARP request from the router.

Of course, you can proxy ARP for the addresses on or near your sensor box. Then you should see the packets, and you even have the possibility to interact with the attack. I think that functionality is very much what LaBrea does.


Ian
--

Ian O'Brien      What kind of head of security would I be if I let people
408-696-2182=Pgr       like me know things that I'm not supposed to know?
iob () xilinx com                                  --- Michael Garibaldi, B5
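The detection idea discussed in this thread, written out as an added example (not code from the original post, from Lance Spitzner, or from the Snort project): it generates the per-address TCP SYN and UDP rules Lance describes and runs the same logic over a constructed packet sample, reporting the router's ARP request as well, since that is all a sensor that is not inline would see. The 192.0.2.0/24 and 198.51.100.0/24 addresses, the Packet type and the sid range are assumptions made up for the example.

```python
"""Detector for the idea in the thread: TCP SYN or UDP sent to an unused address."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: addresses in a documentation /24 with no host assigned.
UNUSED = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11", "192.0.2.200")}

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "arp"
    src: str             # source IP (for ARP: the host asking, e.g. the router)
    dst: str             # destination IP (for ARP: the address being asked for)
    tcp_flags: str = ""  # TCP flag letters: "S" for a bare SYN, "SA" for SYN-ACK

def snort_rules(unused, base_sid=1000001):
    """One TCP-SYN rule and one UDP rule per unused address (hypothetical sid range)."""
    rules, sid = [], base_sid
    for ip in sorted(unused):
        rules.append(f'alert tcp any any -> {ip} any (msg:"TCP SYN to unused address {ip}"; '
                     f'flags:S; sid:{sid}; rev:1;)')
        rules.append(f'alert udp any any -> {ip} any (msg:"UDP to unused address {ip}"; '
                     f'sid:{sid + 1}; rev:1;)')
        sid += 2
    return rules

def alerts(packets, unused=UNUSED):
    """One alert string per matching packet.  A bare SYN or any UDP datagram to an
    unused address is reported directly; an ARP request for an unused address is
    reported too, since that is all a sensor not inline with the router sees."""
    out = []
    for p in packets:
        if ipaddress.ip_address(p.dst) not in unused:
            continue
        if p.proto == "tcp" and p.tcp_flags == "S":  # exact match, like Snort flags:S
            out.append(f"TCP SYN to unused address {p.dst} from {p.src}")
        elif p.proto == "udp":
            out.append(f"UDP to unused address {p.dst} from {p.src}")
        elif p.proto == "arp":
            out.append(f"ARP who-has {p.dst} from {p.src} (router resolving an unused address)")
    return out

# Constructed traffic sample: probe, traffic to a live host, SYN-ACK, UDP, router ARP.
SAMPLE = [
    Packet("tcp", "198.51.100.7", "192.0.2.10", "S"),
    Packet("tcp", "198.51.100.7", "192.0.2.20", "S"),   # 192.0.2.20 has a host
    Packet("tcp", "198.51.100.7", "192.0.2.11", "SA"),  # not a bare SYN
    Packet("udp", "198.51.100.8", "192.0.2.200"),
    Packet("arp", "192.0.2.1", "192.0.2.11"),
]
```

Running `alerts(SAMPLE)` yields three alerts (the SYN probe, the UDP datagram and the router's ARP request); the SYN to a live host and the SYN-ACK produce none.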


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users