Snort mailing list archives

Re: VERY simple 'virtual' honeypot


From: Glenn Forbes Fleming Larratt <glratt () io com>
Date: Thu, 7 Mar 2002 23:40:40 -0600 (CST)

I used LaBrea in this way - created a bogus /24 off my production 
network, poked a global allow for that /24 at my border, fired
up LaBrea and Snort on an unaddressed laptop on the /24, and
listened.

Some points of order regarding this quasi-honeypot:

- no dns, no outbound traffic, no nothing to indicate to an external
        party that the subnet even existed - thus, any traffic coming to
        that network was either misdirected or hostile;
        
- historically, the subnet had been unused and unallocated out of our
        /16 core (.edu network) for over two years;

- the subnet came into existence on Thu Dec 20 2001 sometime after 4:15 p.m.;
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- in the first full day of listening (December 21st) - one 24-hour period:
                                                       ^^^^^^^^^^^^^^^^^^
================================================================
- 1,702 different external hosts attempted at least one initial TCP connection;

- 1,026 attempted more than one;

- 335 attempted 20 or more;

- 71 attempted 255 or more, thereby scanning the entire subnet multiple times -
        of the top 60 or so:

        - 12 unique IP's came from U.S. educational institutions
        (UCLA 128.97.0.0/16, UVA 128.143.0.0/16, UGA 128.192.0.0/16,
        SunyBuffalo 128.205.0.0/16, UWA 128.208.0.0/16,
        UHI 128.171.0.0/16, SunyBinghamton 128.226.0.0/16,
        Syracuse 128.230.0.0/16, WashUStLouis 128.252.0.0/16,
        UOKNorman 129.15.0.0/16, UMI 131.213.0.0/16);

        - 12 unique IP's came from US providers (HSACorp 24.240.23.0/24,
        AOL 172.128.0.0/10, rr.com 24.24.0.0/13sortof, genuity.net 4.0.0.0/8,
        naxs.com 216.98.64.0/19, arnet 209.40.128.0/18, UUNET 208.254.72.0/23,
        Comcastpc.com 68.40.0.0/13, @home 65.9.112.0/20,
        SBCIS/PacBell 63.192.0.0/12);

        - 5 came from a random US ".com" (tag.com 216.177.32.0/19,
        mrws.net 63.166.61.0/24, "Oilgear" (AT&T) 209.36.148.0/24,
        BritSys.com 192.216.171.0/24, RuralNet 216.169.69.32/27);

        - 3 came from Canada (BellNexxia 65.93.160.0/19,
        ShawFiberlink 24.80.0.0/13, hyperlinx.net 207.107.55.0/24);

        - 3 came from Mexico (UnivAutonomaZacatecas 148.217.0.0/16,
        MERKANET 200.23.95.0/24, Avantel 148.240.0.0/16);

        - 2 came from South America (cable.net.co-Colombia 200.68.160.0/21,
        ImpSat-Venezuela 200.31.4.0/24);

        - 5 came from Germany (denoc.net 62.116.128.0/20,
        JWGoethe-UnivFrankfurt 141.2.0.0/16, t-online.com 80.128.0.0/12sortof,
        t-online.com 217.80.0.0/12sortof);

        - 4 came from France (internet-fr.net 212.37.210.0/22,
        wanadoo 217.128.39.0/24, wanadoo 193.252.192.0/24,
        wanadoo 80.13.214.0/24);

        - 2 came from Norway (nextgentel.com 213.145.160.0/19,
        NTANET 128.39.0.0/16);

        - 2 came from the Netherlands (tiscali.nl 195.241.0.0/16,
        UnivUtrecht 131.211.0.0/16);

        - 6 came from other European countries
        (InstitutoDaAgua-Portugal 193.136.235.0/24,
        Lidkopings-Sweden 195.84.233.128/26, MedUnivLodz-Poland 212.5.198.0/23,
        telefonica.es-Spain 213.96.0.0/15, tin.it-Italy 62.211.128.0/17,
        hispeed.ch-Switzerland 217.162.0.0/16sortof);

        - 1 came from Australia (bigpond.net.au 203.40.0.0/13);

        - 1 came from India (vsnl.net 203.199.84.128/26);

        - 9 came from Korea (rapitel.co.kr 211.189.198.0/25,
        KoreaTelecom 128.134.0.0/16, nuri.net 210.1221.56.192/26,
        kornet.net 61.73.128.0/20sortof, kornet 61.73.152.0/21sortof);

        - 2 came from China (Chinanet 202.104.0.0/16,
        LianyungangFoodMfry 61.155.96.0/19sortof);

        - 1 came from Taiwan (TANET 140.109.0.0/16);

        - 1 came from Japan (u-tokyo.ac.jp 133.11.0.0/16);

- activity peaks occurred 6-7am (97 hits), 11-12am (148), 5-6pm (158),
        6-7pm (202), and 7-8pm (295); [all times CST]

- most of these were reconnaissance (see below).
================
- of the initial connection attempts, 845 were to HTTP port 80 (presumably
        Code Red, Nimda, or more serious Web attackers), 243 were to FTP port
        21 (widely vulnerable), 242 were to SOCKS/Wingate port 1080 (widely
        exploitable), 232 were to ssh port 22 (recent exploits), and 14
        were to portmapper port 111 (an oldie but a goodie - widely
        exploitable, but most people block it nowadays)
================
- 56 hosts completed a TCP connection, 53 more than one, 43 hosts completed
        20 or more, and 9 hosts completed 255 or more; these hosts were
        presumably attempting exploits in real time.
================
- 4 internal security issues were detected:
        3 incidents of Code Red or Nimda
        1 incident of a compromised internal machine portscanning ssh
================

        -g

On Thu, 7 Mar 2002, Lance Spitzner wrote:

Most honeypots work on the same concept, a system that has no
production activity.  You deploy a box that has no production
value, any packets going to that box indicate a probe, scan, or
attack.  This helps reduce both false positives and false
negatives.  Examples of such honeypots include BackOfficer Friendly,
DTK, ManTrap, Specter, and Honeynets.

However, I was just thinking, why bother deploying the box?
Why not create a list of Snort rules that generate an alert
whenever a TCP/SYN packet or UDP packet is sent to an IP
address that has no system?  This could indicate a probe,
scan or attack, the same principles of a honeypot, but
without deploying an actual system.

Of course this does not give you the Data Capture capabilities
of a honeypot, as there is no system for the attacker to
interact with.  However, this could be used to help detect
scanning or probing activity.

Thoughts?



-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
glratt () io com                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.
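The two ideas in this thread, Spitzner's "alert on any SYN or UDP packet to an address that has no system" and Larratt's day-one roll-up of what hit his bogus /24, written out as one runnable Python example. This is an added illustration, not code from either poster and not Snort or LaBrea code: it applies the rule to a list of packet records and then reduces the matches to the same counts Larratt reports (distinct sources, sources with more than one attempt, 20 or more, 255 or more, top ports, peak hours, and sources that completed a handshake). The subnet 192.0.2.0/24, the source addresses and every packet record are constructed for the example; the "bare ACK means the handshake completed" test assumes something in the dark space (LaBrea, in Larratt's set-up) answered the SYN.

```python
"""Probe detection against an unassigned subnet, plus the daily roll-up.

Added example, not code from either post or from Snort/LaBrea.  Packet
records are (timestamp, src, dst, proto, dport, tcp_flags); flags is ""
for UDP.  The network and all packets below are constructed.
"""
import ipaddress
from collections import Counter
from datetime import datetime

DARK_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed: the bogus, unaddressed /24
LIVE_HOSTS = frozenset()                          # nothing in it is meant to answer


def is_probe(pkt):
    """Spitzner's rule: TCP SYN without ACK, or any UDP, to an address with no host."""
    _ts, _src, dst, proto, _dport, flags = pkt
    if ipaddress.ip_address(dst) not in DARK_NET or dst in LIVE_HOSTS:
        return False
    if proto == "udp":
        return True
    return proto == "tcp" and "S" in flags and "A" not in flags


def probe_alerts(packets):
    """Return (timestamp, src, dst, proto, dport) for every packet the rule matches."""
    return [(p[0], p[1], p[2], p[3], p[4]) for p in packets if is_probe(p)]


def completed_handshakes(packets):
    """Sources that sent a bare ACK to a dark address.

    An outside host only sends that third packet if something answered its
    SYN (assumed here: a tarpit such as LaBrea), so it is the cheapest sign
    that the peer got past scanning and could start talking to the port.
    """
    return {p[1] for p in packets
            if p[3] == "tcp" and p[5] == "A"
            and ipaddress.ip_address(p[2]) in DARK_NET}


def summarize(packets):
    """The counts from the post: sources, repeaters, sweepers, ports, hours, completions."""
    alerts = probe_alerts(packets)
    per_src = Counter(a[1] for a in alerts)
    sweep = DARK_NET.num_addresses - 1  # 255 for a /24, the threshold the post uses
    return {
        "sources": len(per_src),
        "more_than_one": sum(1 for n in per_src.values() if n > 1),
        "twenty_or_more": sum(1 for n in per_src.values() if n >= 20),
        "swept_subnet": sum(1 for n in per_src.values() if n >= sweep),
        "top_ports": Counter(a[4] for a in alerts).most_common(5),
        "peak_hours": Counter(a[0].hour for a in alerts).most_common(3),
        "completed": len(completed_handshakes(packets)),
    }


def sample_capture():
    """Constructed packets, not real traffic: one full sweep of the /24, a
    partial ssh scan, a single UDP probe, a SOCKS probe that completes, and
    two packets the rule must ignore (SYN/ACK backscatter, a SYN outside)."""
    def at(hour):  # only the hour of day matters for the peak-hour count
        return datetime(2001, 12, 21, hour, 0, 0)
    pkts = []
    for host in DARK_NET:                                          # 256 SYNs to port 80
        pkts.append((at(19), "203.0.113.5", str(host), "tcp", 80, "S"))
    for i in range(1, 26):                                         # 25 SYNs to port 22
        pkts.append((at(6), "198.51.100.7", f"192.0.2.{i}", "tcp", 22, "S"))
    pkts.append((at(11), "198.51.100.9", "192.0.2.40", "udp", 137, ""))
    pkts.append((at(17), "203.0.113.77", "192.0.2.10", "tcp", 1080, "S"))
    pkts.append((at(17), "203.0.113.77", "192.0.2.10", "tcp", 1080, "A"))  # handshake done
    pkts.append((at(17), "203.0.113.77", "192.0.2.11", "tcp", 1080, "S"))
    pkts.append((at(8), "203.0.113.200", "192.0.2.50", "tcp", 40000, "SA"))  # backscatter
    pkts.append((at(8), "198.51.100.7", "192.0.3.1", "tcp", 80, "S"))        # not dark space
    return pkts


if __name__ == "__main__":
    for key, value in summarize(sample_capture()).items():
        print(f"{key}: {value}")
```

The SYN/ACK record is there on purpose: a dark subnet also receives backscatter from spoofed-source floods elsewhere, and a rule that fires on any TCP packet rather than on SYN-without-ACK would count those victims as scanners. The bare-ACK count is only meaningful when something in the dark space answers SYNs; on a subnet with no tarpit, attackers never get to send it, which is the Data Capture gap Spitzner points out.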


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

