Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: Jim Forster <jforster () rapidnet com>
Date: Thu, 7 Mar 2002 22:53:30 -0700
<ramble>
I've been in discussion over this topic for quite some time with some friends / sysadmins, and granted, some arguments. You put up a box, no reverse, no forward lookups, and let it listen. ANYTHING coming to it is obviously bad from SYN 1. But having it react in some way is the question. There is no reason whatsoever this system would ever get any traffic, so how do you handle incoming requests? Retaliation.net sure sounded good, but it's taken, so that kinda crushed that dream. >:P

I've looked at LaBrea, and I like the idea. They come in (unwelcome) and the door locks behind them. But I agree here: letting them "think" the system that just responded might be a "hidden accounting box on x's network" would yield much more interesting results than just holding someone / worms at bay (as well as letting me see what kind of "$up4r-r337" new script is out there). I've seen people hit a FreeBSD system that obviously misread or simply didn't understand the results of the scan/probe, only to come back and manually (I'm guessing, because of the typos) try to use Unicode exploits to get into a "nimda-infected" box. Not to mention systems from two locations I work for have had open FTP, only to close it and watch for them to come back.

I openly admit I'm a "noobie" to honeypots, but I'm really interested in thoughts on the subject, and the possible correlation with Snort. The multi-IP bindings seem like a good idea, but I worry about having "joe sysadmin" install it and take down their router. :)

Reacting in any way that may harm the attacker is "illegal" for all but some of those heavy .gov proggies - SideWinder, as far as I know. Correct? Or is it even still used? I guess it all depends on how you classify 'react': passive, or aggressive. Personally, I guess it depends on each case, and how many times they have come back (intent). One kid with a win proggie looking for open Windows shares isn't really going to be a problem. Someone checking my FTP and SSH servers over a few class C's, then coming back a week later to try and exploit them all, is.

Truth is, the worms are (slowly) getting better, the kiddies are learning to compile... Things are going to change. It's a question of 'how' and 'when' can we react to it, and to what extent can we do so? Or can we make enough bait systems that wide probing becomes useless due to the sheer number of responses by hosts that "want" you to come in? I'd guess with current laws, bait and watch is our only safe reaction?
</ramble>

-Jim

On Thu, 7 Mar 2002 22:34:16 -0600 (CST), Lance Spitzner wrote:
Most honeypots work on the same concept, a system that has no production activity. You deploy a box that has no production value; any packets going to that box indicate a probe, scan, or attack. This helps reduce both false positives and false negatives. Examples of such honeypots include BackOfficer Friendly, DTK, ManTrap, Specter, and Honeynets. However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could indicate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system. Of course this does not give you the Data Capture capabilities of a honeypot, as there is no system for the attacker to interact with. However, this could be used to help detect scanning or probing activity. Thoughts?
-- Jim Forster, jforster () rapidnet com on 03/07/2002

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
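The check Lance proposes (alert on any TCP SYN or UDP packet aimed at an address that has no host), worked through as an added example. This is not code from the thread or from Snort; the monitored prefix, the list of allocated hosts, the scan threshold, the sample packets and the sid numbers are all constructed for illustration. It does three things the paragraph only sketches: it derives the "dark" address set from a prefix minus the real hosts (dropping the network and broadcast addresses, which legitimately attract traffic), it ignores ACK/RST-only segments to dark space (usually backscatter from someone else's spoofed flood rather than a probe), and it counts how many dark addresses each source touched so a single stray packet is not reported as a scan. It also prints the equivalent Snort rules, with the dark space collapsed into the fewest CIDR blocks.

```python
"""Virtual honeypot detection: treat TCP SYN / UDP packets to unused
addresses as probes, and emit the equivalent Snort rules.

Added example, not part of the original thread.  MONITORED, ALLOCATED,
SCAN_THRESHOLD, SAMPLE and the sids are hypothetical / constructed.
"""
import ipaddress
from collections import defaultdict

# Hypothetical monitored prefix (RFC 5737 documentation range) and the
# addresses inside it that really have hosts behind them.
MONITORED = ipaddress.ip_network("192.0.2.0/24")
ALLOCATED = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.10", "192.0.2.25")}
SCAN_THRESHOLD = 3  # distinct dark addresses from one source before we call it a scan


def dark_hosts():
    """Unused host addresses in MONITORED.  hosts() already excludes the
    network and broadcast addresses, which would otherwise cause noise."""
    return [ip for ip in MONITORED.hosts() if ip not in ALLOCATED]


DARK = set(dark_hosts())


def is_dark(dst):
    """True if dst is inside the monitored prefix and has no host."""
    return ipaddress.ip_address(dst) in DARK


def is_probe(pkt):
    """A packet is a probe if it could start a conversation: any UDP
    datagram, or a TCP segment with exactly SYN set.  SYN/ACK, ACK or RST
    to a dark address is more likely backscatter than a scan."""
    if pkt["proto"] == "udp":
        return True
    if pkt["proto"] == "tcp":
        return pkt.get("flags", "") == "S"
    return False


def detect(packets):
    """Return (alerts, scanners): one alert line per probe into dark space,
    and the set of sources that touched SCAN_THRESHOLD or more dark hosts."""
    alerts = []
    touched = defaultdict(set)
    for p in packets:
        if is_dark(p["dst"]) and is_probe(p):
            alerts.append(f'{p["proto"]} {p["src"]} -> {p["dst"]}:{p["dport"]} probe to unused address')
            touched[p["src"]].add(p["dst"])
    scanners = {src for src, dsts in touched.items() if len(dsts) >= SCAN_THRESHOLD}
    return alerts, scanners


def dark_blocks():
    """Dark space collapsed into the fewest CIDR blocks, as strings."""
    nets = (ipaddress.ip_network(str(ip)) for ip in dark_hosts())
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def snort_rules(base_sid=1000001):
    """The same check as two Snort rules.  flags:S matches segments with
    only SYN set; the sids are arbitrary local-range numbers."""
    iplist = "[" + ",".join(dark_blocks()) + "]"
    return [
        f'alert tcp any any -> {iplist} any (msg:"Probe to unused address (TCP SYN)"; flags:S; sid:{base_sid}; rev:1;)',
        f'alert udp any any -> {iplist} any (msg:"Probe to unused address (UDP)"; sid:{base_sid + 1}; rev:1;)',
    ]


# Constructed sample traffic; comments say what each packet should do.
SAMPLE = [
    {"proto": "tcp", "src": "203.0.113.7",  "dst": "192.0.2.10",  "dport": 22,  "flags": "S"},  # real host: normal
    {"proto": "tcp", "src": "203.0.113.7",  "dst": "192.0.2.11",  "dport": 22,  "flags": "S"},  # dark: probe
    {"proto": "tcp", "src": "203.0.113.7",  "dst": "192.0.2.12",  "dport": 22,  "flags": "S"},  # dark: probe
    {"proto": "tcp", "src": "203.0.113.7",  "dst": "192.0.2.13",  "dport": 22,  "flags": "S"},  # dark: probe, 3rd host -> scan
    {"proto": "udp", "src": "198.51.100.5", "dst": "192.0.2.50",  "dport": 137},                # dark: probe
    {"proto": "tcp", "src": "198.51.100.9", "dst": "192.0.2.77",  "dport": 80,  "flags": "A"},  # dark but ACK-only: backscatter, ignored
    {"proto": "tcp", "src": "203.0.113.7",  "dst": "192.0.2.255", "dport": 445, "flags": "S"},  # broadcast: excluded
    {"proto": "udp", "src": "10.0.0.1",     "dst": "10.0.0.2",    "dport": 53},                 # outside monitored prefix
]

if __name__ == "__main__":
    alerts, scanners = detect(SAMPLE)
    for line in alerts:
        print("ALERT", line)
    print("scanning sources:", sorted(scanners))
    print("\n".join(snort_rules()))
```

One placement caveat for the rule-only variant: on a local segment the router ARPs for a dark address, gets no answer and never puts the SYN on the wire, so the sensor has to sit upstream of the router (or on its ingress) to see the packet, or something has to answer ARP for the dark range.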
Current thread:
- VERY simple 'virtual' honeypot Lance Spitzner (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- Re: VERY simple 'virtual' honeypot David Watson (Mar 08)
- Re: VERY simple 'virtual' honeypot nfudd (Mar 08)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Brian Caswell (Mar 07)
- RE: Re: VERY simple 'virtual' honeypot Chris Grout (Mar 07)
- Re: VERY simple 'virtual' honeypot Ian O'Brien (Mar 07)
- Re: VERY simple 'virtual' honeypot Glenn Forbes Fleming Larratt (Mar 07)
- Re: VERY simple 'virtual' honeypot Jim Forster (Mar 07)
- Re: VERY simple 'virtual' honeypot John Kinsella (Mar 07)
- Re: VERY simple 'virtual' honeypot Gideon Lenkey (Mar 08)
- Re: VERY simple 'virtual' honeypot Kerberus (Mar 08)
- RE: VERY simple 'virtual' honeypot Rick Francis (Mar 08)
- Re: VERY simple 'virtual' honeypot Edward Balas (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot James Hoagland (Mar 08)
- Re: VERY simple 'virtual' honeypot George Bakos (Mar 08)
- Re: VERY simple 'virtual' honeypot Martin Roesch (Mar 08)
(Thread continues...)