Snort mailing list archives
RE: Re: VERY simple 'virtual' honeypot
From: "Chris Grout" <cgrout () s4r com>
Date: Thu, 7 Mar 2002 22:39:05 -0800
Well, all these things do not accomplish one of the main reasons many people run honeypots: to study exactly what happens *after* the scans are done, the exploits sent, and/or the service crashed. A good number of exploits cause something to happen that requires the interaction of a normal OS with normal system tools (i.e. bind a root shell, rcp/tftp in a rootkit, build a trojan'd sshd, nc back home...). All of which you might be able to determine that they were attempting with some of these methods mentioned earlier, but then what? What was that "rootkit" going to do to my box? Was it custom written for me? How did that attack look to the OS, or was anything even logged at the host level?

If your purpose is to log unsolicited traffic, use the method Brian mentions. Pick an unused IP, and log 100% of traffic to it. Anyone hitting it instantly becomes suspicious.

If your purpose is to "catch and record" that unsolicited traffic after the 3-way handshake was successful, then I believe a number of instances of netcat bound to those interesting ports, piping to files, should work just fine.

Now if you want to allow the exploits and attacks to complete, study any real activity after the 'sploit does its business, or anything more in depth like this, then you're going to need to run a real OS. Especially to catch anything new. Sure, many products simulate vulnerable system responses, but in my opinion, those results are tainted.

Good schtuff...

Chris

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Brian Caswell
Sent: Thursday, March 07, 2002 8:55 PM
To: Lance Spitzner
Cc: Snort-Users (E-mail); honeypots () securityfocus com
Subject: [Snort-users] Re: VERY simple 'virtual' honeypot

On Thu, Mar 07, 2002 at 10:34:16PM -0600, Lance Spitzner wrote:
> However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could indicate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system.
Heck, for those of us with nazi firewalls, those will do just fine. If you use PF [0], you can log all incoming blocked packets and then view them with Snort (with a small patch) or tcpdump. That's cheaper than wasting an IP, and most people that would run a honeypot already watch their firewall logs.

[0] there is probably something like that in linux, but the only thing I use linux for is building RPMs of snort :)

-brian

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
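Chris's "netcat bound to interesting ports, piping to files" approach, written out as an added example that is not code from this thread, from Snort, or from any of the posters: a small Python listener that accepts connections on a set of ports (so only completed 3-way handshakes are recorded, unlike the firewall-log method), captures the first bytes each peer sends, and appends one JSON line per session. The port list, the log path, the `SAMPLE_PROBE` bytes and the `run_local_self_test` helper are all constructed for illustration.

```python
import json
import os
import socket
import tempfile
import threading
import time

# Constructed sample of what a probe might send after connecting; used only by
# the local self-test below, not taken from the thread.
SAMPLE_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def capture_session(conn, peer, local_port, log_path, read_timeout=5.0, max_bytes=4096):
    """Handle one accepted TCP connection (handshake already complete): record who
    connected, which port they hit and the first bytes they sent, then append the
    record as one JSON line to log_path. Returns the record."""
    conn.settimeout(read_timeout)
    payload = bytearray()
    try:
        while len(payload) < max_bytes:
            chunk = conn.recv(max_bytes - len(payload))
            if not chunk:          # peer closed the connection
                break
            payload.extend(chunk)
    except socket.timeout:
        pass                       # connected but went quiet: still worth logging
    finally:
        conn.close()
    record = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src": peer[0],
        "sport": peer[1],
        "dport": local_port,
        "bytes": len(payload),
        "payload_hex": payload.hex(),   # hex so binary payloads survive intact
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def serve_port(port, log_path, bind_addr="0.0.0.0", stop=None, accept_timeout=0.5):
    """Bind one listener and hand every accepted connection to capture_session in
    its own thread. Returns the bound port (port=0 lets the OS choose one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    srv.settimeout(accept_timeout)   # lets the accept loop notice the stop flag
    bound_port = srv.getsockname()[1]

    def accept_loop():
        while stop is None or not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=capture_session,
                             args=(conn, peer, bound_port, log_path),
                             daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return bound_port


def read_records(log_path):
    """Load the JSON-lines log back into a list of dicts."""
    with open(log_path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def run_local_self_test():
    """Constructed end-to-end check: one listener on 127.0.0.1, one local
    connection that sends SAMPLE_PROBE, then read back what was recorded."""
    log_path = os.path.join(tempfile.mkdtemp(), "honeypot.jsonl")
    stop = threading.Event()
    port = serve_port(0, log_path, bind_addr="127.0.0.1", stop=stop)
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(SAMPLE_PROBE)
    for _ in range(100):              # wait up to ~5 s for the record to land
        try:
            if read_records(log_path):
                break
        except (FileNotFoundError, ValueError):
            pass                      # file not there yet, or line half-written
        time.sleep(0.05)
    stop.set()
    return read_records(log_path)


if __name__ == "__main__":
    # Assumed deployment: bind the "interesting" ports on the otherwise unused IP.
    # Ports below 1024 need root or CAP_NET_BIND_SERVICE; the list is an assumption.
    stop = threading.Event()
    for p in (21, 23, 80, 111, 443, 1433, 3306):
        serve_port(p, "/var/log/honeypot.jsonl", stop=stop)
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        stop.set()
```

Run it as root on the unused address and point log rotation at the JSON-lines file. Because nothing is bound on the other ports, SYNs to those still show up only in the firewall or Snort logs, so the two methods in the thread complement each other: the firewall log tells you who knocked, this file tells you what they said once the handshake completed.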
Current thread:
- VERY simple 'virtual' honeypot Lance Spitzner (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- Re: VERY simple 'virtual' honeypot David Watson (Mar 08)
- Re: VERY simple 'virtual' honeypot nfudd (Mar 08)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Brian Caswell (Mar 07)
- RE: Re: VERY simple 'virtual' honeypot Chris Grout (Mar 07)
- Re: VERY simple 'virtual' honeypot Ian O'Brien (Mar 07)
- Re: VERY simple 'virtual' honeypot Glenn Forbes Fleming Larratt (Mar 07)
- Re: VERY simple 'virtual' honeypot Jim Forster (Mar 07)
- Re: VERY simple 'virtual' honeypot John Kinsella (Mar 07)
- Re: VERY simple 'virtual' honeypot Gideon Lenkey (Mar 08)
- Re: VERY simple 'virtual' honeypot Kerberus (Mar 08)
- RE: VERY simple 'virtual' honeypot Rick Francis (Mar 08)
- Re: VERY simple 'virtual' honeypot Edward Balas (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
(Thread continues...)