Snort mailing list archives

RE: Re: VERY simple 'virtual' honeypot


From: "Chris Grout" <cgrout () s4r com>
Date: Thu, 7 Mar 2002 22:39:05 -0800

Well, all these things do not accomplish one of the main reasons many
people run honeypots.  To study exactly what happens *after* the scans
are done, the exploits sent, and/or the service crashed.

A good number of exploits cause something to happen that requires the
interaction of a normal OS with normal system tools (i.e.  bind a root
shell, rcp/tftp in a rootkit, build a trojan'd sshd, nc back home...).
All of which you might be able to determine that they were attempting
with some of these methods mentioned earlier, but then what?  What was
that "rootkit" going to do to my box?  Was it custom written for me?
How did that attack look to the OS or was anything even logged at the
host level?

If your purpose is to log unsolicited traffic, use the method Brian
mentions.  Pick an unused IP, and log 100% of traffic to it.  Anyone
hitting it instantly becomes suspicious.

If your purpose is to "catch and record" that unsolicited traffic after
the 3 way handshake was successful, then I believe a number of instances
of netcat bound to those interesting ports, piping to files, should work
just fine.

Now if you want to allow the exploits and attacks to complete, study any
real activity after the 'sploit does its business, or anything more in
depth like this, then you're going to need to run a real OS.  Especially
to catch anything new.  Sure many products simulate vulnerable system
responses, but in my opinion, those results are tainted.

Good schtuff...

Chris
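
The netcat-per-port "catch and record" setup Chris describes, as an added example that is not from this thread: a small Python listener (my own code, not netcat and not anything from the list) that binds one passive TCP socket per port, completes the handshake, records whatever the peer sends afterwards without ever answering, and appends one line per connection to a per-port log file, the way `nc -l -p PORT >> PORT.log` would. The class and function names (`CatchAndRecord`, `probe`, `format_capture`), the loopback bind address, the size and idle limits, and the demo payloads are all constructed for this example; binding ports below 1024 needs privileges.

```python
# Added example (not from the thread): a Python stand-in for "netcat bound to the
# interesting ports, piping to files". Each listener completes the TCP handshake,
# records what the peer then sends, never answers, and logs one line per connection.
import os
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Capture:
    ts: float      # time the connection was recorded
    src: str       # peer address
    sport: int     # peer port
    dport: int     # local listener port that was hit
    data: bytes    # bytes received after the handshake, possibly empty


def format_capture(cap):
    """One log line: UTC time, peer, local port, byte count and a hex dump of the payload."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(cap.ts))
    return f"{stamp} {cap.src}:{cap.sport} -> :{cap.dport} {len(cap.data)} bytes {cap.data.hex()}"


class CatchAndRecord:
    """One passive TCP listener per port; records post-handshake payloads only."""

    def __init__(self, ports, bind_addr="127.0.0.1", max_bytes=4096, idle_timeout=1.0):
        self.max_bytes, self.idle_timeout = max_bytes, idle_timeout
        self.captures, self._lock, self._socks = [], threading.Lock(), []
        for port in ports:                    # port 0 lets the OS pick a free port
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((bind_addr, port))         # ports below 1024 need privileges
            s.listen(16)
            self._socks.append(s)
        self.ports = [s.getsockname()[1] for s in self._socks]

    def start(self):
        for s in self._socks:
            threading.Thread(target=self._accept_loop, args=(s,), daemon=True).start()
        return self

    def close(self):
        for s in self._socks:
            s.close()

    def _accept_loop(self, lsock):
        dport = lsock.getsockname()[1]
        while True:
            try:
                conn, peer = lsock.accept()
            except OSError:                   # listener was closed
                return
            threading.Thread(target=self._record, args=(conn, peer, dport), daemon=True).start()

    def _record(self, conn, peer, dport):
        # Read until the peer closes, the size cap is hit or the peer goes idle;
        # nothing is ever sent back, like `nc -l` with no stdin.
        conn.settimeout(self.idle_timeout)
        buf = bytearray()
        try:
            while len(buf) < self.max_bytes:
                chunk = conn.recv(self.max_bytes - len(buf))
                if not chunk:
                    break
                buf += chunk
        except OSError:                       # includes socket.timeout
            pass
        finally:
            conn.close()
        with self._lock:
            self.captures.append(Capture(time.time(), peer[0], peer[1], dport, bytes(buf)))

    def wait_for(self, count, timeout=5.0):
        """Poll until at least `count` captures exist; False if the timeout expires first."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.captures) >= count:
                    return True
            time.sleep(0.05)
        return False

    def write_logs(self, directory):
        """Append one line per capture to <directory>/<port>.log; returns the paths written."""
        os.makedirs(directory, exist_ok=True)
        with self._lock:
            caps = list(self.captures)
        paths = set()
        for cap in caps:
            path = os.path.join(directory, f"{cap.dport}.log")
            with open(path, "a", encoding="utf-8") as fh:
                fh.write(format_capture(cap) + "\n")
            paths.add(path)
        return sorted(paths)


def probe(port, payload, host="127.0.0.1"):
    """Demo client standing in for an unsolicited connection: connect, send, close."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        c.sendall(payload)
```

Because the listener never responds, it captures only the first thing the peer sends (a banner grab, the opening packet of an exploit), which is exactly the limit Chris points out: anything that depends on a real service answering back still needs a real OS behind the port. The size cap and idle timeout are there so one connection cannot hold a thread open indefinitely.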

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Brian
Caswell
Sent: Thursday, March 07, 2002 8:55 PM
To: Lance Spitzner
Cc: Snort-Users (E-mail); honeypots () securityfocus com
Subject: [Snort-users] Re: VERY simple 'virtual' honeypot


On Thu, Mar 07, 2002 at 10:34:16PM -0600, Lance Spitzner wrote:
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.

Heck, for those of us with nazi firewalls, those will do just
fine.  If you use PF [0], you can log all incoming blocked
packets and then view them with Snort (with a small patch) or
tcpdump.

That's cheaper than wasting an IP, and most people that would
run a honeypot already watch their firewall logs.

[0] there is probably something like that in linux, but the
    only thing I use linux for is building RPMs of snort :)

-brian

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
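
Lance's and Brian's passive variant (alert on any SYN or UDP datagram aimed at an address that has no system behind it), as an added example that is not from the thread: a Python filter over tcpdump-style pflog lines, written for this page rather than taken from Snort, PF or anyone on the list. The sample lines, the "dark" range 192.0.2.192/26 (documentation address space standing in for a real unused block) and the names `dark_hits`, `suspicious_sources` and `DarkHit` are all constructed. It generalises Lance's single unused IP to whole unused ranges, which is why it takes networks rather than individual addresses.

```python
# Added example (not from the thread): flag traffic aimed at addresses that have
# no system behind them ("dark" space), reading tcpdump-style pflog lines.
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the shape of `tcpdump -n -e -ttt -i pflog0` output.
# Only the "src.sport > dst.dport: ..." part is parsed, so the pflog header text
# in front of it may differ between tcpdump versions without breaking anything.
SAMPLE_LINES = [
    "10:15:01.123456 rule 2/0(match): block in on em0: 203.0.113.5.40001 > 192.0.2.200.22: Flags [S], seq 1234, win 65535, length 0",
    "10:15:01.223456 rule 2/0(match): block in on em0: 203.0.113.5.40002 > 192.0.2.200.80: Flags [S], seq 1235, win 65535, length 0",
    "10:15:02.000000 rule 2/0(match): block in on em0: 198.51.100.9.53 > 192.0.2.10.33333: UDP, length 48",
    "10:15:03.000000 rule 2/0(match): block in on em0: 198.51.100.20.1434 > 192.0.2.201.1434: UDP, length 376",
    "10:15:04.000000 rule 2/0(match): block in on em0: 192.0.2.10.443 > 203.0.113.77.51000: Flags [S.], seq 0, ack 1, win 0, length 0",
    "garbage line that the parser must skip",
]

# Assumed to have no host behind them: anything sent here is unsolicited by definition.
# (192.0.2.10 above is assumed to be a live host and is outside this range.)
DARK_RANGES = ["192.0.2.192/26"]

LINE_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


@dataclass(frozen=True)
class DarkHit:
    src: str
    dst: str
    dport: int
    kind: str        # "tcp-syn", "tcp-other", "udp" or "other"


def classify(rest):
    """Name the packet type from tcpdump's protocol text after the address pair."""
    m = re.search(r"Flags \[([^\]]*)\]", rest)
    if m:
        # A bare SYN is a new connection attempt; "S." is a SYN/ACK, "R" a reset, etc.
        return "tcp-syn" if m.group(1) == "S" else "tcp-other"
    if rest.startswith("UDP"):
        return "udp"
    return "other"


def dark_hits(lines, dark_ranges=DARK_RANGES):
    """Return a DarkHit for every parseable line whose destination lies in dark space."""
    nets = [ipaddress.ip_network(r, strict=False) for r in dark_ranges]
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a packet line: skip, never crash the pipeline
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:                # regex allows octets like 999; reject them here
            continue
        if any(dst in net for net in nets):
            hits.append(DarkHit(m["src"], m["dst"], int(m["dport"]), classify(m["rest"])))
    return hits


def suspicious_sources(hits):
    """Count hits per source: every source listed touched an address that has no system."""
    return Counter(h.src for h in hits)


if __name__ == "__main__":
    found = dark_hits(SAMPLE_LINES)
    for h in found:
        print(f"{h.kind:9} {h.src} -> {h.dst}:{h.dport}")
    print(dict(suspicious_sources(found)))
```

With Brian's PF setup the input would come from `tcpdump -n -e -ttt -i pflog0` (live) or `tcpdump -n -e -ttt -r /var/log/pflog` (saved), given a `block log` rule in pf.conf. Lance's version of the same condition as a Snort rule, for one unused address, would be `alert tcp any any -> 192.0.2.200 any (msg:"SYN to unused address"; flags:S; sid:1000001; rev:1;)` plus a matching `alert udp` rule; the Python above does the same thing after the fact over the firewall log instead of on the wire.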