Snort mailing list archives

Re: VERY simple 'virtual' honeypot


From: "John Kinsella" <jlk () thrashyour com>
Date: Thu, 7 Mar 2002 23:19:38 -0800

On Thu, Mar 07, 2002 at 10:34:16PM -0600, Lance Spitzner wrote:
(...)
However, I was just thinking, why bother deploying the box?
Why not create a list of Snort rules that generate an alert
whenever a TCP/SYN packet or UDP packet is sent to an IP
address that has no system?  This could indicate a probe,
scan or attack, the same principles of a honeypot, but
without deploying an actual system.

I'm presuming one would have Snort already set up, and are just
skipping the external honeypot part.  That said, what are you gaining
by seeing somebody scan/probe an IP with public services vs one
with no production services?  Only win I see from having the rules
for IPs not tied to a system is being able to see how targeted a
scan/attack is.

Finding out what somebody does when..."presented" with a vulnerability
is where the value comes from in a honey(pot/net), IMHO.

John
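For reference, the rule set Lance sketches above (alert on any TCP SYN or UDP datagram aimed at an address that has no host behind it) is short to write. The rules below are an added illustration, not text from either poster and not part of the Snort distribution; the DARK_NET range 192.0.2.128/25 is a made-up placeholder for the unused addresses on your own network, and the sid values are arbitrary local numbers.

```snort
# Addresses on the monitored segment that have no system behind them.
# Placeholder range; replace with the actual unused block(s) on your network.
var DARK_NET [192.0.2.128/25]

# TCP connection attempts: match only the initial SYN so that each probe
# produces one alert rather than one per packet of a half-open handshake.
alert tcp any any -> $DARK_NET any (msg:"DARKNET TCP SYN to unused address"; flags:S; sid:1000001; rev:1;)

# UDP: there is no handshake, so any datagram to an unused address counts.
alert udp any any -> $DARK_NET any (msg:"DARKNET UDP to unused address"; sid:1000002; rev:1;)
```

Two practical notes. First, the list of addresses in DARK_NET must really be empty: anything that legitimately sends to those addresses (a misconfigured host, a management station sweeping the subnet, directed broadcasts) will show up as a "probe", so review the first day or two of alerts before treating them as hostile. Second, these rules answer only the question John raises above, namely how widely a scan is being swept; because no service answers, they cannot show what the scanner would have done against a live host, which is the part a real honeypot captures.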

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users