Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: "John Kinsella" <jlk () thrashyour com>
Date: Thu, 7 Mar 2002 23:19:38 -0800
On Thu, Mar 07, 2002 at 10:34:16PM -0600, Lance Spitzner wrote: (...)
However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could incidate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system.
I'm presuming one would have Snort already set up, and just are skipping the external honeypot part. That said, what are you gaining by seeing somebody scan/probe an IP with public services vs one with no production services? Only win I see from having the rules for IPs not tied to a system is being able to see how targeted a scan/attack is. Finding out what somebody does when..."presented" with a vulnerability is where the value comes from in a honey(pot/net), IMHO. John _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: VERY simple 'virtual' honeypot, (continued)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- Re: VERY simple 'virtual' honeypot David Watson (Mar 08)
- Re: VERY simple 'virtual' honeypot nfudd (Mar 08)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Brian Caswell (Mar 07)
- RE: Re: VERY simple 'virtual' honeypot Chris Grout (Mar 07)
- Re: VERY simple 'virtual' honeypot Ian O'Brien (Mar 07)
- Re: VERY simple 'virtual' honeypot Glenn Forbes Fleming Larratt (Mar 07)
- Re: VERY simple 'virtual' honeypot Jim Forster (Mar 07)
- Re: VERY simple 'virtual' honeypot John Kinsella (Mar 07)
- Re: VERY simple 'virtual' honeypot Gideon Lenkey (Mar 08)
- Re: VERY simple 'virtual' honeypot Kerberus (Mar 08)
- RE: VERY simple 'virtual' honeypot Rick Francis (Mar 08)
- Re: VERY simple 'virtual' honeypot Edward Balas (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot James Hoagland (Mar 08)
- Re: VERY simple 'virtual' honeypot George Bakos (Mar 08)
- Re: VERY simple 'virtual' honeypot Martin Roesch (Mar 08)
- Re: VERY simple 'virtual' honeypot Jason Robertson (Mar 09)
(Thread continues...)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)