Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: David Watson <david.watson () ioko365 com>
Date: Fri, 08 Mar 2002 12:07:55 +0000
Lance / Kurt,

I had been thinking about exactly the same idea myself recently, simply for scan trend analysis on multiple networks / sites without having to deploy a full honeynet. How about something as simple as a Trinux boot disk with LaBrea tar pit running on an empty Internet-connected segment? This would respond to incoming connection requests to any IP address on the local LAN and attempt to either hang on to the connections or reset them politely. The usual snort config would provide useful alerting and logging information, whilst with connection trapping enabled some attackers might be fooled into believing there were actual physical systems and coming back for more detailed scans?
Thanks,

David

At 21:47 07/03/2002 -0700, Kurt Seifried wrote:
> Most honeypots work on the same concept, a system that has no
> production activity. You deploy a box that has no production
> value, any packets going to that box indicate a probe, scan, or
> attack. This helps reduce both false positives and false
> negatives. Examples of such honeypots include BackOfficer Friendly,
> DTK, ManTrap, Specter, and Honeynets.
>
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system? This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.
>
> Of course this does not give you the Data Capture capabilities
> of a honeypot, as there is no system for the attacker to
> interact with. However, this could be used to help detect
> scanning or probing activity.

Better yet, have snort spoof a reply (i.e. pretend that a valid port is there). Then the attacker comes back later for more, giving you more information and wasting more of their time. Then you get a bit of the best of both worlds. I'm sure snort, portsentry or something similar could easily be hacked up to do it. Alternatively, use port redirects on Linux/OpenBSD to redirect stuff for unused networks to a "legit" server that will reply with basic stuff.

> Thoughts?
>
> --
> Lance Spitzner
> http://project.honeynet.org

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.idefense.com/digest.html

---------------------------------------------------------------------
To unsubscribe, e-mail: honeypots-unsubscribe () securityfocus com
For additional commands, e-mail: honeypots-help () securityfocus com
---------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/
--
David Watson          Voice: +44 1904 438000
Technical Manager     Fax:   +44 1904 435450
ioko365               Email: david.watson () ioko365 com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
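The "alert on traffic to addresses that have no system" idea from Lance's quoted message, written out as an added Snort 2 rule fragment (example added here, not posted by anyone in the thread). The 192.0.2.0/24 range, the excluded router/sensor addresses and the sid numbers are placeholders for a site's own values.

```snort
# Added example: alert on TCP SYN or UDP traffic to address space that
# has no host behind it. Because nothing legitimate is destined there,
# a single hit is already interesting, so no packet content is needed.
# 192.0.2.0/24 is a placeholder for the unallocated range; the excluded
# addresses stand for the router, the sensor and the subnet broadcast,
# which do receive legitimate traffic and would otherwise produce noise.
ipvar DARK_NET [192.0.2.0/24,![192.0.2.1,192.0.2.2,192.0.2.255]]

# flags:S,12 matches packets with only SYN set (ignoring the two
# reserved/ECN bits), so replies such as SYN+ACK or RST backscatter
# from spoofed-source floods elsewhere do not fire this rule.
# The threshold collapses a sweep of the whole range into one alert
# per source per minute instead of one per probed address.
alert tcp any any -> $DARK_NET any (msg:"DARKNET TCP SYN to unused address"; \
    flags:S,12; classtype:network-scan; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    sid:1000001; rev:1;)

# UDP has no handshake, so any datagram to dark space counts.
alert udp any any -> $DARK_NET any (msg:"DARKNET UDP to unused address"; \
    classtype:network-scan; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    sid:1000002; rev:1;)
```

These rules only see what reaches the sensor's segment, so the monitored range must actually be routed to it (or the sensor must sit on the empty LAN, as David suggests); with no host to answer, they record the first probe but nothing of what the scanner would have done next.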
Current thread:
- VERY simple 'virtual' honeypot Lance Spitzner (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- Re: VERY simple 'virtual' honeypot David Watson (Mar 08)
- Re: VERY simple 'virtual' honeypot nfudd (Mar 08)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Brian Caswell (Mar 07)
- RE: Re: VERY simple 'virtual' honeypot Chris Grout (Mar 07)
- Re: VERY simple 'virtual' honeypot Ian O'Brien (Mar 07)
- Re: VERY simple 'virtual' honeypot Glenn Forbes Fleming Larratt (Mar 07)
- Re: VERY simple 'virtual' honeypot Jim Forster (Mar 07)
- Re: VERY simple 'virtual' honeypot John Kinsella (Mar 07)
- Re: VERY simple 'virtual' honeypot Gideon Lenkey (Mar 08)
- Re: VERY simple 'virtual' honeypot Kerberus (Mar 08)
- RE: VERY simple 'virtual' honeypot Rick Francis (Mar 08)
(Thread continues...)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)