Snort mailing list archives

Re: VERY simple 'virtual' honeypot

From: Rob Thomas <robt () cymru com>
Date: Fri, 8 Mar 2002 10:00:40 -0600 (CST)

Hi, Marcus.

] For that matter, couldn't you _almost_ put something like that together
] using filtering rules in a router?  Syslog 'em off the router and process 'em
] on a backend system.

Be a bit cautious here.  During a surfeit of these naughty packets, the
logging activity on the router may lead to a home-brew DoS.  :/  If one
attempts to punt the syslog messages, or uses keywords such as "log" or
"log-input", the CPU can become overwhelmed quite quickly.  How this
affects the stability of the router is largely dependent on the router
model.  However, there is another, somewhat less dangerous, way.  :)

If you are running NetFlow on the router, you could export the flows to
a remote host.  This isn't quite as painful as punting off syslog
messages (again, depends on your gear) based on logging ACLs.  With
NetFlow you will have all of the flow information:  source/dest IP,
source/dest port, protocol, and number of packets.  This is how I track
a lot of naughty packets, without letting them ever penetrate my border.
It is sufficient to determine the scan du jour and it can be run in both
directions.  By watching your outbound flows you can quickly determine
which hosts have been compromised by the latest sploit, e.g. "why is my
server farm sending out copious UDP 137 packets?"

You do not have to export the flows.  I run NetFlow on several routers
where exporting the flows just isn't reasonable (for myriad reasons).
If, however, I receive a call that there is a rumpus, I can log into the
router and run a sh ip cac flo to quickly determine the whats, wheres,
and whys.  It can be very handy during DoS attacks.  See below:

http://www.cymru.com/~robt/Docs/Articles/dos-and-vip.html
http://www.cymru.com/~robt/Docs/Articles/tracking-spoofed.html

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

RE: VERY simple 'virtual' honeypot, (continued)
- - - RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 09)
    - RE: VERY simple 'virtual' honeypot Earthlink (Mar 09)
- RE: VERY simple 'virtual' honeypot Alex Collins (Mar 08)
  - RE: VERY simple 'virtual' honeypot Michael Clark (Mar 08)
  - Re: RE: VERY simple 'virtual' honeypot Ashley Thomas (Mar 08)
    - Re: RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 08)
    - Re: RE: VERY simple 'virtual' honeypot Ashley Thomas (Mar 08)
- RE: VERY simple 'virtual' honeypot Sawyer, John H. (Mar 08)
  - Re: RE: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot Marcus J. Ranum (Mar 08)
  - Re: VERY simple 'virtual' honeypot Rob Thomas (Mar 08)
- Re: VERY simple 'virtual' honeypot Dug Song (Mar 08)
- RE: VERY simple 'virtual' honeypot Williams Jon (Mar 08)
- Re: RE: VERY simple 'virtual' honeypot Davis Ray Sickmon, Jr (Mar 08)
- re: VERY simple 'virtual' honeypot Wynn Fenwick (Mar 09)