Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 08 Mar 2002 10:36:34 -0600
On Thu, 2002-03-07 at 22:34, Lance Spitzner wrote:
> However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could indicate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system.
Not really a long list. Here is what I use:

block tcp any any -> $UNUSED any (msg:"TCP Port Scan";)
block udp any any -> $UNUSED any (msg:"UDP Port Scan";)
block icmp any any -> $UNUSED any (msg:"ICMP Scan";)

$UNUSED includes all unused IP addresses, defined in snort.conf with [x.x.x.a,x.x.x.b,x.x.x.c] etc.

Regards,
Frank
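Added example, not part of the original message and not Snort code: the same unused-address check applied offline to flow records, grouped by source so a sweep across several unused addresses shows up as one entry. The subnet, the in-use hosts, the record format and the sample records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed values: a documentation-range subnet and the hosts that really exist.
SUBNET = ipaddress.ip_network("192.0.2.0/28")
IN_USE = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.2", "192.0.2.5")}
# Alert text per protocol, taken from the msg fields of the rules in the post.
MSGS = {"tcp": "TCP Port Scan", "udp": "UDP Port Scan", "icmp": "ICMP Scan"}

# Constructed records in a hypothetical format: proto src dst dport [tcp-flags]
SAMPLE_LOG = """\
tcp 198.51.100.7 192.0.2.3 22 S
tcp 198.51.100.7 192.0.2.4 22 S
tcp 198.51.100.7 192.0.2.5 22 S
udp 203.0.113.9 192.0.2.9 161
icmp 203.0.113.9 192.0.2.9 0
tcp 203.0.113.50 192.0.2.6 80 SA
"""

def unused_addresses(subnet=SUBNET, in_use=IN_USE):
    """Every host address in the subnet that has no system behind it ($UNUSED)."""
    return {host for host in subnet.hosts() if host not in in_use}

def dark_hits(log_text, unused, syn_only=True):
    """Group traffic sent to unused addresses by source address.

    syn_only=True counts TCP only when the flags are a bare SYN, as in the
    quoted proposal; syn_only=False counts any TCP packet, as the posted rules do.
    """
    hits = defaultdict(lambda: {"targets": set(), "alerts": set(), "events": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].lower() not in MSGS:
            continue  # skip blank or unrecognised records
        proto, src, dst = fields[0].lower(), fields[1], ipaddress.ip_address(fields[2])
        flags = fields[4] if len(fields) > 4 else ""
        if dst not in unused:
            continue  # destination is a real host: not honeypot traffic
        if proto == "tcp" and syn_only and flags != "S":
            continue  # e.g. a SYN/ACK reply rather than a connection attempt
        entry = hits[src]
        entry["targets"].add(str(dst))
        entry["alerts"].add(MSGS[proto])
        entry["events"] += 1
    return {src: {"targets": sorted(e["targets"]), "alerts": sorted(e["alerts"]),
                  "events": e["events"]} for src, e in hits.items()}

if __name__ == "__main__":
    for src, info in sorted(dark_hits(SAMPLE_LOG, unused_addresses()).items()):
        print(src, info)
```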