Snort mailing list archives

Re: VERY simple 'virtual' honeypot


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 08 Mar 2002 10:36:34 -0600

On Thu, 2002-03-07 at 22:34, Lance Spitzner wrote:
However, I was just thinking, why bother deploying the box?
Why not create a list of Snort rules that generate an alert
whenever a TCP/SYN packet or UDP packet is sent to an IP
address that has no system?  This could indicate a probe,
scan or attack, the same principles of a honeypot, but
without deploying an actual system.


Not really a long list. Here is what I use:

block tcp any any -> $UNUSED any (msg:"TCP Port Scan";)
block udp any any -> $UNUSED any (msg:"UDP Port Scan";)
block icmp any any -> $UNUSED any (msg:"ICMP Scan";)

$UNUSED includes all unused IP addresses, defined in snort.conf with
[x.x.x.a,x.x.x.b,x.x.x.c] etc.


Regards,
Frank
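An added illustration, not part of the thread: a small Python simulation of the $UNUSED rules above, run over constructed packet records, showing both Frank's any-packet matching and Lance's SYN-only variant. The addresses, the packet tuples and the helper names are all made up for the example.

```python
# Added example (not from the original thread): simulate the "unused
# address" rules to show what the $UNUSED trick matches. Addresses and
# packet records below are constructed for illustration.
from ipaddress import ip_address

# Unused addresses as they would be listed in snort.conf (constructed).
UNUSED = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

# Mirrors the three rules from the post: protocol -> alert message.
RULES = {"tcp": "TCP Port Scan", "udp": "UDP Port Scan", "icmp": "ICMP Scan"}


def snort_var_line(addrs):
    """Render the snort.conf variable definition, e.g. var UNUSED [a,b,c]."""
    return "var UNUSED [" + ",".join(sorted(addrs, key=ip_address)) + "]"


def match(pkt, syn_only=True):
    """Return the alert message a packet would trigger, or None.

    pkt has keys proto, src, dst and (for tcp) flags. With syn_only=True
    only TCP packets carrying SYN without ACK count, as in Lance's
    proposal; Frank's rules test no flags, so pass syn_only=False to
    reproduce them exactly.
    """
    if pkt["dst"] not in UNUSED:
        return None
    msg = RULES.get(pkt["proto"])
    if msg is None:
        return None
    if pkt["proto"] == "tcp" and syn_only:
        flags = pkt.get("flags", "")
        if "S" not in flags or "A" in flags:
            return None  # e.g. a SYN/ACK is backscatter, not a probe
    return msg


def run(packets, syn_only=True):
    """Evaluate packet records; return (src, dst, msg) for each alert."""
    return [(p["src"], p["dst"], match(p, syn_only))
            for p in packets if match(p, syn_only)]


# Constructed sample traffic: probes to unused addresses plus normal traffic.
SAMPLE = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "flags": "S"},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "flags": "SA"},
    {"proto": "udp", "src": "198.51.100.8", "dst": "192.0.2.11"},
    {"proto": "icmp", "src": "198.51.100.9", "dst": "192.0.2.12"},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.1", "flags": "S"},
]
```

Run with `print(snort_var_line(UNUSED))` and `print(run(SAMPLE))` to see the variable line and the three alerts; `run(SAMPLE, syn_only=False)` also flags the SYN/ACK.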


