Snort mailing list archives

RE: VERY simple 'virtual' honeypot


From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Fri, 8 Mar 2002 11:09:08 -0600

Ah.  Here's a Snort performance warning.  It turns out that using the
[x.x.x.x/24,y.y.y.y/24] notation in snort is a real performance hog.  I ran
a test where I used tcpdump to capture 20 minutes of our production traffic
and then had snort read in that file.  When I used the [...] construct, it
took 113 minutes to process all 11,999,547 packets, but when I broke out
each net as follows:
   var HOME_NET 1.1.1.1/24
   var EXTERNAL !$HOME_NET
   include rules.conf
   var HOME_NET 2.2.2.2/24
   var EXTERNAL !$HOME_NET
   include rules.conf
   ...
   var HOME_NET x.x.x.x/24
it only took 32 minutes.  Basically, it took less time to process 7797 rules
in 1029 chain headers than it did to process 887 rules in 805 chain headers.

Jon
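As an added illustration (not code from this thread), the script below computes the unused addresses of a subnet, renders the $UNUSED variable and the three unused-address rules with the standard alert action, emits Jon's per-net HOME_NET layout, and applies the same "traffic to an address that has no system" logic to a few flow records. The network, the allocated hosts and the flow records are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample: a /28 in which only four hosts are actually in use.
NETWORK = "192.0.2.0/28"
ALLOCATED = {"192.0.2.1", "192.0.2.5", "192.0.2.9", "192.0.2.14"}

def unused_addresses(network, allocated):
    """Host addresses in `network` that are not allocated, in address order."""
    net = ipaddress.ip_network(network)
    return [str(h) for h in net.hosts() if str(h) not in allocated]

def snort_unused_var(addrs):
    """Render $UNUSED in the [a,b,c] list notation used in the thread."""
    return "var UNUSED [" + ",".join(addrs) + "]"

def snort_honeypot_rules():
    """The three unused-address rules, with alert as the action and flags:S
    on the TCP rule so only SYNs (not stray ACKs) count as probes."""
    return [
        'alert tcp any any -> $UNUSED any (msg:"TCP Port Scan"; flags:S;)',
        'alert udp any any -> $UNUSED any (msg:"UDP Port Scan";)',
        'alert icmp any any -> $UNUSED any (msg:"ICMP Scan";)',
    ]

def per_net_config(nets, rules_file="rules.conf"):
    """Jon's faster layout: one HOME_NET per net, re-including the rules each time."""
    lines = []
    for n in nets:
        lines += [f"var HOME_NET {n}", "var EXTERNAL !$HOME_NET", f"include {rules_file}"]
    return "\n".join(lines)

# Constructed flow records: (protocol, source, destination, TCP flags).
SAMPLE = [
    ("tcp", "198.51.100.7", "192.0.2.1", "S"),   # real host: ordinary connection
    ("tcp", "198.51.100.7", "192.0.2.2", "S"),   # unused address: probe
    ("tcp", "198.51.100.7", "192.0.2.3", "S"),   # unused address: probe
    ("udp", "198.51.100.9", "192.0.2.6", ""),    # unused address: UDP probe
    ("icmp", "203.0.113.4", "192.0.2.13", ""),   # unused address: ping sweep
    ("tcp", "198.51.100.7", "192.0.2.2", "A"),   # bare ACK: not matched by flags:S
]

def detect(records, unused):
    """Count, per source, packets sent to addresses that have no system."""
    unused_set = set(unused)
    hits = Counter()
    for proto, src, dst, flags in records:
        if dst not in unused_set or (proto == "tcp" and flags != "S"):
            continue
        hits[src] += 1
    return hits
```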

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Friday, March 08, 2002 10:37 AM
To: Lance Spitzner
Cc: Snort-Users (E-mail); honeypots () securityfocus com
Subject: Re: [Snort-users] VERY simple 'virtual' honeypot


On Thu, 2002-03-07 at 22:34, Lance Spitzner wrote:
However, I was just thinking, why bother deploying the box?
Why not create a list of Snort rules that generate an alert
whenever a TCP/SYN packet or UDP packet is sent to an IP
address that has no system?  This could indicate a probe,
scan or attack, the same principles of a honeypot, but
without deploying an actual system.


Not really a long list. Here is what I use:

block tcp any any -> $UNUSED any (msg:"TCP Port Scan";)
block udp any any -> $UNUSED any (msg:"UDP Port Scan";)
block icmp any any -> $UNUSED any (msg:"ICMP Scan";)

$UNUSED includes all unused IP addresses, defined in snort.conf with
[x.x.x.a,x.x.x.b,x.x.x.c] etc.


Regards,
Frank



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users