Snort mailing list archives

Re: RE: VERY simple 'virtual' honeypot


From: Ashley Thomas <athomas () unity ncsu edu>
Date: Fri, 8 Mar 2002 14:19:32 -0500 (EST)


Do you think it is a good idea for an IDS to send out packets
(the fake packets)
I would think that it is best if the IDS remains in the stealth mode
without doing anything "active"

Please correct me if I am wrong.

-ashley


On Fri, 8 Mar 2002, Alex Collins wrote:

Of course this does not give you the Data Capture capabilities
of a honeypot, as there is no system for the attacker to
interact with.  However, this could be used to help detect
scanning or probing activity.

Better yet, have snort spoof a reply (i.e. pretend that a valid port is
there). Then the attacker comes back later for more, giving you more
information and wasting more of their time. Then you get a bit of the best
of both worlds. I'm sure snort, portsentry or something similar could easily
be hacked up to do it. Alternatively, use port redirects on Linux/OpenBSD to
redirect stuff for unused networks to a "legit" server that will reply with
basic stuff.

If you could craft a "reply" routine for snort, that could be actioned over
a combination of packets, you could then define a range of actions that
would be useful both from the perspective of a "responsive" IDS (e.g. TCP
resets) and as a honeypot (e.g. acknowledge packets, send back banners)
logging further packets that are received.

If this was easily customisable, you could gain information for a wide range
of systems & services, without needing to have legit honeypots for these.

Alex Collins


****************************************************************************
The information contained in this email is intended only for the
use of the intended recipient at the email address to which it
has been addressed. If the reader of this message is not an
intended recipient, you are hereby notified that you have received
this document in error and that any review, dissemination or
copying of the message or associated attachments is strictly
prohibited.

If you have received this email in error, please contact the sender
by return email or call 01793 877777 and ask for the sender and
then delete it immediately from your system.

Please note that neither Innogy nor the sender accepts any
responsibility for viruses and it is your responsibility to scan
attachments (if any).
*****************************************************************************
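The "redirect unused address space to a server that replies with basic stuff" option above, as an added example that is not part of the original thread and not Snort's own code: a low-interaction TCP responder that sends a canned banner, records whatever the peer sends (with a size cap and a timeout so a flood or a slow prober cannot exhaust it), and closes. It assumes some redirect rule (pf rdr, iptables REDIRECT, or similar) delivers connections to the listener; the banner strings, port numbers, the `FakeService`/`send_probe` names and the log format are all constructed for this illustration. The responder is a separate process that can live on a separate address, so the passive sniffing interface of the sensor itself never transmits.

```python
# Added example: banner-spoofing responder behind a port redirect (constructed).
import socket
import threading
import time
from dataclasses import dataclass

# Constructed banners keyed by the port the prober believes it reached.
BANNERS = {
    21: b"220 ftp.example.invalid FTP server ready\r\n",
    22: b"SSH-2.0-OpenSSH_3.4p1\r\n",
    25: b"220 mail.example.invalid ESMTP\r\n",
}


@dataclass
class Probe:
    """One recorded connection: who came, what we claimed to be, what they sent."""
    ts: float
    src_ip: str
    src_port: int
    service_port: int
    banner: bytes
    data: bytes


def log_line(p: Probe) -> str:
    """Single-line record suitable for a syslog-style file."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(p.ts))
    return (f"{stamp} src={p.src_ip}:{p.src_port} fake_port={p.service_port} "
            f"banner={p.banner!r} data={p.data!r}")


class FakeService:
    """Answers every connection with a canned banner and logs the probe.
    `service_port` is the port the redirect maps here (what the attacker thinks
    is open); `port` is where we actually bind (0 = pick a free one)."""

    def __init__(self, host="127.0.0.1", port=0, service_port=None,
                 max_bytes=512, timeout=2.0):
        self._lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._lsock.bind((host, port))
        self._lsock.listen(16)
        self._lsock.settimeout(0.2)          # lets the accept loop notice stop()
        self.host, self.port = self._lsock.getsockname()
        self.service_port = self.port if service_port is None else service_port
        self.max_bytes = max_bytes           # per-probe cap: a flood cannot fill memory
        self.timeout = timeout               # a slow prober cannot pin a worker forever
        self.probes = []
        self._lock = threading.Lock()
        self._workers = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(2)
        self._lsock.close()
        for w in list(self._workers):
            w.join(self.timeout + 1)

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._lsock.accept()
            except socket.timeout:
                continue
            except OSError:                 # listener closed
                break
            w = threading.Thread(target=self._handle, args=(conn, addr), daemon=True)
            self._workers.append(w)
            w.start()

    def _handle(self, conn, addr):
        banner = BANNERS.get(self.service_port, b"")
        chunks, total = [], 0
        try:
            conn.settimeout(self.timeout)
            if banner:
                conn.sendall(banner)        # the spoofed "valid port is here" reply
            while total < self.max_bytes:   # read until close, cap or timeout
                chunk = conn.recv(self.max_bytes - total)
                if not chunk:
                    break
                chunks.append(chunk)
                total += len(chunk)
        except OSError:                     # timeout or reset: keep what we have
            pass
        finally:
            conn.close()
        probe = Probe(time.time(), addr[0], addr[1], self.service_port, banner, b"".join(chunks))
        with self._lock:
            self.probes.append(probe)


def send_probe(host, port, payload, timeout=2.0):
    """Client side of the exchange: read one banner line, send a payload, close."""
    banner = b""
    with socket.create_connection((host, port), timeout=timeout) as c:
        try:
            while not banner.endswith(b"\n"):
                chunk = c.recv(1024)
                if not chunk:
                    break
                banner += chunk
        except socket.timeout:
            pass                            # port with no banner: nothing to read
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    svc = FakeService(service_port=22).start()
    send_probe(svc.host, svc.port, b"SSH-2.0-scanner_0.1\r\n")
    svc.stop()
    for p in svc.probes:
        print(log_line(p))
```

Run it as-is to see one self-probe logged; in use you would bind on the redirect target address and leave `port` equal to `service_port` for each service you want to fake. Because the state it keeps per connection is bounded by `max_bytes` and `timeout`, a scanner that hits the whole unused range only costs a short-lived thread per hit, which is the price of getting its follow-up traffic.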


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


