Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 08 Mar 2002 22:23:21 -0500
A couple thoughts on the topic... 1) Just watching unused IP/port space with a set of rules is what I usually call "trap rules", rules that trap packets going places they shouldn't be. This is a poor man's honeypot and it's very good at picking up scans, port probes and general noise on the network. It's not all that great at doing the primary thing that honeypots are good at when used in a production role as network intrusion detection auxiliaries that let you gauge the intent of an attacker. The idea for trap rules came from a paper that Marcus Ranum wrote a year or two back about "playing the home field advantage" and using the knowledge of your network that you inherently have as the admin to setup monitoring capabilities that will monitor the dead spaces on a network. 2) For people with money, there's a product out there from a company called ForeScout that does active jamming of scanners. When I talk about active jamming, I'm referring to it in the electronic warfare sense. What ForeScout's product (ActiveScout) does is watch for scanning activity and send out false responses to project false targets back to an attacker performing recon. This works conceptually in the same way that some active radar jammers do, generating false targets at the attacker's workstation and causing havoc with his targeting (i.e. Finding out which targets are real so that you can launch an attack). I found this to be an extremely nifty idea although I don't know how well they've implemented it. It might be entertaining to modify the active response mechanisms in Snort to do something similar... For more info on these topics, search for various rants from me containing keywords like "production honeypot vs. research honeypot", "packet traps" and "no hardware no cry". :) -Marty On 3/7/02 11:34 PM, "Lance Spitzner" <lance () honeynet org> wrote:
Most honeypots work on the same concept, a system that has no production activity. You deploy a box that has no production value, any packets going to that box indicate a probe, scan, or attack. This helps reduce both false positives and false negatives. Exampls of such honeypots include BackOfficer Friendly, DTK, ManTrap, Specter, and Honeynets. However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could incidate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system. Of course this does not give you the Data Capture capabilites of a honeypot, as there is no system for the attacker to interact with. However, this could be used to help detect scanning or probing activity. Thoughts?
-- Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999 Sourcefire: Professional Snort Sensor and Management Console appliances roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: VERY simple 'virtual' honeypot, (continued)
- Re: VERY simple 'virtual' honeypot Jim Forster (Mar 07)
- Re: VERY simple 'virtual' honeypot John Kinsella (Mar 07)
- Re: VERY simple 'virtual' honeypot Gideon Lenkey (Mar 08)
- Re: VERY simple 'virtual' honeypot Kerberus (Mar 08)
- RE: VERY simple 'virtual' honeypot Rick Francis (Mar 08)
- Re: VERY simple 'virtual' honeypot Edward Balas (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot James Hoagland (Mar 08)
- Re: VERY simple 'virtual' honeypot George Bakos (Mar 08)
- Re: VERY simple 'virtual' honeypot Martin Roesch (Mar 08)
- Re: VERY simple 'virtual' honeypot Jason Robertson (Mar 09)
- RE: VERY simple 'virtual' honeypot Ofir Arkin (Mar 09)
- Re: VERY simple 'virtual' honeypot Fyodor (Mar 09)
- RE: VERY simple 'virtual' honeypot Dan Hollis (Mar 09)
- RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 09)
- RE: VERY simple 'virtual' honeypot Ofir Arkin (Mar 09)
- RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 09)
- RE: VERY simple 'virtual' honeypot Earthlink (Mar 09)
- RE: VERY simple 'virtual' honeypot Alex Collins (Mar 08)
- RE: VERY simple 'virtual' honeypot Michael Clark (Mar 08)