Snort mailing list archives
RE: VERY simple 'virtual' honeypot
From: "Ofir Arkin" <ofir () sys-security com>
Date: Sat, 9 Mar 2002 12:51:43 -0000
Lance,

In my opinion it will be missing the main point of a Honeynet. We all know that we can cut the foreplay pretty fast (scanning, probing) and hit the site with an exploit even without the scanning attempt (read this in the context :P). But then what? Exploit fails, not much information gained, and we miss the funny part.

Just my thoughts.

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Lance Spitzner
Sent: 08 March 2002 04:34
To: Snort-Users (E-mail); honeypots () securityfocus com
Subject: [Snort-users] VERY simple 'virtual' honeypot

Most honeypots work on the same concept, a system that has no production activity. You deploy a box that has no production value; any packets going to that box indicate a probe, scan, or attack. This helps reduce both false positives and false negatives. Examples of such honeypots include BackOfficer Friendly, DTK, ManTrap, Specter, and Honeynets.

However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could indicate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system.

Of course this does not give you the Data Capture capabilities of a honeypot, as there is no system for the attacker to interact with. However, this could be used to help detect scanning or probing activity.

Thoughts?

--
Lance Spitzner
http://project.honeynet.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
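Lance's proposal written out as a Snort rule set, as an added example that is not from the thread (it uses Snort 2.x syntax, which postdates this 2002 discussion); the HOME_NET and UNUSED_NET address values are constructed placeholders:

```snort
# Added example, not from the thread. Snort 2.x syntax.
# UNUSED_NET holds addresses inside HOME_NET with no host assigned
# (constructed placeholder values; substitute your own unallocated space).
# Leave network and broadcast addresses out of the list, otherwise normal
# broadcast traffic trips the UDP rule.
ipvar HOME_NET   192.0.2.0/24
ipvar UNUSED_NET [192.0.2.64/27,192.0.2.200,192.0.2.201]

# Sensor placement matters: a host on the same segment ARPs for the
# destination first and, getting no reply, never sends the IP packet.
# Monitor the upstream side of the router that fronts this address space,
# where the packet is still on the wire before the router's ARP fails.

# TCP: alert only on a bare SYN (",12" ignores the ECN reserved bits).
# Requiring S without A keeps SYN/ACK backscatter from spoofed-source
# floods elsewhere on the Internet out of the alerts.
alert tcp any any -> $UNUSED_NET any ( \
    msg:"VIRTUAL-HONEYPOT TCP SYN to unallocated address"; \
    flags:S,12; flow:stateless; \
    classtype:network-scan; sid:1000001; rev:1; )

# UDP: any datagram to an unallocated address is unsolicited.
alert udp any any -> $UNUSED_NET any ( \
    msg:"VIRTUAL-HONEYPOT UDP datagram to unallocated address"; \
    classtype:network-scan; sid:1000002; rev:1; )

# A sweep of the range would otherwise raise one alert per address.
# Limit to one alert per source per minute; the packets themselves are
# still written out if packet logging is enabled.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60
```

Expect some legitimate noise (misconfigured clients, stale DNS records, scanners you run yourself); the source address in the alert is what separates those from an external sweep.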