Snort mailing list archives

Re: VERY simple 'virtual' honeypot


From: Fyodor <fygrave () tigerteam net>
Date: Sat, 9 Mar 2002 19:54:18 +0700

Ofir Arkin <ofir () sys-security com> spoke:
Lance, 

In my opinion it will be missing the main point of a Honeynet.

We all know that we can cut the foreplay pretty fast (scanning, probing)
and hit the site with an exploit even without the scanning attempt (read
this in the context :P). But then what? Exploit fails, not much
information gained, and we miss the funny part.

address that has no system?  This could indicate a probe,
scan or attack, the same principles of a honeypot, but
without deploying an actual system.


No, you actually would miss the most interesting part here: aside from
knowing what is being scanned for, we usually also want to know which
vulnerabilities are being exploited. This you get by
reverse-engineering the byte stream off the wire when an attack took
place. If you don't have any system/service running, you won't see the
interesting part :-) (very few kids in the wild would run their warez
on IP addresses which they aren't even sure are up ;-)),
and even if they do, a smart TCP/IP stack implementation won't start
sending data stream, unless an ack has been received ;-))

What could be an option here is to 'emulate' a tcp/ip stack on the wire,
by sniffing requests to non-existent IP addresses, and spoofing
responses. This would be a kick-ass pot since no matter whichever IP
address you'd try to hit, or whichever service, you'd always get a
response back :-) (add some random packet 'drops' here, so 'all host/all
ports' picture wouldn't look that suspicious ;-))


just my B.02 worth comments ;-)

-Fyodor
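The "emulate a TCP/IP stack on the wire" idea from the message above, as an added example that is not code from this thread or from Snort: it parses a sniffed IPv4 SYN, answers with a spoofed SYN-ACK only when the target sits in a constructed unused block (DARK_SPACE is an assumption), and applies the random "drops" Fyodor suggests. Capturing frames and injecting the reply (libpcap, raw sockets) is assumed to happen outside this code; build_syn only constructs the sample probe.

```python
import ipaddress
import random
import struct

# Constructed example: a block routed to the sensor that contains no real hosts.
DARK_SPACE = ipaddress.ip_network("10.9.0.0/24")

def checksum(data: bytes) -> int:
    """Ones-complement sum of 16-bit words (RFC 1071), used for both IP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_syn(frame: bytes):
    """Return (src, dst, sport, dport, seq) for an option-less IPv4 TCP SYN, else None."""
    if len(frame) < 34 or frame[0] != 0x45 or frame[9] != 6:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", frame[20:34])
    if off_flags & 0x3F != 0x02:          # SYN alone: no ACK, RST, FIN, ...
        return None
    return frame[12:16], frame[16:20], sport, dport, seq

def build_syn_ack(src, dst, sport, dport, seq, isn=0x1000):
    """Forge a SYN-ACK from the unused address so the prober proceeds to send its payload."""
    tcp = struct.pack("!HHIIHHHH", dport, sport, isn, seq + 1, 0x5012, 8192, 0, 0)
    pseudo = dst + src + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, dst, src)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp

def respond(frame: bytes, drop_rate=0.0, rng=random):
    """What the virtual honeypot sends back for one sniffed frame: a spoofed SYN-ACK or nothing."""
    parsed = parse_syn(frame)
    if parsed is None:
        return None
    src, dst, sport, dport, seq = parsed
    if ipaddress.ip_address(dst) not in DARK_SPACE:
        return None        # a real host lives there; let its own stack answer
    if rng.random() < drop_rate:
        return None        # random "drop" so the all-hosts/all-ports picture is less obvious
    return build_syn_ack(src, dst, sport, dport, seq)

def build_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Constructed probe for the demo (checksums left zero; parse_syn does not verify them)."""
    s, d = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, s, d)
    return ip + struct.pack("!HHIIHHHH", sport, dport, seq, 0, 0x5002, 65535, 0, 0)
```

The payload that follows the forged handshake is what the thread says you actually want to capture; the responder above only gets the attacker to send it.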

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net