Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: Fyodor <fygrave () tigerteam net>
Date: Sat, 9 Mar 2002 19:54:18 +0700
Ofir Arkin <ofir () sys-security com> spoke:
Lance, In my opinion it will be missing the main point of a Honeynet. We all know that we can cut the foreplay pretty fast (scanning, probing) and hit the site with an exploit even without the scanning attempt (read this in the context :P). But then what? Exploit fails, not much information gained, and we miss the funny part.

address that has no system? This could indicate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system.
No, you actually would miss the most interesting part here: aside from knowing what is being scanned for, we usually also want to know which vulnerabilities are being exploited. This you get by reverse-engineering the byte stream off the wire when an attack took place. If you don't have any system/service running, you won't see the interesting part :-) (very few kids in the wild would run their warez on IP addresses which they are even unsure whether these are up ;-)), and even if they do, a smart TCP/IP stack implementation won't start sending a data stream unless an ack has been received ;-))

What could be an option here is to 'emulate' a TCP/IP stack on the wire, by sniffing requests to non-existent IP addresses and spoofing responses. This would be a kick-ass pot since no matter whichever IP address you'd try to hit, or whichever service, you'd always get a response back :-) (add some random packet 'drops' here, so the 'all hosts/all ports' picture wouldn't look that suspicious ;-))

just my B.02 worth comments ;-)

-Fyodor

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
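To make the 'emulated stack' idea concrete, here is an added example (written for this archive page, not code from the thread or from any honeypot project) of a responder that answers SYNs aimed at unused addresses, completes the three-way handshake, records the data the client sends afterwards, and randomly leaves some SYNs unanswered. It assumes packets have already been sniffed and parsed into the small `Pkt` record below; the addresses and the HTTP request in `demo()` are constructed sample values from the RFC 5737 documentation ranges.

```python
import random
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # subset of "SAPF": "S" = SYN, "SA" = SYN-ACK, "PA" = PSH+ACK
    seq: int
    ack: int = 0
    payload: bytes = b""

class VirtualStack:
    """Emulated TCP stack for IP addresses with no real host behind them: any SYN
    to a dark address gets a SYN-ACK, and the data the client sends after the
    handshake is recorded. drop_rate leaves some SYNs unanswered on purpose."""
    def __init__(self, dark_ips, drop_rate=0.0, seed=0):
        self.dark_ips = set(dark_ips)
        self.drop_rate = drop_rate
        self.rng = random.Random(seed)   # seeded so a run is reproducible
        self.conns = {}      # (src, sport, dst, dport) -> our initial seq number
        self.captured = []   # (src, dst, dport, payload) kept for later analysis

    def handle(self, p):
        if p.dst not in self.dark_ips:
            return None                  # a real host owns this IP; stay out of it
        key = (p.src, p.sport, p.dst, p.dport)
        if "S" in p.flags and "A" not in p.flags:          # bare SYN: 'open' the port
            if self.rng.random() < self.drop_rate:
                return None              # simulated packet loss
            isn = self.rng.getrandbits(32)
            self.conns[key] = isn
            return Pkt(p.dst, p.dport, p.src, p.sport, "SA", isn, p.seq + 1)
        if key in self.conns and "A" in p.flags and p.payload:
            isn = self.conns[key]
            if p.ack != isn + 1:
                return None              # sender never saw our SYN-ACK: ignore it
            self.captured.append((p.src, p.dst, p.dport, p.payload))
            return Pkt(p.dst, p.dport, p.src, p.sport, "A", isn + 1, p.seq + len(p.payload))
        return None

def demo():
    vs = VirtualStack(dark_ips={"192.0.2.50"})   # constructed: one unused address
    synack = vs.handle(Pkt("198.51.100.7", 40000, "192.0.2.50", 80, "S", seq=1000))
    vs.handle(Pkt("198.51.100.7", 40000, "192.0.2.50", 80, "PA", seq=1001,
                  ack=synack.seq + 1, payload=b"GET / HTTP/1.0\r\n\r\n"))
    return vs.captured
```

Only the first data segment of each connection is acknowledged here; a real deployment would have to track sequence numbers across segments and time out half-open entries in `conns`.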