Snort mailing list archives

RE: VERY simple 'virtual' honeypot

From: Ryan Russell <ryan () securityfocus com>
Date: Sat, 9 Mar 2002 12:40:08 -0700 (MST)

On Sat, 9 Mar 2002, Ofir Arkin wrote:

You get to pull the attack of the wire only if they complete it...


True.

If they will not get the right response no attack will be performed.


Only if a response is required.  You certainly won't get everything, but
you can get a lot by simply completing a TCP handshake.  Most of the
exploits and malicious code out there are not very careful.  Few coders
bother to have their code check for appropriate responses.  Code Blue is
one of the few worms I've seen that bothers to check what brand web server
it has found, for example.

If the aim is to generate responses than you need to have a real
intelligence engine to produce them in a way the engine itself will not
get fingerprinted.


The more you can simulate, the more you will catch.  Some of the people I
work with developed a product called CyberCop Sting a while ago.  It does
things like emulate different OSes, applications, etc..  supposedly, it
would even emulate the IP stack well enough that the OS fingerprinting
would work.  (At least for nmap, we'd have to have you try ICMP, eh?)

Sadly, NAI seems to have dropped it.  Maybe they will free it some day.
Anwyay, that's the kind of tool I'd ultimately like to see for this
purpose.

Also, it is more interesting, in my opinion, to simulate real world
production environment style to Honeynets rather than a virtual one with
less functionality.


Again, I think this speaks to the multiple purposes for honeypots.  For
some people, profiling baseline attack traffic may be more important, and
actually making a hacker busybox may be counterproductive.  Not that I
don't agree that it would probably be more interesting, it's just not
always the ultimate goal.

                                        Ryan


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: VERY simple 'virtual' honeypot, (continued)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot James Hoagland (Mar 08)
- Re: VERY simple 'virtual' honeypot George Bakos (Mar 08)
- Re: VERY simple 'virtual' honeypot Martin Roesch (Mar 08)
  - Re: VERY simple 'virtual' honeypot Jason Robertson (Mar 09)
- RE: VERY simple 'virtual' honeypot Ofir Arkin (Mar 09)
  - Re: VERY simple 'virtual' honeypot Fyodor (Mar 09)
  - RE: VERY simple 'virtual' honeypot Dan Hollis (Mar 09)
  - RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 09)
    - RE: VERY simple 'virtual' honeypot Ofir Arkin (Mar 09)
    - RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 09)
    - RE: VERY simple 'virtual' honeypot Earthlink (Mar 09)
- RE: VERY simple 'virtual' honeypot Alex Collins (Mar 08)
  - RE: VERY simple 'virtual' honeypot Michael Clark (Mar 08)
  - Re: RE: VERY simple 'virtual' honeypot Ashley Thomas (Mar 08)
    - Re: RE: VERY simple 'virtual' honeypot Ryan Russell (Mar 08)
    - Re: RE: VERY simple 'virtual' honeypot Ashley Thomas (Mar 08)
- RE: VERY simple 'virtual' honeypot Sawyer, John H. (Mar 08)
  - Re: RE: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
- Re: VERY simple 'virtual' honeypot Marcus J. Ranum (Mar 08)
  - Re: VERY simple 'virtual' honeypot Rob Thomas (Mar 08)

(Thread continues...)