Snort mailing list archives

Using an IDS to redirect hostile traffic to a Honeypot


From: "Jack Whitsitt (jofny)" <seclists () violating us>
Date: Sat, 22 Feb 2003 21:33:40 -0500 (EST)

All:

For a few months I've been looking for a more interesting way to make an
IDS interactive than just dropping route or resetting sessions. What
we've come up with is some code for linux that will, in combination with
snort, actively redirect traffic from hostile source IPs to a honeypot.

Using this system, you can set up a production server and a honeypot -
both with the same IP (and potentially the same MAC) address - behind a
gateway box and let snort decide which machine the traffic goes to.

Files and information can be found at:

http://violating.us/projects/baitnswitch/

or

http://baitnswitch.sourceforge.net


There are certain things I need to point out:

1. B&S does not mirror session state right now. There are important
non-technical reasons for *not* doing so, but we're looking into
resolving them over the next few months.
2. Your snort ruleset on the gateway/routing box needs to be very
specific and very toned down. It's not meant to be your primary IDS and
it's not meant to replace a good firewall. It is an *additional* layer
of network security. In recent emails I've seen talk about honeytokens.
This would be a very good way to react to seeing those tokens pass
through your system. You should never see xxxx.doc or "root" pass
through your traffic? Redirect the source IP to your honeypot.

3. This is for information that people are going to make repeated
attempts against. This is not good for your scan-the-world kids. However,
since it does drop all sessions from the hostile source IP, you're not
worse off than you are if you're just dropping route. In fact, you
can potentially gain more information about the intruder if they choose
to return - they'll be going to your honeypot now.

4. The code is listed as beta, but that is mostly due to configuration
and interface features I'd like to add in the short-term. The code works
with no known bugs as-is, although we're going to harden the code in the
next releases.

Those things said, hopefully this system will be useful to some people or
(at the very least) provide some interesting suggestions as to how IDS's
and Honeypot technology can be combined.

Have a good day -

Jack Whitsitt (jofny)
(I apologize if this got sent twice. I just found a small bug in the
webmail software I use)
-------------------------------------------
xaphan () violating us | electr0n () violating us

Violating Networks
http://www.violating.us
-------------------------------------------
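The gateway decision logic the post describes (one IP shared by a production host and a honeypot, Snort alerts flagging a source, existing flows from that source torn down because session state is not mirrored, and honeytokens seen in traffic triggering the same redirect) can be modelled in a few dozen lines. The following is an added illustration written for this archive page; it is not code from the Bait and Switch project. It simulates the policy in user space rather than touching routing tables, and everything in it is constructed: the class and method names, the Snort fast-format alert line, the IP addresses (all from documentation ranges) and the honeytoken filename.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Tail of a Snort "fast" alert line (snort -A fast): "{PROTO} src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

# Constructed sample alert; the SID and message are placeholders, not real rules.
SAMPLE_ALERT = (
    "02/22-21:33:40.123456  [**] [1:1000001:0] CONSTRUCTED probe on gateway [**] "
    "[Priority: 2] {TCP} 192.0.2.10:40000 -> 198.51.100.5:80"
)

PRODUCTION = "production"
HONEYPOT = "honeypot"
DROP = "drop"


@dataclass
class BaitAndSwitchGateway:
    """Policy for a gateway fronting a production host and a honeypot that share
    one IP. The physical destination of a flow depends only on whether the
    flow's source IP has been flagged hostile (assumed design, not B&S's code)."""
    honeytokens: tuple = ()                       # byte strings that must never transit
    hostile: set = field(default_factory=set)     # flagged source IPs
    # live flows keyed by (src, sport, dst, dport) -> host currently serving them
    sessions: dict = field(default_factory=dict)

    def mark_hostile(self, src: str) -> str:
        self.hostile.add(src)
        # No session-state mirroring: flows already in progress from this source
        # are torn down instead of being handed over mid-stream.
        for key in [k for k in self.sessions if k[0] == src]:
            del self.sessions[key]
        return src

    def on_alert(self, alert_line: str) -> Optional[str]:
        """Flag the source IP of a Snort fast alert; ignore lines that don't parse."""
        m = ALERT_RE.search(alert_line)
        if not m:
            return None
        return self.mark_hostile(m.group("src"))

    def inspect_payload(self, src: str, payload: bytes) -> Optional[bytes]:
        """Honeytoken check: if a planted token shows up on the wire, the source
        that carried it is treated exactly like an IDS hit."""
        hit = next((t for t in self.honeytokens if t in payload), None)
        if hit is not None:
            self.mark_hostile(src)
        return hit

    def route(self, src: str, sport: int, dst: str, dport: int, syn: bool) -> str:
        """Return which host a packet is forwarded to, or DROP."""
        key = (src, sport, dst, dport)
        if key in self.sessions:
            return self.sessions[key]          # established flow keeps its host
        if not syn:
            return DROP                        # mid-stream packet of a torn-down/unknown flow
        target = HONEYPOT if src in self.hostile else PRODUCTION
        self.sessions[key] = target            # new flow: decided once, at the SYN
        return target


def demo() -> list:
    """Walk through one attacker-turned-hostile scenario; returns the decisions."""
    gw = BaitAndSwitchGateway(honeytokens=(b"payroll-2003.doc",))
    out = [gw.route("192.0.2.10", 40000, "198.51.100.5", 80, syn=True)]   # production
    gw.on_alert(SAMPLE_ALERT)                                              # Snort flags 192.0.2.10
    out.append(gw.route("192.0.2.10", 40000, "198.51.100.5", 80, syn=False))  # drop (flow torn down)
    out.append(gw.route("192.0.2.10", 40001, "198.51.100.5", 80, syn=True))   # honeypot (return visit)
    return out
```

The point the simulation makes explicit is the trade-off in item 3 of the post: the flagged source loses its current connection (the old four-tuple is forgotten, so its next packet is dropped), while a fresh connection from the same source lands on the honeypot. The honeytoken path reuses the same flagging step, which matches the suggestion in item 2 of reacting to a planted token the same way as to a signature hit.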
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users