Re: VERY simple 'virtual' honeypot

["Kurt Seifried" <bugtraq () seifried org>]

> Most honeypots work on the same concept, a system that has no
> production activity.  You deploy a box that has no production
> value, any packets going to that box indicate a probe, scan, or
> attack.  This helps reduce both false positives and false
> negatives.  Exampls of such honeypots include BackOfficer Friendly,
> DTK, ManTrap, Specter, and Honeynets.
>
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could incidate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.
>
> Of course this does not give you the Data Capture capabilites
> of a honeypot, as there is no system for the attacker to
> interact with.  However, this could be used to help detect
> scanning or probing activity.

Better yet have snort spoof a reply (i.e. pretend that a valid port is
there). Then the attacker comes back later for more giving you more
information and wasting more of their time. Then you get a bit of the best
of both worlds. I'm sure snort, portsentry or something similar could easily
be hacked up to do it. Alternative use port redirects on Linux/OpenBSD to
redirect stuff for unused networks to a "legit" server that will reply with
basic stuff.

> Thoughts?
>
> --
> Lance Spitzner
> http://project.honeynet.org



Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.idefense.com/digest.html



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users