Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: Brian Caswell <bmc () mitre org>
Date: Thu, 7 Mar 2002 23:54:50 -0500
On Thu, Mar 07, 2002 at 10:34:16PM -0600, Lance Spitzner wrote:
However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could incidate a probe, scan or attack, the same principles of a honeypot, but without deploying an actual system.
Heck, for those of us with nazi firewalls, those will do just fine. If you use PF [0], you can log all incoming blocked packets and then view them with Snort (with a small patch) or tcpdump. Thats cheaper than wasting an IP, and most people that would run a honeypot already watch their firewall logs. [0] there is probably something like that in linux, but the only thing I use linux for is building RPMs of snort :) -brian _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- VERY simple 'virtual' honeypot Lance Spitzner (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- Re: VERY simple 'virtual' honeypot David Watson (Mar 08)
- Re: VERY simple 'virtual' honeypot nfudd (Mar 08)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Brian Caswell (Mar 07)
- RE: Re: VERY simple 'virtual' honeypot Chris Grout (Mar 07)
- Re: VERY simple 'virtual' honeypot Ian O'Brien (Mar 07)
- Re: VERY simple 'virtual' honeypot Glenn Forbes Fleming Larratt (Mar 07)
- Re: VERY simple 'virtual' honeypot Jim Forster (Mar 07)
- Re: VERY simple 'virtual' honeypot John Kinsella (Mar 07)
- Re: VERY simple 'virtual' honeypot Gideon Lenkey (Mar 08)
- Re: VERY simple 'virtual' honeypot Kerberus (Mar 08)
- RE: VERY simple 'virtual' honeypot Rick Francis (Mar 08)
- Re: VERY simple 'virtual' honeypot Edward Balas (Mar 08)
- Re: VERY simple 'virtual' honeypot Frank Knobbe (Mar 08)
(Thread continues...)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)