Snort mailing list archives
RE: VERY simple 'virtual' honeypot
From: "Thomas Porter, Ph.D." <tporter () dtool com>
Date: Fri, 8 Mar 2002 00:12:03 -0500
Doesn't LaBrea work on this principle?

Thomas Porter, Ph.D.
ScorpionPoint Security

-----Original Message-----
From: Kurt Seifried [mailto:bugtraq () seifried org]
Sent: Thursday, March 07, 2002 11:48 PM
To: Lance Spitzner; Snort-Users (E-mail); honeypots () securityfocus com
Subject: Re: VERY simple 'virtual' honeypot
Most honeypots work on the same concept: a system that has no production activity. You deploy a box that has no production value, so any packets going to that box indicate a probe, scan, or attack. This helps reduce both false positives and false negatives. Examples of such honeypots include BackOfficer Friendly, DTK, ManTrap, Specter, and Honeynets.

However, I was just thinking, why bother deploying the box? Why not create a list of Snort rules that generate an alert whenever a TCP/SYN packet or UDP packet is sent to an IP address that has no system? This could indicate a probe, scan or attack, the same principle as a honeypot, but without deploying an actual system. Of course this does not give you the Data Capture capabilities of a honeypot, as there is no system for the attacker to interact with. However, this could be used to help detect scanning or probing activity.
Better yet, have snort spoof a reply (i.e. pretend that a valid port is there). Then the attacker comes back later for more, giving you more information and wasting more of their time. Then you get a bit of the best of both worlds. I'm sure snort, portsentry or something similar could easily be hacked up to do it. Alternatively, use port redirects on Linux/OpenBSD to redirect stuff for unused networks to a "legit" server that will reply with basic stuff.
Thoughts?

--
Lance Spitzner
http://project.honeynet.org
Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.idefense.com/digest.html
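The "virtual honeypot" detection logic Lance describes, written out as an added example: this is not code from the thread, from Lance or Kurt, or from the Snort project. It assumes a constructed monitored subnet (192.0.2.0/28, the TEST-NET-1 block), a constructed list of the hosts that really exist in it, and constructed packet records standing in for decoded packets. It flags bare TCP SYNs and UDP datagrams sent to addresses with no system, and emits the equivalent Snort 2.x rules (the rule text and the DARK_HOSTS variable name are my own, not taken from the thread).

```python
"""Dark-address detection: alert on TCP SYN / UDP traffic to addresses
that have no live system, plus the equivalent Snort rules.
Added example; all addresses and packets below are constructed."""
import ipaddress
from typing import Iterable, List, NamedTuple

MONITORED_NET = ipaddress.ip_network("192.0.2.0/28")   # constructed: TEST-NET-1
LIVE_HOSTS = {"192.0.2.1", "192.0.2.5", "192.0.2.10"}  # constructed: the only real systems


class Packet(NamedTuple):
    proto: str       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int
    tcp_flags: str   # "S" bare SYN, "SA" SYN/ACK, "" for non-TCP


def unused_addresses(net: ipaddress.IPv4Network = MONITORED_NET,
                     live: Iterable[str] = LIVE_HOSTS) -> List[str]:
    """Addresses in `net` with no live host ("dark" addresses).
    net.hosts() already omits the network and broadcast addresses, which do
    receive legitimate traffic (ARP, DHCP, NetBIOS announcements) and would
    otherwise be a steady source of false positives."""
    live = set(live)
    return [str(ip) for ip in net.hosts() if str(ip) not in live]


def is_probe(pkt: Packet, dark: set) -> bool:
    """Lance's rule: a bare TCP SYN or any UDP datagram to a dark address.
    A SYN/ACK to a dark address is not a probe of us: it is backscatter from
    someone else's attack that spoofed our address as its source, worth its
    own alert but a different event, so it is deliberately not matched here."""
    if pkt.dst not in dark:
        return False
    if pkt.proto == "tcp":
        return pkt.tcp_flags == "S"
    return pkt.proto == "udp"


def detect(packets: Iterable[Packet], dark: Iterable[str]) -> List[Packet]:
    dark = set(dark)
    return [p for p in packets if is_probe(p, dark)]


def snort_rules(dark: Iterable[str], base_sid: int = 1000001) -> List[str]:
    """The same logic as two Snort 2.x rules plus a variable holding the dark
    address list (assumed rule text, not rules from the thread). flags:S,12
    matches a bare SYN while ignoring the two reserved/ECN bits, so
    ECN-capable SYNs still match; the UDP rule fires on any datagram."""
    dark_list = "[" + ",".join(dark) + "]"
    return [
        f"var DARK_HOSTS {dark_list}",
        'alert tcp any any -> $DARK_HOSTS any (msg:"Virtual honeypot: TCP SYN to unused address"; '
        f"flags:S,12; sid:{base_sid}; rev:1;)",
        'alert udp any any -> $DARK_HOSTS any (msg:"Virtual honeypot: UDP to unused address"; '
        f"sid:{base_sid + 1}; rev:1;)",
    ]


# Constructed sample traffic, not a capture.
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "192.0.2.3", 445, "S"),     # SYN to dark address: probe
    Packet("tcp", "198.51.100.7", "192.0.2.5", 445, "S"),     # SYN to a live host: not judged here
    Packet("udp", "198.51.100.9", "192.0.2.12", 161, ""),     # SNMP sweep into dark space: probe
    Packet("tcp", "203.0.113.4", "192.0.2.7", 33000, "SA"),   # SYN/ACK backscatter: not a probe
    Packet("icmp", "198.51.100.7", "192.0.2.8", 0, ""),       # ping sweep: outside Lance's rule
    Packet("udp", "198.51.100.9", "192.0.2.15", 137, ""),     # broadcast address: excluded
]

if __name__ == "__main__":
    dark = unused_addresses()
    for rule in snort_rules(dark):
        print(rule)
    for hit in detect(SAMPLE_PACKETS, dark):
        print(f"ALERT {hit.proto} {hit.src} -> {hit.dst}:{hit.dport}")
```

Two things a practitioner should expect before trusting this in production: legitimate traffic does reach dark addresses (stale DNS entries, mistyped addresses, discovery tools), so the alert is strong evidence of a sweep rather than proof of one, and a scanner that only targets hosts learned from DNS never touches dark space at all, so this complements rather than replaces signature rules. Kurt's follow-on, answering the SYN so the scanner wastes time and comes back, is what a tarpit such as LaBrea does for unused addresses; the block above only detects.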
Current thread:
- VERY simple 'virtual' honeypot Lance Spitzner (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)
- Re: VERY simple 'virtual' honeypot David Watson (Mar 08)
- Re: VERY simple 'virtual' honeypot nfudd (Mar 08)
- RE: VERY simple 'virtual' honeypot Thomas Porter, Ph.D. (Mar 07)
- Re: VERY simple 'virtual' honeypot Brian Caswell (Mar 07)
- RE: Re: VERY simple 'virtual' honeypot Chris Grout (Mar 07)
- Re: VERY simple 'virtual' honeypot Ian O'Brien (Mar 07)
- Re: VERY simple 'virtual' honeypot Glenn Forbes Fleming Larratt (Mar 07)
- Re: VERY simple 'virtual' honeypot Jim Forster (Mar 07)
- Re: VERY simple 'virtual' honeypot John Kinsella (Mar 07)
- Re: VERY simple 'virtual' honeypot Gideon Lenkey (Mar 08)
(Thread continues...)
- Re: VERY simple 'virtual' honeypot Kurt Seifried (Mar 07)