Snort mailing list archives

RE: VERY simple 'virtual' honeypot


From: Alex Collins <ALEX.COLLINS () INNOGY COM>
Date: Fri, 8 Mar 2002 09:33:13 -0000

Of course this does not give you the Data Capture capabilities
of a honeypot, as there is no system for the attacker to
interact with.  However, this could be used to help detect
scanning or probing activity.

Better yet, have snort spoof a reply (i.e. pretend that a valid port is
there). Then the attacker comes back later for more, giving you more
information and wasting more of their time. Then you get a bit of the best
of both worlds. I'm sure snort, portsentry or something similar could easily
be hacked up to do it. Alternatively, use port redirects on Linux/OpenBSD to
redirect stuff for unused networks to a "legit" server that will reply with
basic stuff.

If you could craft a "reply" routine for snort, that could be actioned over
a combination of packets, you could then define a range of actions that
would be useful both from the perspective of a "responsive" IDS (e.g. TCP
resets) and as a honeypot (e.g. acknowledge packets, send back banners)
logging further packets that are received.

If this was easily customisable, you could gain information for a wide range
of systems & services, without needing to have legit honey pots for these.

Alex Collins
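As an added illustration of the "spoof a reply and log what comes back" idea in the post above (this is example code written for this archive page, not Snort, portsentry or anything Alex Collins shipped): a small TCP listener that accepts connections on otherwise unused ports, sends back a fake service banner, records whatever the peer sends, and closes. The banner table, the `pretend_port` option (which stands in for the port-redirect setup the post mentions, so one listener can answer as a different port than it is bound to) and the log record layout are all assumptions of this example.

```python
"""Minimal 'virtual honeypot' listener (added example, not from the original post).
Accepts a connection, sends a fake banner, logs what the peer sends, then closes.
No real service is behind it, so there is nothing for the peer to interact with
beyond the banner; the value is the log of who probed which port with what."""
import json
import socket
import socketserver
import threading
import time

# Hypothetical banner table: the port this listener pretends to serve -> banner.
# Version strings are made up for the example.
BANNERS = {
    21: b"220 ftp.example.internal FTP server ready\r\n",
    22: b"SSH-2.0-OpenSSH_5.9\r\n",
    25: b"220 mail.example.internal ESMTP\r\n",
    80: b"HTTP/1.0 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n",
}
DEFAULT_BANNER = b""  # ports with no banner just accept silently and still log


def build_event(peer, port, payload):
    """Structured log record for one probe: who, which port, how much, first bytes."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": port,
        "bytes": len(payload),
        # latin-1 is lossless for arbitrary bytes, so binary probes survive the log
        "payload": payload[:256].decode("latin-1"),
    }


def handle_probe(port, peer, payload):
    """Pure decision function: (banner to send, event to log) for one connection."""
    return BANNERS.get(port, DEFAULT_BANNER), build_event(peer, port, payload)


class ProbeHandler(socketserver.BaseRequestHandler):
    def handle(self):
        srv = self.server
        # pretend_port models traffic redirected from an unused port to this listener
        port = srv.pretend_port or srv.server_address[1]
        self.request.settimeout(2.0)
        banner, _ = handle_probe(port, self.client_address, b"")
        if banner:
            self.request.sendall(banner)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""  # peer connected but never spoke: still worth logging
        _, event = handle_probe(port, self.client_address, data)
        srv.events.append(event)
        print(json.dumps(event))


class HoneypotServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, pretend_port=None):
        super().__init__(addr, ProbeHandler)
        self.pretend_port = pretend_port
        self.events = []  # in-memory log; a real deployment would write to syslog/file


def start_listener(bind_ip, port, pretend_port=None):
    """Start the listener in a background thread and return the server object."""
    srv = HoneypotServer((bind_ip, port), pretend_port)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_once(ip, port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Local test client: connect, read the banner, send one payload. Returns banner."""
    with socket.create_connection((ip, port), timeout=2) as s:
        s.settimeout(2)
        try:
            banner = s.recv(1024)
        except socket.timeout:
            banner = b""
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    # Demo on loopback: bind an OS-chosen port but answer as if it were port 22.
    srv = start_listener("127.0.0.1", 0, pretend_port=22)
    actual_port = srv.server_address[1]
    print("banner seen by probe:", probe_once("127.0.0.1", actual_port, b"SSH-2.0-probe\r\n"))
    time.sleep(0.5)
    srv.shutdown()
```

Running it on loopback prints the fake SSH banner the client received and one JSON event line from the listener; the `bytes` and `payload` fields are what make a later return visit by the same source stand out when the log is searched.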




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users