Snort mailing list archives
Re: RE: VERY simple 'virtual' honeypot
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 08 Mar 2002 10:26:55 -0600
On Fri, 2002-03-08 at 08:16, Sawyer, John H. wrote:
> What about incorporating LaBrea? http://www.hackbusters.net/LaBrea/
>
> <SNIP>
> LaBrea is a program that creates a tarpit or, as some have called it, a "sticky honeypot". LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer to connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get "stuck", sometimes for a very long time.
> </SNIP>
>
> It currently creates a "tarpit" to trap scans to IPs that aren't currently being used. Maybe someone could come up with a way to make Snort and LaBrea work together. Snort could handle all packet captures while LaBrea provides IPs for the attacker to get tangled.

While I love LaBrea, I think it's a bad idea to 'incorporate' it into Snort. It's a separate application, period. And it should run on a separate box.

A lot of folks are running Snort on a stealth interface and that would not be able to send the packets LaBrea sends to keep the TCP 'alive'. Also, LaBrea creates bandwidth by trapping the TCP connections, which can't be good for an IDS that is busy decoding packets. Also, Snort would have to be multi-threaded so that it can keep TCP connections alive while at the same time still doing its regular job. An IDS is an IDS is an IDS....

I use LaBrea on one box and Snort (on a stealth interface/ro-cable) on another box. Snort logs the scan attempts just fine, while LaBrea keeps them tarpitted. They run fine in tandem, but on separate boxes.

Regards,
Frank
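Added example, not part of the original message and not LaBrea's code: a simplified model of the tarpit behaviour quoted in the thread, showing that every step (claiming an unused IP, answering a connection attempt) requires transmitting a packet, which a receive-only sensor interface cannot do. The unanswered-ARP heuristic as modelled here, the timeout, the window size, the event format and all addresses are assumptions of this model.

```python
from dataclasses import dataclass, field

ARP_TIMEOUT = 3.0    # assumed: seconds an ARP request may go unanswered
TARPIT_WINDOW = 10   # assumed: tiny TCP window offered in the SYN/ACK

@dataclass
class Tarpit:
    pending: dict = field(default_factory=dict)  # ip -> time of first unanswered ARP request
    claimed: set = field(default_factory=set)    # unused IPs the tarpit answers for
    held: set = field(default_factory=set)       # connections currently stuck

    def handle(self, ev):
        """Return the packet the tarpit must transmit for this event, or None."""
        if ev["kind"] == "arp_reply":            # a real host owns the IP: leave it alone
            self.pending.pop(ev["ip"], None)
            self.claimed.discard(ev["ip"])       # model choice: release it if a host appears
        elif ev["kind"] == "arp_request":
            ip = ev["ip"]
            first = self.pending.setdefault(ip, ev["t"])
            if ip in self.claimed or ev["t"] - first >= ARP_TIMEOUT:
                self.claimed.add(ip)             # nobody answered in time: treat as unused
                self.pending.pop(ip, None)
                return {"kind": "arp_reply", "ip": ip}
        elif ev["kind"] == "tcp" and ev["dst"] in self.claimed:
            if ev["flags"] == "S":               # accept the connection, offer almost no window
                self.held.add((ev["src"], ev["sport"], ev["dst"], ev["dport"]))
                return {"kind": "tcp", "flags": "SA", "ack": ev["seq"] + 1,
                        "window": TARPIT_WINDOW}
            # Anything else is ignored, so the peer keeps retransmitting.
        return None

SCAN = {"kind": "tcp", "src": "203.0.113.7", "sport": 40000, "dport": 80, "seq": 1000}
# Constructed sample traffic (documentation address ranges, not real hosts).
EVENTS = [
    {"kind": "arp_request", "t": 0.0, "ip": "192.0.2.50"},   # unused address
    {"kind": "arp_request", "t": 1.0, "ip": "192.0.2.10"},   # live host
    {"kind": "arp_reply",   "t": 1.1, "ip": "192.0.2.10"},
    {"kind": "arp_request", "t": 3.5, "ip": "192.0.2.50"},   # still unanswered
    {**SCAN, "t": 3.6, "dst": "192.0.2.50", "flags": "S"},
    {**SCAN, "t": 3.7, "dst": "192.0.2.50", "flags": "PA"},  # data after handshake
    {**SCAN, "t": 3.8, "dst": "192.0.2.10", "flags": "S"},   # real host, not ours
]

def run(events):
    pit = Tarpit()
    return [pit.handle(ev) for ev in events], pit

if __name__ == "__main__":
    for ev, reply in zip(EVENTS, run(EVENTS)[0]):
        print(ev["t"], ev["kind"], "->", reply)
```

Only two of the seven events produce output, but both are packets the tarpit host itself has to send, while a passive sensor watching the same wire sees all seven.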