Snort mailing list archives

Re: RE: VERY simple 'virtual' honeypot


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 08 Mar 2002 10:26:55 -0600

On Fri, 2002-03-08 at 08:16, Sawyer, John H. wrote:
What about incorporating LaBrea?  http://www.hackbusters.net/LaBrea/

<SNIP>
LaBrea is a program that creates a tarpit or, as some have called it, a
"sticky honeypot". LaBrea takes over unused IP addresses on a network and
creates "virtual machines" that answer to connection attempts. LaBrea
answers those connection attempts in a way that causes the machine at the
other end to get "stuck", sometimes for a very long time.
</SNIP>

It currently creates a "tarpit" to trap scans to IPs that aren't currently
being used.  Maybe someone could come up with a way to make Snort and LaBrea
work together.  Snort could handle all packet captures while LaBrea provides
IPs for the attacker to get tangled in.


While I love LaBrea, I think it's a bad idea to 'incorporate' it into
Snort. It's a separate application, period. And it should run on a
separate box.  A lot of folks are running Snort on a stealth interface,
and that would not be able to send the packets LaBrea sends to keep the
TCP 'alive'. Also, LaBrea creates bandwidth by trapping the TCP
connections, which can't be good for an IDS that is busy decoding
packets.

Also, Snort would have to be multi-threaded so that it can keep TCP
connections alive while at the same time still doing its regular job.

An IDS is an IDS is an IDS....

I use LaBrea on one box and Snort (on a stealth interface/ro-cable) on
another box. Snort logs the scan attempts just fine, while LaBrea keeps
them tarpitted. They run fine in tandem, but on separate boxes.

Regards,
Frank
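As an added illustration of the IDS side of the tandem described in this thread (example code, not from the list or from LaBrea/Snort themselves): the sensor only logs, and anything that touches addresses the tarpit box has claimed is by definition a probe of unused space. The address range and log lines are constructed; the log format is a loose Snort-style "src:sport -> dst:dport" line, not any particular Snort output mode.

```python
"""Correlate sensor logs with the tarpit's address range (constructed example).

The tarpit box answers for a set of unused addresses; the IDS box only
records connection attempts. Any source that touches several of those
addresses is sweeping space where nothing legitimate lives.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical: addresses LaBrea has claimed on this /24 (nothing real lives there).
TARPIT_ADDRS = {ipaddress.ip_address(f"192.0.2.{i}") for i in range(200, 255)}

# Loose match for a Snort-style "src:sport -> dst:dport" fragment.
LINE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_connections(lines):
    """Yield (src, dst, dport) for each parseable line; skip anything else."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        yield (ipaddress.ip_address(m.group(1)),
               ipaddress.ip_address(m.group(3)),
               int(m.group(4)))


def sweep_report(lines, tarpit=TARPIT_ADDRS, min_hits=3):
    """Sources that hit at least min_hits distinct tarpit addresses,
    mapped to the sorted list of tarpit addresses they touched."""
    hits = defaultdict(set)
    for src, dst, _ in parse_connections(lines):
        if dst in tarpit:
            hits[src].add(dst)
    return {str(src): sorted(str(d) for d in dsts)
            for src, dsts in hits.items() if len(dsts) >= min_hits}


# Constructed sample log: one source sweeps the tarpit range, one does not.
SAMPLE_LOG = """\
03/08-10:26:55.000001 198.51.100.7:40001 -> 192.0.2.10:80
03/08-10:26:55.100002 198.51.100.7:40002 -> 192.0.2.201:80
03/08-10:26:55.200003 198.51.100.7:40003 -> 192.0.2.202:80
03/08-10:26:55.300004 198.51.100.7:40004 -> 192.0.2.203:80
03/08-10:26:56.000005 198.51.100.9:51000 -> 192.0.2.10:22
03/08-10:26:56.100006 198.51.100.9:51001 -> 192.0.2.204:22
garbage line the parser must skip
""".splitlines()

if __name__ == "__main__":
    for src, dsts in sweep_report(SAMPLE_LOG).items():
        print(f"{src} swept {len(dsts)} tarpit addresses: {', '.join(dsts)}")
```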


