Snort mailing list archives
re: VERY simple 'virtual' honeypot
From: Wynn Fenwick <wfenwick () FHLSim com>
Date: Sat, 09 Mar 2002 14:55:05 -0500
An excellent discussion... I'm learning a lot. It seems to me that a honeypot is primarily a research tool, for analysis of stimulus/response and to study the relationship between types of compound attacks and the threat level to which these compound attacks correlate. It's easy to make that correlation with single, simple vulnerability exploits. When many small exploits of vulnerabilities snowball into a complex attack, it's really hard. This is what honeypots are good at linking together with the data they provide. Research honeypots are one of those things definitely in the "nice to have" category for most mortal organizations unless they are actively involved in security superhero R&D. Most organizations have enough trouble getting firewall rules maintained, and staffing funded to maintain the preventative infrastructure, IMHO. I could see selling the idea of a LaBrea-ish honeypot to make them skate in cheese a bit, but the cost/benefit would be very hard to prove to management. It might increase the latency between a scan and a real attack in time for someone to react/prevent against the attack more effectively, but how do you prove that in PowerPoint?

The stuff Marty is talking about doing is more of a tactical obfuscation tool - a safeguard which reduces the risk of an outsider identifying the type of safeguard actually in place. Creating entropy in the reachability profile data of a network would simply obfuscate the network landscape from the outside. It's like publishing intentionally erroneous topographical maps, assuming the enemy would use that to create their battle plan, and no other intel they gathered. This works until the attacker knows that this information is bogus, and they then need to use other sources of information. You've simply told them "hey, we're running a jammer here", and no one will trust the information gleaned from an external network reachability profiler.
It will keep the kiddies busy... and increase the cost of the information to the attacker. As one client says, "if there is bang for the buck, let's do it"... low cost to us creating high cost to the attacker is a Good Thing. I think this would be better as a separate tool rather than bound to my IDS, which I prefer to think of as a passive I&W system. However, I can see implementing this and getting "bang for the buck" if I was ever going to implement active response in my IDS.

Total donation: C$0.02

W

snort-users-request () lists sourceforge net wrote:
Subject: Re: [Snort-users] VERY simple 'virtual' honeypot
Date: Sat, 9 Mar 2002 11:16:43 -0500
From: "Jason Robertson" <jason () ifuture com>
Organization: iFuture Inc.
To: <snort-users () lists sourceforge net>
References: <Pine.LNX.4.30.0203072228320.25075-100000 () marge spitzner net>

Anyways, I don't know if I will be stepping on anyone's feet, so if I am... I hope you are wearing steel-toed boots... because this comfy gov't job has made me fat and.... oh okay, enough with the joking at my expense.

Anyways, isn't the purpose of a honeynet not only to monitor attempted traffic, but to monitor direct attacks and to attain evidence when a person has breached the security of a machine or network? What evidence do you have that they portscanned your machine, especially if they break into the system anyways? The purpose of a honeypot is to give an idea of a vulnerable system, to see what they do. Some of the various analyses of these trojans and rootkits wouldn't exist without the use of honeypots, since these machines give just enough access to allow someone to gain access and to put all kinds of backholes into the system, but not enough to actually be useful.

Jason

On 8 Mar 2002 at 22:23, Martin Roesch wrote:

Date sent: Fri, 08 Mar 2002 22:23:21 -0500
Subject: Re: [Snort-users] VERY simple 'virtual' honeypot
From: Martin Roesch <roesch () sourcefire com>
To: Lance Spitzner <lance () honeynet org>, "Snort-Users (E-mail)" <snort-users () lists sourceforge net>, <honeypots () securityfocus com>

A couple thoughts on the topic...

1) Just watching unused IP/port space with a set of rules is what I usually call "trap rules", rules that trap packets going places they shouldn't be. This is a poor man's honeypot and it's very good at picking up scans, port probes and general noise on the network. It's not all that great at doing the primary thing that honeypots are good at when used in a production role as network intrusion detection auxiliaries that let you gauge the intent of an attacker. The idea for trap rules came from a paper that Marcus Ranum wrote a year or two back about "playing the home field advantage" and using the knowledge of your network that you inherently have as the admin to set up monitoring capabilities that will monitor the dead spaces on a network.

2) For people with money, there's a product out there from a company called ForeScout that does active jamming of scanners. When I talk about active jamming, I'm referring to it in the electronic warfare sense. What ForeScout's product (ActiveScout) does is watch for scanning activity and send out false responses to project false targets back to an attacker performing recon. This works conceptually in the same way that some active radar jammers do, generating false targets at the attacker's workstation and causing havoc with his targeting (i.e. finding out which targets are real so that you can launch an attack). I found this to be an extremely nifty idea, although I don't know how well they've implemented it. It might be entertaining to modify the active response mechanisms in Snort to do something similar...

For more info on these topics, search for various rants from me containing keywords like "production honeypot vs. research honeypot", "packet traps" and "no hardware no cry". :)

-Marty
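Marty's "trap rules" idea (watch the dead IP/port space you know nobody uses, and treat anything sent there as a probe), as an added example that is not code from this thread or from Snort: the owned address block, the live-host/port table and the flow records below are all constructed assumptions, and it also adds a per-source tally so a single stray packet is told apart from a sweep.

```python
"""Trap-rule detection over flow records: flag traffic aimed at unused address
or port space ("dead space") and summarise which sources keep hitting it.
Everything below (networks, hosts, flows) is constructed sample data."""
import ipaddress
from collections import defaultdict

# Assumed site layout: the block we own, the hosts actually in use on it,
# and the ports each live host legitimately serves. Everything else is dead space.
OWNED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LIVE_HOSTS = {
    "192.0.2.10": {80, 443},   # web server
    "192.0.2.20": {25},        # mail relay
    "192.0.2.30": {22},        # admin jump host
}

# Constructed flow records: (src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", 80),    # normal web hit
    ("203.0.113.9", "192.0.2.20", 25),    # normal mail delivery
    ("203.0.113.9", "192.0.2.30", 23),    # one stray telnet attempt
    ("198.51.100.7", "192.0.2.1", 80),    # sweep across unused addresses
    ("198.51.100.7", "192.0.2.2", 80),
    ("198.51.100.7", "192.0.2.3", 80),
    ("198.51.100.7", "192.0.2.10", 23),   # real host, unoffered service
]

def classify_flow(src, dst, port):
    """Trap-rule verdict for one flow: 'dead-ip', 'dead-port', or None if ordinary."""
    addr = ipaddress.ip_address(dst)
    if not any(addr in net for net in OWNED_NETS):
        return None                 # not our space; out of scope for trap rules
    if dst not in LIVE_HOSTS:
        return "dead-ip"            # packet to an address nobody uses
    if port not in LIVE_HOSTS[dst]:
        return "dead-port"          # live host, but it does not serve this port
    return None

def trap_alerts(flows):
    """Run the trap rules over all flows; map each source to its distinct dead targets."""
    hits = defaultdict(lambda: {"dead-ip": set(), "dead-port": set()})
    for src, dst, port in flows:
        verdict = classify_flow(src, dst, port)
        if verdict:
            hits[src][verdict].add((dst, port))
    return hits

def likely_scanners(flows, threshold=3):
    """Sources that touched at least `threshold` distinct dead targets (sorted)."""
    hits = trap_alerts(flows)
    return sorted(src for src, h in hits.items()
                  if len(h["dead-ip"]) + len(h["dead-port"]) >= threshold)
```

The threshold is what separates noise (one mistyped port) from reconnaissance (a sweep), which is the "picking up scans and port probes" role Marty assigns to trap rules.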