Snort mailing list archives
IDS and Honeypots
From: dreamwvr () dreamwvr ca
Date: Sun, 10 Mar 2002 07:47:57 -0700
On Fri, Mar 08, 2002 at 06:15:07AM -0800, snort-users-request () lists sourceforge net wrote:

> Of course this does not give you the Data Capture capabilities of a honeypot, as there is no system for the attacker to interact with. However, this could be used to help detect scanning or probing activity. Thoughts?
Hi,

Well, maybe/maybe not, it depends. One way it could be integrated: add an optional method/function that handles a response to the injected attack string, then return the expected result. Then Snort adds this to the rule syntax. Voila. IOW, if need be, it opens a rand socket that is not bidirectional and injects the response, or something like that. That would work for UDP anyhow. TCP, well, then you need to complete the triple play. However, it could be handled in a similar fashion. That way it might narrow the exact characteristics of a threat for better analysis. The concept of the virtual machine comes to mind; however, the sandbox would need to be something like a write-once CD, for example.

Well, need coffee very_badly. Bye.

Best Regards,
dreamwvr () dreamwvr com

--
/* Security is a work in progress - dreamwvr */
# Note: To begin Journey type man afterboot, man help, man hier[.]
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \? ;-]
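The mechanism sketched in the reply above, as an added example that is neither the poster's code nor part of Snort: a small Python simulation of a rule carrying a hypothetical `resp` option. A matching UDP probe gets a canned reply built by swapping the endpoints; a TCP probe gets nothing until the handshake (the "triple play") is complete. The `Packet`, `Rule` and `tcp_established` names and the sample probes are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                     # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    tcp_established: bool = False  # hypothetical flag: 3-way handshake done


@dataclass
class Rule:
    proto: str
    dport: int
    content: bytes   # attack string the rule looks for in the payload
    resp: bytes      # hypothetical "resp" option: canned reply to inject


def match(rule: Rule, pkt: Packet) -> bool:
    """Content match in the style of a Snort rule (protocol, port, payload)."""
    return (pkt.proto == rule.proto and pkt.dport == rule.dport
            and rule.content in pkt.payload)


def build_response(rule: Rule, pkt: Packet) -> Optional[Packet]:
    """Return the reply the sensor would inject, or None if it cannot answer.

    UDP is connectionless, so the canned reply can be sent at once.  TCP needs
    a completed handshake first, otherwise the probing host simply ignores it.
    """
    if not match(rule, pkt):
        return None
    if pkt.proto == "tcp" and not pkt.tcp_established:
        return None
    # Swap endpoints so the reply appears to come from the probed service.
    return Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport,
                  rule.resp, pkt.tcp_established)


# Constructed samples: a UDP probe and a TCP probe for a fictional service.
UDP_RULE = Rule("udp", 9999, b"PROBE", b"FAKE-SERVICE 1.0 ready\r\n")
UDP_PROBE = Packet("udp", "10.0.0.5", 40000, "10.0.0.9", 9999, b"PROBE\r\n")
TCP_RULE = Rule("tcp", 9998, b"PROBE", b"FAKE-SERVICE 1.0 ready\r\n")
TCP_PROBE = Packet("tcp", "10.0.0.5", 40001, "10.0.0.9", 9998, b"PROBE\r\n")
TCP_PROBE_EST = Packet("tcp", "10.0.0.5", 40001, "10.0.0.9", 9998,
                       b"PROBE\r\n", tcp_established=True)
```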