[Snort-users] logging/alerting for analysis

Daniel Harrison danielh at ...690...
Wed Jan 3 12:48:29 EST 2001


By design, any traffic going to the honeynet (headed by Lance) is suspect
because there is no legitimate reason for it. Those machines' sole purpose is
to sit there with a big target on their heads. So really you would need a
firewall, a designated target and a machine that can sniff (or snort) all
traffic behind that firewall. If you do this on a "production" network, you run
the risk of having a kiddie take down non-honeynet machines, not to mention the
time it would take to sort through a bunch of false positives created by legit
traffic.

-dan

Wes Bateman wrote:

> Hello, sorry this might be a dumb question from a first-time poster,
> but... :)
>
> I've been seeing analysis websites like projects.honeypot.org that have
> all these great captures to analyze.  I'm finding that in my own setup I
> alert on packets that match signatures, and I have the packetdumps for
> those.  These other sites have full, pretty 3 way handshakes and the
> like.  Anybody have recommendations, comments, whatever on how to manage
> monitoring many hosts, capturing as close as possible to the streams related
> to signatures, yet not having to store every packet that crosses the wire?
>
> I'm thinking this is a pipe dream.  Right?  I guess these sites are
> capturing ALL traffic to/from honeypot-type hosts.  It's really cool to be
> able to fully analyze both sides of the connections like that.  That's
> lacking in the way I'm doing it now, only alerting on packets that match
> my ruleset (primary vision).
>
> Thanks for any ideas/input/flames/whatever :)
>
> Wes
>
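The approach Wes is asking about (keep both sides of a connection, handshake included, for flows that trigger an alert, without persisting every packet) can be done with a bounded per-flow history buffer: recent packets of every live flow are held in memory, a flow is promoted to long-term storage the moment one of its packets matches a signature, and idle flows that never alerted are simply evicted. The following is an added illustration written for this archive page, not code from the thread, from Snort, or from the honeynet project; the addresses, the traffic, and the `CONSTRUCTED-SIGNATURE` marker standing in for a ruleset are all constructed, and the signature check is a plain substring match rather than a real detection engine.

```python
"""Flow-scoped packet retention (constructed example).

Every live flow keeps a short ring buffer of its most recent packets.  When a
packet matches a signature, the whole buffered history of that flow, including
the SYN / SYN-ACK / ACK that came before the matching packet, is promoted to
the retained set, and every later packet of that flow is kept too.  Flows that
go idle without ever alerting are dropped, so memory is bounded by the number
of live flows times the per-flow buffer size, not by total traffic volume.
"""
from collections import OrderedDict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since capture start (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # TCP flags in tcpdump shorthand: "S", "SA", "A", "PA", "F"
    payload: bytes = b""


def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a connection share one key."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


# Stand-in for a ruleset: a constructed marker string, not a real signature.
SIGNATURES = [b"CONSTRUCTED-SIGNATURE"]


def matches(pkt):
    """Toy content match; a real deployment would get this verdict from the IDS."""
    return any(sig in pkt.payload for sig in SIGNATURES)


class FlowRetainer:
    def __init__(self, max_pkts_per_flow=64, idle_timeout=30.0):
        self.max_pkts = max_pkts_per_flow
        self.idle_timeout = idle_timeout
        self.flows = OrderedDict()   # key -> deque of recent packets, ordered by last-seen
        self.retained = {}           # key -> list of packets handed to long-term storage

    def observe(self, pkt):
        key = flow_key(pkt)
        buf = self.flows.pop(key, None)          # pop + reinsert keeps last-seen order
        if buf is None:
            buf = deque(maxlen=self.max_pkts)
        buf.append(pkt)
        self.flows[key] = buf
        if key in self.retained:
            self.retained[key].append(pkt)       # flow already flagged: keep everything after
        elif matches(pkt):
            self.retained[key] = list(buf)       # promote buffered history, handshake included
        self._expire(pkt.ts)

    def _expire(self, now):
        """Evict flows idle longer than the timeout; oldest-seen flows come first."""
        for key in list(self.flows):
            if now - self.flows[key][-1].ts > self.idle_timeout:
                del self.flows[key]
            else:
                break                            # everything after this was seen more recently

    def handshake_captured(self, key):
        """True if the retained copy of the flow starts with a full three-way handshake."""
        flags = [p.flags for p in self.retained.get(key, [])[:3]]
        return flags == ["S", "SA", "A"]


def constructed_traffic():
    """Two connections from a constructed client to a constructed web server."""
    c, s = "10.0.0.5", "10.0.0.80"
    return [
        # flow 1: benign request, never alerts, should be evicted once idle
        Packet(0.0, c, 40000, s, 80, "S"),
        Packet(0.1, s, 80, c, 40000, "SA"),
        Packet(0.2, c, 40000, s, 80, "A"),
        Packet(0.3, c, 40000, s, 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
        Packet(0.4, s, 80, c, 40000, "PA", b"HTTP/1.0 200 OK\r\n"),
        # flow 2: the request carries the constructed marker, so the flow is retained
        Packet(1.0, c, 40001, s, 80, "S"),
        Packet(1.1, s, 80, c, 40001, "SA"),
        Packet(1.2, c, 40001, s, 80, "A"),
        Packet(1.3, c, 40001, s, 80, "PA", b"GET /CONSTRUCTED-SIGNATURE HTTP/1.0\r\n\r\n"),
        Packet(1.4, s, 80, c, 40001, "PA", b"HTTP/1.0 404 Not Found\r\n"),
        Packet(45.0, c, 40001, s, 80, "F"),  # much later; flow 1 is idle by now
    ]


def run(packets=None):
    retainer = FlowRetainer(idle_timeout=30.0)
    for pkt in (packets if packets is not None else constructed_traffic()):
        retainer.observe(pkt)
    return retainer


if __name__ == "__main__":
    r = run()
    for key, pkts in r.retained.items():
        print(key, [(p.ts, p.flags) for p in pkts])
    print("live flows still buffered:", len(r.flows))
```

The trade-off is the per-flow buffer size: it bounds memory but also bounds how far back before the alert the retained history reaches, so a long-lived connection that alerts late may have lost its handshake. The honeynet sites Wes mentions sidestep this by capturing everything, which is affordable only because, as Dan notes, all traffic to those hosts is suspect by construction.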
