[Snort-users] Re: VERY simple 'virtual' honeypot
bmc at ...312...
Thu Mar 7 20:55:08 EST 2002
On Thu, Mar 07, 2002 at 10:34:16PM -0600, Lance Spitzner wrote:
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system? This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.
Heck, for those of us with nazi firewalls, those will do just
fine. If you use PF, you can log all incoming blocked
packets and then view them with Snort (with a small patch) or
That's cheaper than wasting an IP, and most people that would
run a honeypot already watch their firewall logs.
 there is probably something like that in linux, but the
only thing I use linux for is building RPMs of snort :)
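
The rules the quoted idea describes, written out as an added example that is not part of the original thread: the two addresses in DARKNET are placeholders standing in for unassigned IPs on the monitored network, and the SIDs are arbitrary values from the local range.

```snort
# Constructed example. 192.0.2.50 and 192.0.2.51 are placeholder addresses
# assumed to have no system behind them; replace with your own unused IPs.
var DARKNET [192.0.2.50/32,192.0.2.51/32]

# Any TCP connection attempt (SYN set, no other flags) to an unused address.
# Nothing legitimate should be opening connections to a host that does not exist.
alert tcp any any -> $DARKNET any (msg:"LOCAL TCP SYN to unused address"; flags:S; sid:1000001; rev:1;)

# Any UDP datagram to an unused address.
alert udp any any -> $DARKNET any (msg:"LOCAL UDP packet to unused address"; sid:1000002; rev:1;)
```

The sensor has to be placed where it can see traffic addressed to those IPs, for example on a span port in front of the firewall, since no host will answer for them.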