[Snort-users] Re: VERY simple 'virtual' honeypot

Brian Caswell bmc at ...312...
Thu Mar 7 20:55:08 EST 2002


On Thu, Mar 07, 2002 at 10:34:16PM -0600, Lance Spitzner wrote:
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.

Heck, for those of us with nazi firewalls, those will do just 
fine.  If you use PF [0], you can log all incoming blocked 
packets and then view them with Snort (with a small patch) or 
tcpdump.

That's cheaper than wasting an IP, and most people that would
run a honeypot already watch their firewall logs.

[0] there is probably something like that in linux, but the 
    only thing I use linux for is building RPMs of snort :)

-brian 
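The "dark address" rule set Lance sketches above, written out as an added example (it is not from either poster, and the address block 192.0.2.32/27 is a placeholder for whatever unused space a site has; sid numbers above 1000000 are the local range):

```snort
# Unused address space on the monitored segment (assumed for this example).
# List several ranges as [a.b.c.d/nn,e.f.g.h] if the dark space is not contiguous.
var DARK_NET 192.0.2.32/27

# Nothing should ever be sent to an address with no host behind it, so any
# connection attempt is worth an alert. flags:S matches a bare SYN; on Snort
# versions that understand it, flags:S,12 ignores the two ECN/reserved bits.
alert tcp any any -> $DARK_NET any (msg:"DARKNET TCP SYN to unused address"; flags:S; sid:1000001; rev:1;)

# UDP has no handshake, so every datagram to dark space is logged.
alert udp any any -> $DARK_NET any (msg:"DARKNET UDP to unused address"; sid:1000002; rev:1;)

# ICMP echo to dark space is the other common scan primitive (not in Lance's
# list; added here because the same reasoning applies).
alert icmp any any -> $DARK_NET any (msg:"DARKNET ICMP echo to unused address"; itype:8; sid:1000003; rev:1;)
```

Two things to check before trusting the alerts. First, the sensor has to actually see the packets: if the dark addresses sit on a directly attached subnet, the last-hop router will ARP for them, get no reply, and drop the packet, so a sensor on that inside segment sees only ARP requests, never the SYN. Put the sensor upstream of that router, or give the dark addresses a route or static ARP entry that delivers them to a segment the sensor watches. Second, keep DARK_NET as an explicit list rather than `!$HOME_NET`, otherwise the rules fire on every outbound connection from your own hosts.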



