[Snort-users] RE: VERY simple 'virtual' honeypot

Thomas Porter, Ph.D. tporter at ...2894...
Thu Mar 7 21:13:05 EST 2002


Doesn't Labrae work on this principal?

Thomas Porter, Ph.D.
ScorpionPoint Security

-----Original Message-----
From: Kurt Seifried [mailto:bugtraq at ...5234...] 
Sent: Thursday, March 07, 2002 11:48 PM
To: Lance Spitzner; Snort-Users (E-mail); honeypots at ...35...
Subject: Re: VERY simple 'virtual' honeypot


> Most honeypots work on the same concept, a system that has no 
> production activity.  You deploy a box that has no production value, 
> any packets going to that box indicate a probe, scan, or attack.  This

> helps reduce both false positives and false negatives.  Exampls of 
> such honeypots include BackOfficer Friendly, DTK, ManTrap, Specter, 
> and Honeynets.
>
> However, I was just thinking, why bother deploying the box? Why not 
> create a list of Snort rules that generate an alert whenever a TCP/SYN

> packet or UDP packet is sent to an IP address that has no system?  
> This could incidate a probe, scan or attack, the same principles of a 
> honeypot, but without deploying an actual system.
>
> Of course this does not give you the Data Capture capabilites of a 
> honeypot, as there is no system for the attacker to interact with.  
> However, this could be used to help detect scanning or probing 
> activity.

Better yet have snort spoof a reply (i.e. pretend that a valid port is
there). Then the attacker comes back later for more giving you more
information and wasting more of their time. Then you get a bit of the
best of both worlds. I'm sure snort, portsentry or something similar
could easily be hacked up to do it. Alternative use port redirects on
Linux/OpenBSD to redirect stuff for unused networks to a "legit" server
that will reply with basic stuff.

> Thoughts?
>
> --
> Lance Spitzner
> http://project.honeynet.org



Kurt Seifried, kurt at ...5234...
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/ http://www.idefense.com/digest.html



---------------------------------------------------------------------
To unsubscribe, e-mail: honeypots-unsubscribe at ...35...
For additional commands, e-mail: honeypots-help at ...35...
---------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities. 
Please, see: https://alerts.securityfocus.com/






More information about the Snort-users mailing list