[Snort-users] RE: VERY simple 'virtual' honeypot

Thomas Porter, Ph.D. tporter at ...2894...
Thu Mar 7 21:13:05 EST 2002

Doesn't LaBrea work on this principle?

Thomas Porter, Ph.D.
ScorpionPoint Security

-----Original Message-----
From: Kurt Seifried [mailto:bugtraq at ...5234...] 
Sent: Thursday, March 07, 2002 11:48 PM
To: Lance Spitzner; Snort-Users (E-mail); honeypots at ...35...
Subject: Re: VERY simple 'virtual' honeypot

> Most honeypots work on the same concept, a system that has no 
> production activity.  You deploy a box that has no production value, 
> any packets going to that box indicate a probe, scan, or attack.  This
> helps reduce both false positives and false negatives.  Examples of 
> such honeypots include BackOfficer Friendly, DTK, ManTrap, Specter, 
> and Honeynets.
> However, I was just thinking, why bother deploying the box? Why not 
> create a list of Snort rules that generate an alert whenever a TCP/SYN
> packet or UDP packet is sent to an IP address that has no system?  
> This could indicate a probe, scan or attack, the same principles of a 
> honeypot, but without deploying an actual system.
> Of course this does not give you the Data Capture capabilities of a 
> honeypot, as there is no system for the attacker to interact with.  
> However, this could be used to help detect scanning or probing 
> activity.

Better yet have snort spoof a reply (i.e. pretend that a valid port is
there). Then the attacker comes back later for more giving you more
information and wasting more of their time. Then you get a bit of the
best of both worlds. I'm sure snort, portsentry or something similar
could easily be hacked up to do it. Alternatively, use port redirects on
Linux/OpenBSD to redirect stuff for unused networks to a "legit" server
that will reply with basic stuff.

> Thoughts?
> --
> Lance Spitzner
> http://project.honeynet.org

Kurt Seifried, kurt at ...5234...
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/ http://www.idefense.com/digest.html
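
Lance's rule idea written out as Snort 2.x rules, added here as an example and not code from the thread; the DARK_NET and SWEEPERS ranges are constructed, the sids are in the local range, and a standard classification.config is assumed.

```snort
# Added example (not from the thread): alert on any TCP SYN, UDP datagram or
# ICMP echo aimed at addresses known to have no host behind them.
# The two ranges below are constructed; choose blocks that contain no assigned
# host and no subnet broadcast address (here .200-.207 and .240-.247).
var DARK_NET [192.168.1.200/29,192.168.1.240/29]
# Hosts allowed to sweep the whole subnet (e.g. an in-house vulnerability scanner).
var SWEEPERS [192.168.1.10]

# TCP: only the initial SYN; mask the CWR/ECE bits so ECN-capable stacks still match.
alert tcp !$SWEEPERS any -> $DARK_NET any ( \
    msg:"DARKNET TCP SYN to unused address"; \
    flow:stateless; flags:S,12; \
    classtype:attempted-recon; sid:1000001; rev:1; )

# UDP: any datagram, since there is no handshake to key on.
alert udp !$SWEEPERS any -> $DARK_NET any ( \
    msg:"DARKNET UDP to unused address"; \
    classtype:attempted-recon; sid:1000002; rev:1; )

# ICMP echo requests (ping sweeps) to the same space.
alert icmp !$SWEEPERS any -> $DARK_NET any ( \
    msg:"DARKNET ICMP echo to unused address"; \
    itype:8; \
    classtype:attempted-recon; sid:1000003; rev:1; )

# Placed in snort.conf: one alert per source per minute per rule, so a sweep of
# the whole range yields a few alerts per scanner instead of thousands.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60
```

The sensor has to sit where it can see these packets before the last-hop router drops them for lack of an ARP reply, i.e. on that router's upstream link or on a span of it. Kurt's redirect trick, or a LaBrea-style ARP responder, is what makes the same traffic observable on the local segment and keeps the scanner talking.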
