[Snort-users] Re: VERY simple 'virtual' honeypot

Kurt Seifried bugtraq at ...5234...
Thu Mar 7 21:20:05 EST 2002


Kind of, it simply sends reponses, but holds the tcp window open for as long
as possible, the theory being that if a sizable percentage of people ran
labrea scans, probes and attacks would take a lot longer. Problem is most
scans can simply have a timeout (--host_timeout in nmap) and attacks won't
really care since most are automated (ala code red/nimda). What would helps
is if you have a network, someone scans it stealthily (let's say 1 packet
per day), when they try to attack they will end up attacking non-existent
services/systems hopefully creating more noise that you can catch.
Ultimately if you can a netblock and every single address responds with
let's say 10 ports open attacking them is going to be very very noisy.

Problem with Labrea is it really only works if lots and lots of people
deploy it. With something like fake scan answers that immediately helps
protect you.

Kurt Seifried, kurt at ...5234...
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.idefense.com/digest.html

----- Original Message -----
From: "Thomas Porter, Ph.D." <tporter at ...2894...>
To: "'Kurt Seifried'" <bugtraq at ...5234...>; "'Lance Spitzner'"
<lance at ...2024...>; "'Snort-Users (E-mail)'"
<snort-users at lists.sourceforge.net>; <honeypots at ...35...>
Sent: Thursday, March 07, 2002 10:12 PM
Subject: RE: VERY simple 'virtual' honeypot


> Doesn't Labrae work on this principal?
>
> Thomas Porter, Ph.D.
> ScorpionPoint Security







More information about the Snort-users mailing list