[Snort-users] VERY simple 'virtual' honeypot

Glenn Forbes Fleming Larratt glratt at ...152...
Thu Mar 7 21:41:03 EST 2002


I used LaBrea in this way - created a bogus /24 off my production 
network, poked a global allow for that /24 at my border, fired
up LaBrea and Snort on an unaddressed laptop on the /24, and
listened.

Some points of order regarding this quasi-honeypot:

- no dns, no outbound traffic, no nothing to indicate to an external
        party that the subnet even existed - thus, any traffic coming to
        that network was either misdirected or hostile;
	
- historically, the subnet had been unused and unallocated out of our
	/16 core (.edu network) for over two years;

- the subnet came into existence on Thu Dec 20 2001 sometime after 4:15 p.m.;
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- in the first full day of listening (December 21st) - one 24-hour period:
                                                       ^^^^^^^^^^^^^^^^^^
================================================================
- 1,702 different external hosts attempted at least one initial TCP connection;

- 1,026 attempted more than one;

- 335 attempted 20 or more;

- 71 attempted 255 or more, thereby scanning the entire subnet multiple times -
        of the top 60 or so:

        - 12 unique IP's came from U.S. educational institutions
        (UCLA 128.97.0.0/16, UVA 128.143.0.0/16, UGA 128.192.0.0/16,
        SunyBuffalo 128.205.0.0/16, UWA 128.208.0.0/16,
        UHI 128.171.0.0/16, SunyBinghamtom 128.226.0.0/16,
        Syracuse 128.230.0.0/16, WashUStLouis 128.252.0.0/16,
        UOKNorman 129.15.0.0/16, UMI 131.213.0.0/16);

        - 12 unique IP's came from US providers (HSACorp 24.240.23.0/24,
        AOL 172.128.0.0/10, rr.com 24.24.0.0/13sortof, genuity.net 4.0.0.0/8,
        naxs.com 216.98.64.0/19, arnet 209.40.128.0/18, UUNET 208.254.72.0/23,
        Comastpc.com 68.40.0.0/13, @home 65.9.112.0/20,
        SBCIS/PacBell 63.192.0.0/12);

        - 5 came from a random US ".com" (tag.com 216.177.32.0/19,
        mrws.net 63.166.61.0/24, "Oilgear" (AT&T) 209.36.148.0/24,
        BritSys.com 192.216.171.0/24, RuralNet 216.169.69.32/27);

        - 3 came from Canada (BellNexxia 65.93.160.0/19,
        ShawFiberlink 24.80.0.0/13, hyperlinx.net 207.107.55.0/24);

        - 3 came from Mexico (UnivAutonomaZacatecas 148.217.0.0/16,
        MERKANET 200.23.95.0/24, Avantel 148.240.0.0/16);

        - 2 came from South America (cable.net.co-Colombia 200.68.160.0/21,
        ImpSat-Venezuela 200.31.4.0/24);

        - 5 came from Germany (denoc.net 62.116.128.0/20,
        JWGoethe-UnivFrankfurt 141.2.0.0/16, t-online.com 80.128.0.0/12sortof,
        t-online.com 217.80.0.0/12sortof);

        - 4 came from France (internet-fr.net 212.37.210.0/22,
        wanadoo 217.128.39.0/24, wanadoo 193.252.192.0/24,
        wanadoo 80.13.214.0/24);

        - 2 came from Norway (nextgentel.com 213.145.160.0/19,
        NTANET 128.39.0.0/16);

        - 2 came from the Netherlands (tiscali.nl 195.241.0.0/16,
        UnivUtrecht 131.211.0.0/16);

        - 6 came from other European countries
        (InstitutoDaAgua-Portugal 193.136.235.0/24,
        Lidkopings-Sweden 195.84.233.128/26, MedUnivLodz-Poland 212.5.198.0/23,
        telefonica.es-Spain 213.96.0.0/15, tin.it-Italy 62.211.128.0/17,
        hispeed.ch-Switzerland 217.162.0.0/16sortof);

        - 1 came from Australia (bigpond.net.au 203.40.0.0/13);

        - 1 came from India (vsnl.net 203.199.84.128/26);

        - 9 came from Korea (rapitel.co.kr 211.189.198.0/25,
        KoreaTelecom 128.134.0.0/16, nuri.net 210.1221.56.192/26,
        kornet.net 61.73.128.0/20sortof, kornet 61.73.152.0/21sortof);

        - 2 came from China (Chinanet 202.104.0.0/16,
        LianyungangFoodMfry 61.155.96.0/19sortof);

        - 1 came from Taiwan (TANET 140.109.0.0/16);

        - 1 came from Japan (u-tokyo.ac.jp 133.11.0.0/16);

- activity peaks occurred 6-7am (97 hits), 11-12am (148), 5-6pm (158),
        6-7pm (202), and 7-8pm (295); [all times CST]

- most of these were reconnaissance (see below).
================
- of the initial connection attempts, 845 were to HTTP port 80 (presumably
        Code Red, Nimda, or more serious Web attackers), 243 were to FTP port
        21 (widely vulnerable), 242 were to SOCKS/Wingate port 1080 (widely
        exploitable), 232 were to ssh port 22 (recent exploits), and 14
        were to portmapper port 111 (an oldie but a goodie - widely
        exploitable, but most people block it nowadays)
================
- 56 hosts completed a TCP connection, 53 more than one, 43 hosts completed
        20 or more, and 9 hosts completed 255 or more; this number was
        presumably attempting exploits in realtime.
================
- 4 internal security issues were detected:
        3 incidences of Code Red or Nimda
        1 incidence of a compromised internal machine portscanning ssh
================

	-g

On Thu, 7 Mar 2002, Lance Spitzner wrote:

> Most honeypots work on the same concept, a system that has no
> production activity.  You deploy a box that has no production
> value, any packets going to that box indicate a probe, scan, or
> attack.  This helps reduce both false positives and false
> negatives.  Exampls of such honeypots include BackOfficer Friendly,
> DTK, ManTrap, Specter, and Honeynets.
> 
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could incidate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.
> 
> Of course this does not give you the Data Capture capabilites
> of a honeypot, as there is no system for the attacker to
> interact with.  However, this could be used to help detect
> scanning or probing activity.
> 
> Thoughts?
> 
> 

-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
glratt at ...152...                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.





More information about the Snort-users mailing list