[Snort-users] VERY simple 'virtual' honeypot

Glenn Forbes Fleming Larratt glratt at ...152...
Thu Mar 7 21:41:03 EST 2002

I used LaBrea in this way - created a bogus /24 off my production 
network, poked a global allow for that /24 at my border, fired
up LaBrea and Snort on an unaddressed laptop on the /24, and

Some points of order regarding this quasi-honeypot:

- no dns, no outbound traffic, no nothing to indicate to an external
        party that the subnet even existed - thus, any traffic coming to
        that network was either misdirected or hostile;
- historically, the subnet had been unused and unallocated out of our
        /16 core (.edu network) for over two years;

- the subnet came into existence on Thu Dec 20 2001 sometime after 4:15 p.m.;
- in the first full day of listening (December 21st) - one 24-hour period:
- 1,702 different external hosts attempted at least one initial TCP connection;

- 1,026 attempted more than one;

- 335 attempted 20 or more;

- 71 attempted 255 or more, thereby scanning the entire subnet multiple times -
        of the top 60 or so:

        - 12 unique IPs came from U.S. educational institutions
        (UCLA, UVA, UGA,
        SunyBuffalo, UWA,
        UHI, SunyBinghamton,
        Syracuse, WashUStLouis,
        UOKNorman, UMI;

        - 12 unique IPs came from US providers (HSACorp,
        AOL, rr.com, genuity.net,
        naxs.com, arnet, UUNET,
        Comastpc.com, @home,

        - 5 came from a random US ".com" (tag.com,
        mrws.net, "Oilgear" (AT&T),
        BritSys.com, RuralNet;

        - 3 came from Canada (BellNexxia,
        ShawFiberlink, hyperlinx.net;

        - 3 came from Mexico (UnivAutonomaZacatecas,
        MERKANET, Avantel;

        - 2 came from South America (cable.net.co-Colombia,

        - 5 came from Germany (denoc.net,
        JWGoethe-UnivFrankfurt, t-online.com,

        - 4 came from France (internet-fr.net,
        wanadoo, wanadoo,

        - 2 came from Norway (nextgentel.com,

        - 2 came from the Netherlands (tiscali.nl,

        - 6 came from other European countries
        Lidkopings-Sweden, MedUnivLodz-Poland,
        telefonica.es-Spain, tin.it-Italy,

        - 1 came from Australia (bigpond.net.au;

        - 1 came from India (vsnl.net;

        - 9 came from Korea (rapitel.co.kr,
        KoreaTelecom, nuri.net 210.1221.56.192/26,
        kornet.net, kornet;

        - 2 came from China (Chinanet,

        - 1 came from Taiwan (TANET;

        - 1 came from Japan (u-tokyo.ac.jp;

- activity peaks occurred 6-7am (97 hits), 11-12am (148), 5-6pm (158),
        6-7pm (202), and 7-8pm (295); [all times CST]

- most of these were reconnaissance (see below).
- of the initial connection attempts, 845 were to HTTP port 80 (presumably
        Code Red, Nimda, or more serious Web attackers), 243 were to FTP port
        21 (widely vulnerable), 242 were to SOCKS/Wingate port 1080 (widely
        exploitable), 232 were to ssh port 22 (recent exploits), and 14
        were to portmapper port 111 (an oldie but a goodie - widely
        exploitable, but most people block it nowadays)
- 56 hosts completed a TCP connection, 53 more than one, 43 hosts completed
        20 or more, and 9 hosts completed 255 or more; this number was
        presumably attempting exploits in realtime.
- 4 internal security issues were detected:
        3 incidences of Code Red or Nimda
        1 incidence of a compromised internal machine portscanning ssh


On Thu, 7 Mar 2002, Lance Spitzner wrote:

> Most honeypots work on the same concept, a system that has no
> production activity.  You deploy a box that has no production
> value, any packets going to that box indicate a probe, scan, or
> attack.  This helps reduce both false positives and false
> negatives.  Examples of such honeypots include BackOfficer Friendly,
> DTK, ManTrap, Specter, and Honeynets.
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.
> Of course this does not give you the Data Capture capabilities
> of a honeypot, as there is no system for the attacker to
> interact with.  However, this could be used to help detect
> scanning or probing activity.
> Thoughts?

Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
glratt at ...152...                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.
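
Added example, not part of either message: a Python tally over Snort "fast" alert lines for an unused subnet, producing the per-source thresholds (1, 2, 20, 255 attempts), destination-port counts and busiest hour of the kind reported above. The 192.0.2.0/24 prefix, the rule message, the sid and every sample line are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: 192.0.2.0/24 stands in for the unused subnet being watched.
DARKNET = ipaddress.ip_network("192.0.2.0/24")

# Snort "fast" alert line: MM/DD-HH:MM:SS.usec ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^\d\d/\d\d-(?P<hour>\d\d):\d\d:\d\d\.\d+\s.*\{(?:TCP|UDP)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def summarize(lines, thresholds=(1, 2, 20, 255)):
    """Count alerts aimed at the darknet per source, destination port and hour."""
    per_src, per_port, per_hour = Counter(), Counter(), Counter()
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not an alert line with IP:port endpoints
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address such as 10.999.1.1
        if dst not in DARKNET or src in DARKNET:
            continue  # only inbound traffic to the unused subnet counts
        per_src[str(src)] += 1
        per_port[int(m["dport"])] += 1
        per_hour[int(m["hour"])] += 1
    return {
        "sources_at_least": {t: sum(1 for c in per_src.values() if c >= t) for t in thresholds},
        "top_ports": per_port.most_common(5),
        "busiest_hour": per_hour.most_common(1)[0] if per_hour else None,
    }

def constructed_sample():
    """Constructed alert lines (not real data): a full sweep, a partial scan, a single probe."""
    fmt = "12/21-{h:02d}:15:02.000001  [**] [1:1000001:1] DARKNET probe [**] [Priority: 2] {{TCP}} {s}:40000 -> {d}:{p}"
    lines = [fmt.format(h=19, s="198.51.100.7", d=f"192.0.2.{i}", p=80) for i in range(1, 256)]
    lines += [fmt.format(h=6, s="203.0.113.9", d=f"192.0.2.{i}", p=22) for i in range(1, 21)]
    lines.append(fmt.format(h=11, s="203.0.113.50", d="192.0.2.33", p=21))
    lines.append(fmt.format(h=11, s="203.0.113.50", d="10.0.0.5", p=21))  # production host, ignored
    lines.append(fmt.format(h=11, s="10.999.1.1", d="192.0.2.33", p=21))  # malformed source, ignored
    return lines

if __name__ == "__main__":
    print(summarize(constructed_sample()))
```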
