[Snort-users] Re: VERY simple 'virtual' honeypot

Ian O'Brien iob at ...5235...
Thu Mar 7 21:45:08 EST 2002

Lance Spitzner wrote:


> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.
> Of course this does not give you the Data Capture capabilites
> of a honeypot, as there is no system for the attacker to
> interact with.  However, this could be used to help detect
> scanning or probing activity.

If your Snort (or other sensor) is part of the network infrastructure (a bridge, 
a switch or a router) then you will have the packet. If not, then you should 
really only see an ARP request from the router.

Of course, you can proxy ARP for the addresses on or near your sensor box. Then 
you should see the packets, and you even have the possibility to interact with 
the attack. I think that functionality is very much what LaBrea does.


Ian O'Brien      What kind of head of security would I be if I let people
408-696-2182=Pgr       like me know things that I'm not supposed to know?
iob at ...5235...                                  --- Michael Garibaldi, B5
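Lance's rule idea and Ian's ARP caveat, worked through as an added example (this is not code from the original thread, from Snort or from LaBrea). It computes the unused ("dark") addresses of a monitored subnet, emits the two Snort rules Lance describes (a bare SYN or any UDP datagram to a dark address), and runs the same logic over a few `tcpdump -n` style lines, including the router's ARP "who-has" for a dark address, which is all an off-path sensor would see. The subnet 192.0.2.0/24, its live hosts, the scanner address 198.51.100.7, the sid values and every capture line are constructed for illustration.

```python
import ipaddress
import re

# Constructed for this example: the monitored subnet and the hosts in it that
# actually exist.  Every other host address in the subnet is "dark".
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
LIVE_HOSTS = frozenset(ipaddress.ip_address(a)
                       for a in ("192.0.2.1", "192.0.2.10", "192.0.2.20"))


def dark_ranges(net=MONITORED_NET, live=LIVE_HOSTS):
    """Unused host addresses in `net`, collapsed into the fewest CIDR blocks."""
    singles = (ipaddress.ip_network(f"{a}/32") for a in net.hosts() if a not in live)
    return list(ipaddress.collapse_addresses(singles))


def snort_rules(net=MONITORED_NET, live=LIVE_HOSTS, base_sid=1000001):
    """Snort rules for the idea in the thread: alert on a bare SYN, or on any
    UDP datagram, sent to a dark address.  `flags:S,12` matches a SYN with no
    other flag set (the ,12 mask ignores the two reserved bits), so SYN-ACK
    replies from live hosts are not flagged.  The sid values are assumed."""
    dark = "[" + ",".join(str(r) for r in dark_ranges(net, live)) + "]"
    return [
        f'alert tcp any any -> {dark} any '
        f'(msg:"SYN to unused address"; flags:S,12; sid:{base_sid}; rev:1;)',
        f'alert udp any any -> {dark} any '
        f'(msg:"UDP to unused address"; sid:{base_sid + 1}; rev:1;)',
    ]


# `tcpdump -n` line shapes for TCP, UDP and an ARP request.
IP4 = r"(\d+\.\d+\.\d+\.\d+)"
TCP_RE = re.compile(rf"^\S+ IP {IP4}\.(\d+) > {IP4}\.(\d+): Flags \[([^\]]*)\]")
UDP_RE = re.compile(rf"^\S+ IP {IP4}\.(\d+) > {IP4}\.(\d+): UDP")
ARP_RE = re.compile(rf"^\S+ ARP, Request who-has {IP4} tell {IP4}")


def is_dark(addr, net=MONITORED_NET, live=LIVE_HOSTS):
    """True if `addr` is an unused host address inside the monitored subnet."""
    a = ipaddress.ip_address(addr)
    return (a in net and a not in live
            and a not in (net.network_address, net.broadcast_address))


def classify(line, net=MONITORED_NET, live=LIVE_HOSTS):
    """Return (kind, source, target) for a packet worth alerting on, else None."""
    m = TCP_RE.match(line)
    if m:
        src, _sport, dst, dport, flags = m.groups()
        # Only a bare SYN ("[S]") is a probe; "[S.]" is a SYN-ACK reply.
        if flags == "S" and is_dark(dst, net, live):
            return ("tcp-syn", src, f"{dst}:{dport}")
        return None
    m = UDP_RE.match(line)
    if m:
        src, _sport, dst, dport = m.groups()
        if is_dark(dst, net, live):
            return ("udp", src, f"{dst}:{dport}")
        return None
    m = ARP_RE.match(line)
    if m:
        target, sender = m.groups()
        # Ian's point: off the forwarding path you see only the router (the
        # "tell" address) asking who owns the dark address, not the probe itself.
        if is_dark(target, net, live):
            return ("arp-whohas", sender, target)
    return None


def scan(lines, net=MONITORED_NET, live=LIVE_HOSTS):
    """All alerts for a sequence of capture lines, in order."""
    return [a for a in (classify(l, net, live) for l in lines) if a]


# Constructed capture: one scanner, two live-host packets, two dark-address
# probes, a SYN-ACK (backscatter) to a dark address, and the router's ARPs.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 198.51.100.7.40000 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0",
    "12:00:01.000002 IP 198.51.100.7.40001 > 192.0.2.5.22: Flags [S], seq 1, win 1024, length 0",
    "12:00:01.000003 IP 192.0.2.10.22 > 198.51.100.7.40000: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "12:00:02.000001 IP 198.51.100.7.5353 > 192.0.2.7.161: UDP, length 40",
    "12:00:02.000002 IP 203.0.113.9.80 > 192.0.2.6.40002: Flags [S.], seq 1, ack 1, win 1024, length 0",
    "12:00:03.000001 ARP, Request who-has 192.0.2.9 tell 192.0.2.1, length 28",
    "12:00:03.000002 ARP, Request who-has 192.0.2.20 tell 192.0.2.1, length 28",
]

if __name__ == "__main__":
    for rule in snort_rules():
        print(rule)
    for alert in scan(SAMPLE_CAPTURE):
        print(alert)
```

The SYN-ACK to 192.0.2.6 is deliberately not reported: Lance's rule keys on an initial SYN, and a SYN-ACK arriving at a dark address is backscatter from someone spoofing your space, which is a different signal. If the sensor is not a bridge, switch or router on the path, expect only the `arp-whohas` alerts for the dark addresses unless you proxy ARP for them as Ian suggests.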
