[Snort-users] Re: VERY simple 'virtual' honeypot
iob at ...5235...
Thu Mar 7 21:45:08 EST 2002
Lance Spitzner wrote:
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system? This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.
> Of course this does not give you the Data Capture capabilities
> of a honeypot, as there is no system for the attacker to
> interact with. However, this could be used to help detect
> scanning or probing activity.
If your Snort (or other sensor) is part of the network infrastructure (a bridge,
a switch or a router) then you will have the packet. If not, then you should
really only see an ARP request from the router.
Of course, you can proxy ARP for the addresses on or near your sensor box. Then
you should see the packets, and you even have the possibility to interact with
the attack. I think that functionality is very much what LaBrea does.
Ian O'Brien
408-696-2182=Pgr
iob at ...5235...

"What kind of head of security would I be if I let people like me know things
that I'm not supposed to know?" --- Michael Garibaldi, B5
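The detection idea Lance proposes and the sensor-placement caveat Ian raises, as an added Python example that is not part of the original thread and not Snort's own code: it computes the "dark" addresses of a monitored range (addresses with no live host), classifies a handful of packets the way such rules would, treats the upstream router's ARP request for a dark address as the off-path version of the same signal, and emits equivalent Snort rules. The addresses, the packet records, the DARK_HOSTS variable name and the sid range are all assumptions made for the example.

```python
"""Model of the 'virtual honeypot' in the thread: alert on a TCP SYN or UDP
packet aimed at an address in a monitored range that has no live host behind it
(example code written for this page, not Snort's own logic).  It also models the
caveat from the reply: a sensor that is not a bridge, switch or router in the
forwarding path may see only the upstream router's ARP request for the dark
address, not the probe itself.  All addresses and packets below are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "arp"
    src: str             # source IP (for arp: the host asking "who-has")
    dst: str             # destination IP (for arp: the target address)
    dport: int = 0
    tcp_flags: str = ""  # TCP flag letters, Snort style: "S", "SA", "A", ...


def dark_addresses(monitored: str, live_hosts: Iterable[str]) -> Set[str]:
    """Every usable address in `monitored` that is not assigned to a live host."""
    net = ipaddress.ip_network(monitored)
    live = {ipaddress.ip_address(h) for h in live_hosts}
    return {str(a) for a in net.hosts() if a not in live}


def classify(pkt: Packet, dark: Set[str]) -> Optional[str]:
    """Return an alert message for `pkt`, or None if it is not a probe of dark space."""
    if pkt.dst not in dark:
        return None
    # Only a pure SYN counts: SYN-ACK, RST or stray ACKs landing in dark space are
    # usually backscatter from someone else's spoofed traffic, not a probe of us.
    if pkt.proto == "tcp" and pkt.tcp_flags == "S":
        return f"TCP SYN to unused address {pkt.dst}:{pkt.dport}"
    if pkt.proto == "udp":
        return f"UDP to unused address {pkt.dst}:{pkt.dport}"
    # Off-path sensor: the probe never reached us, but the router asked for the
    # MAC of an address nobody owns, which is the same signal one hop removed.
    if pkt.proto == "arp":
        return f"ARP who-has for unused address {pkt.dst} (only the router's ARP request was visible)"
    return None


def scan(packets: Iterable[Packet], dark: Set[str]) -> List[Tuple[str, str]]:
    """(source, alert message) for every packet that looks like a probe of dark space."""
    alerts = []
    for pkt in packets:
        msg = classify(pkt, dark)
        if msg is not None:
            alerts.append((pkt.src, msg))
    return alerts


def snort_rules(dark: Set[str], base_sid: int = 1000001) -> str:
    """Equivalent Snort rules (assumed variable name DARK_HOSTS).  They only fire on a
    sensor that actually sees the packets; sids start in the local range (>= 1000000)
    so they do not collide with the distributed rule set."""
    hosts = ",".join(sorted(dark, key=ipaddress.ip_address))
    return "\n".join([
        f"var DARK_HOSTS [{hosts}]",
        f'alert tcp any any -> $DARK_HOSTS any (msg:"TCP SYN to unused address"; flags:S; sid:{base_sid}; rev:1;)',
        f'alert udp any any -> $DARK_HOSTS any (msg:"UDP to unused address"; sid:{base_sid + 1}; rev:1;)',
    ])


# Constructed monitored segment: router .1 and two servers are live, the rest is dark.
MONITORED = "10.0.0.0/28"
LIVE_HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]

# Constructed traffic as an in-path sensor (1-5) and an off-path sensor (6) would see it.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.7", "10.0.0.5", 22, "S"),    # SYN into dark space -> alert
    Packet("tcp", "203.0.113.7", "10.0.0.2", 80, "S"),    # SYN to a live server -> normal
    Packet("udp", "198.51.100.4", "10.0.0.9", 161),       # SNMP sweep into dark space -> alert
    Packet("tcp", "10.0.0.2", "203.0.113.7", 443, "SA"),  # our server replying -> normal
    Packet("tcp", "192.0.2.9", "10.0.0.7", 443, "A"),     # stray ACK (backscatter) -> ignored
    Packet("arp", "10.0.0.1", "10.0.0.12"),               # router asks who-has a dark address -> alert
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the constructed traffic through the detector; returns three alerts."""
    return scan(SAMPLE_PACKETS, dark_addresses(MONITORED, LIVE_HOSTS))


if __name__ == "__main__":
    for src, msg in run_sample():
        print(f"{src}: {msg}")
    print(snort_rules(dark_addresses(MONITORED, LIVE_HOSTS)))
```

Two things to keep in mind when turning this into real rules: `flags:S` in Snort is an exact match, so a SYN with other flag bits set will not trigger it, and the ARP branch has no Snort rule equivalent here because, as the reply says, an off-path sensor never receives the IP packet at all; it is only the proxy-ARP trick that brings the packet to the sensor and makes the tcp/udp rules fire.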