[Snort-users] VERY simple 'virtual' honeypot

Jim Forster jforster at ...176...
Thu Mar 7 21:55:14 EST 2002

I've been in discussion over this topic for quite some time with some
friends / sysadmins, and granted, some arguments.

You put up a box, no reverse, no forward lookups, and let it listen.
ANYTHING coming to it, is obviously bad from SYN 1. - But, having it
react in some way is the question..  There is no reason whatsoever
this system would ever get any traffic, so how do you handle incoming
requests?  Retaliation.net sure sounded good, but it's taken, so that
kinda crushed that dream.  >:P

I've looked at LaBrea, and I like the idea.  They come in
(unwelcomed) and the door locks behind them.  But I agree here,
letting them "think" the system just responded might be a "hidden
accounting box on 'x's network" would yield much more interesting
results than just holding someone / worms at bay. (as well as let me
see what kind of '$up4r-r337" new script is out there)

I've seen people hit a FreeBSD system that obviously misread or
simply didn't understand the results of the scan/probe only to come
back and manually (I'm guessing, because of the typos) try to use
Unicode exploits to get into a "nimda-infected" box.  Not to mention
systems from 2 locations I work for have open FTP only to close it
and watch for them to come back.
I openly admit I'm a "noobie" to honeypots, but I'm really interested
in thoughts on the subject, and the possible correlation with Snort.
The multi-IP bindings seems like a good idea, but I worry about
having "joe sysadmin" install it and take down their router.  :)

Reacting in any way that may harm the attacker is "illegal" for all
but some of those heavy .gov proggies - SideWinder, as far as I know.
- correct?  Or is it even still used?
I guess it all depends on how you classify 'react'.  Passive, or
aggressive.  I guess personally, it depends on each case, and how
many times they have come back (intent).  One kid with a win proggie
looking for open windows shares isn't really going to be a problem.
Someone checking my FTP and SSH servers over a few class C's, then
coming back a week later to try and exploit them all is.

Truth is - The worms are (slowly) getting better, the kiddies are
learning to compile...  Things are going to change..  It's a question
of 'how' and 'when' can we react to it, and to what extent can we do
so?  Or can we make enough bait systems wide probing becomes useless
due to the sheer numbers of responses by hosts that "want" you to
come in.  I'd guess with current laws, bait and watch is our only
safe reaction?


On Thu, 7 Mar 2002 22:34:16 -0600 (CST), Lance Spitzner wrote:
>Most honeypots work on the same concept, a system that has no
>production activity.  You deploy a box that has no production
>value, any packets going to that box indicate a probe, scan, or
>attack.  This helps reduce both false positives and false
>negatives.  Exampls of such honeypots include BackOfficer Friendly,
>DTK, ManTrap, Specter, and Honeynets.
>However, I was just thinking, why bother deploying the box?
>Why not create a list of Snort rules that generate an alert
>whenever a TCP/SYN packet or UDP packet is sent to an IP
>address that has no system?  This could incidate a probe,
>scan or attack, the same principles of a honeypot, but
>without deploying an actual system.
>Of course this does not give you the Data Capture capabilites
>of a honeypot, as there is no system for the attacker to
>interact with.  However, this could be used to help detect
>scanning or probing activity.

Jim Forster, jforster at ...176... on 03/07/2002

More information about the Snort-users mailing list