[Snort-users] Re: VERY simple 'virtual' honeypot

Chris Grout cgrout at ...3649...
Thu Mar 7 22:40:02 EST 2002


Well, all these things do not accomplish one of the main reasons many
people run honeypots.  To study exactly what happens *after* the scans
are done, the exploits sent, and/or the service crashed.

A good number of exploits cause something to happen that requires the
interaction of a normal OS with normal system tools (i.e.  bind a root
shell, rcp/tftp in a rootkit, build a trojan'd sshd, nc back home...).
All of which you might be able to determine they were attempting
with some of the methods mentioned earlier, but then what?  What was
that "rootkit" going to do to my box?  Was it custom written for me?
How did that attack look to the OS or was anything even logged at the
host level?

If your purpose is to log unsolicited traffic, use the method Brian
mentions.  Pick an unused IP, and log 100% of traffic to it.  Anyone
hitting it instantly becomes suspicious.

If your purpose is to "catch and record" that unsolicited traffic after
the 3 way handshake was successful, then I believe a number of instances
of netcat bound to those interesting ports, piping to files, should work
just fine.

Now if you want to allow the exploits and attacks to complete, study any
real activity after the 'sploit does its business, or anything more in
depth like this, then you're going to need to run a real OS.  Especially
to catch anything new.  Sure many products simulate vulnerable system
responses, but in my opinion, those results are tainted.

Good schtuff...

Chris
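The "netcat bound to interesting ports, piping to files" setup from the
message above, written out as an added example (not a script from the
original thread).  It assumes the traditional netcat 1.10 option syntax
(-l -p -s -v); the unused address 192.0.2.10, the port list, the log
directory and the file name nclisten.sh are all made-up values for the
example.

```shell
#!/bin/sh
# nclisten.sh (added example, not from the original message): one netcat
# listener per "interesting" port on an otherwise unused IP.  netcat
# completes the 3-way handshake and everything the client then sends is
# written to a file, so the payload of an exploit attempt is kept intact.
# Assumptions: netcat 1.10 syntax (-l -p -s -v); DARK_IP, PORTS and LOGDIR
# below are example values.

DARK_IP="${DARK_IP:-192.0.2.10}"
LOGDIR="${LOGDIR:-/var/log/nclogs}"
PORTS="${PORTS:-21 22 23 25 53 80 110 111 139 443 1433 3306}"

# log_path PORT EPOCH SEQ -> file name for one captured connection.
# Zero-padded port plus a per-listener sequence number keeps the directory
# sortable and stops two hits in the same second from clobbering each other.
log_path() {
    printf '%s/port%05d-%s-%04d.log' "$LOGDIR" "$1" "$2" "$3"
}

# valid_port N -> success if N is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# listen_port PORT: re-arm the listener after every connection.
# stdout (what the client sent) goes to a fresh per-connection file;
# stderr (netcat's "connect to ... from ..." line, thanks to -v) is appended
# to one connections log, so the peer address survives even when the client
# connected and sent nothing (a plain connect scan), in which case the empty
# payload file is dropped.
listen_port() {
    port=$1
    n=0
    while :; do
        n=$((n + 1))
        f=$(log_path "$port" "$(date +%s)" "$n")
        nc -v -l -p "$port" -s "$DARK_IP" > "$f" 2>> "$LOGDIR/connections.log"
        [ -s "$f" ] || rm -f "$f"
    done
}

# Run as "./nclisten.sh start" to launch every listener in the background.
if [ "${1:-}" = start ]; then
    mkdir -p "$LOGDIR"
    for p in $PORTS; do
        valid_port "$p" || { echo "bad port: $p" >&2; exit 1; }
        listen_port "$p" &
    done
    wait
fi
```

Two things to check before trusting the captures: the unused address has
to be configured on the box (an interface alias) or netcat's -s bind will
fail, and ports below 1024 need root, so run it on a throwaway host, not
the sensor.  Note that this records only what the client sends; the
listener never answers with a banner, so exploits that wait for one
(SMTP, FTP, SSH) will show up as a connection and nothing else, which is
exactly the limitation the message above is pointing at.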

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Brian
Caswell
Sent: Thursday, March 07, 2002 8:55 PM
To: Lance Spitzner
Cc: Snort-Users (E-mail); honeypots at ...35...
Subject: [Snort-users] Re: VERY simple 'virtual' honeypot


On Thu, Mar 07, 2002 at 10:34:16PM -0600, Lance Spitzner wrote:
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.

Heck, for those of us with nazi firewalls, those will do just
fine.  If you use PF [0], you can log all incoming blocked
packets and then view them with Snort (with a small patch) or
tcpdump.

That's cheaper than wasting an IP, and most people that would
run a honeypot already watch their firewall logs.

[0] there is probably something like that in linux, but the
    only thing I use linux for is building RPMs of snort :)

-brian
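Lance's suggestion above, alerting on any SYN or UDP datagram sent to an
address that has no system, written out as a Snort rules fragment.  This is
an added example, not rules posted in the thread; the 192.0.2.0/28 range,
the DARKNET variable name and the sid numbers are assumptions (sids from
1000000 up are the range left free for local rules).

```snort
# Added example, not from the original thread.  Address range, variable
# name and sids are assumptions.

# snort.conf: a block of addresses that no host answers on.
var DARKNET 192.0.2.0/28

# darknet.rules: nothing legitimate should ever talk to these addresses,
# so a bare SYN or any UDP datagram aimed at them is a probe, scan or
# attack.  flags:S,12 matches packets with only SYN set while ignoring the
# two reserved (ECN) bits, so ECN-capable scanners are not missed.
alert tcp any any -> $DARKNET any (msg:"DARKNET TCP SYN to unused IP"; flags:S,12; sid:1000001; rev:1;)
alert udp any any -> $DARKNET any (msg:"DARKNET UDP to unused IP"; sid:1000002; rev:1;)
```

One caveat a sensor placement can break: if the dark block lives on a
subnet behind a router, the router ARPs for the unused address, gets no
reply and drops the packet, so the SYN never reaches the segment the
sensor is on.  Put Snort on the upstream side of that router, or route
the dark block to an interface the sensor can see.  Brian's PF variant
needs no Snort rule at all: a `darknet = "192.0.2.0/28"` macro and
`block in log on $ext_if inet from any to $darknet` in pf.conf, then
`tcpdump -n -e -ttt -r /var/log/pflog` to read the logged packets.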