[Snort-users] Re: VERY simple 'virtual' honeypot

John Kinsella jlk at ...5237...
Thu Mar 7 23:20:02 EST 2002


On Thu, Mar 07, 2002 at 10:34:16PM -0600, Lance Spitzner wrote:
(...)
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.

I'm presuming one would have Snort already set up, and is just
skipping the external honeypot part.  That said, what are you gaining
by seeing somebody scan/probe an IP with public services vs one
with no production services?  Only win I see from having the rules
for IPs not tied to a system is being able to see how targeted a
scan/attack is.

Finding out what somebody does when..."presented" with a vulnerability
is where the value comes from in a honey(pot/net), IMHO.

John
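Lance's idea, written out as Snort rules (an added example for this thread, not something either poster supplied). It assumes a constructed address block, 192.0.2.0/24, in which only 192.0.2.1 and 192.0.2.10 have systems behind them, so every other address in the block is "dark"; the event_filter line is Snort 2.x syntax and is there to answer John's "how targeted is it" question by collapsing a sweep into one alert per source.

```snort
# Added example, not from the thread. Constructed addressing:
# 192.0.2.0/24 is the monitored block; only .1 (router) and .10 (web
# server) are real hosts, so the rest of the block should never be
# addressed by legitimate traffic.
ipvar DARK_NET [192.0.2.0/24,![192.0.2.1,192.0.2.10]]

# TCP connection attempts to addresses with no system behind them.
# flags:S,12 matches a bare SYN and ignores the two reserved bits.
alert tcp any any -> $DARK_NET any ( \
    msg:"DARKNET TCP SYN to unused address"; \
    flags:S,12; \
    classtype:attempted-recon; \
    sid:1000001; rev:1; )

# UDP datagrams to addresses with no system behind them.
alert udp any any -> $DARK_NET any ( \
    msg:"DARKNET UDP to unused address"; \
    classtype:attempted-recon; \
    sid:1000002; rev:1; )

# A full sweep of the block would otherwise produce hundreds of alerts
# from one source. Limit the SYN rule to one alert per source per minute
# so the alert stream shows "who swept the block" rather than each packet.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
```

A source that trips sid 1000001 against many dark addresses is sweeping the block; one that only touches the live hosts never appears here at all, which is the distinction John asks about.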
