[Snort-users] RE: VERY simple 'virtual' honeypot

Alex Collins ALEX.COLLINS at ...5243...
Fri Mar 8 01:34:02 EST 2002

> > Of course this does not give you the Data Capture capabilities
> > of a honeypot, as there is no system for the attacker to
> > interact with.  However, this could be used to help detect
> > scanning or probing activity.
> Better yet have snort spoof a reply (i.e. pretend that a valid port is
> there). Then the attacker comes back later for more giving you more
> information and wasting more of their time. Then you get a bit of the best
> of both worlds. I'm sure snort, portsentry or something similar could
> be hacked up to do it. Alternatively, use port redirects on Linux/OpenBSD to
> redirect stuff for unused networks to a "legit" server that will reply
> basic stuff.

If you could craft a "reply" routine for snort, that could be actioned over
a combination of packets, you could then define a range of actions that
would be useful both from the perspective of a "responsive" IDS (e.g. TCP
resets) and as a honeypot (e.g. acknowledge packets, send back banners)
logging further packets that are received.

If this were easily customisable, you could gain information for a wide range
of systems & services, without needing to have legit honeypots for these.

Alex Collins
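The idea discussed above (spoof a banner on an otherwise unused port, then log whatever the probe sends back) as an added example; this is not code from the thread, from Snort or from portsentry. The listening ports, banner strings and probe text are constructed placeholders.

```python
import socket
import threading
import time

# Constructed banner table (hypothetical values): listening port -> banner the
# fake service sends on connect, so a scanner sees a "live" port and returns.
BANNERS = {
    2121: b"220 ftp.honeypot.test FTP server ready\r\n",
    2222: b"SSH-2.0-OpenSSH_5.9\r\n",
}


def handle_probe(conn, peer, port, banner, log, timeout=2.0):
    """Send the spoofed banner, then record everything the probe sends back."""
    conn.settimeout(timeout)
    received = b""
    try:
        conn.sendall(banner)
        while True:
            chunk = conn.recv(1024)
            if not chunk:          # probe closed the connection
                break
            received += chunk
    except socket.timeout:
        pass                       # silent after the banner; still worth a record
    finally:
        conn.close()
    log.append({"ts": time.time(), "peer": peer, "port": port, "data": received})


def serve_fake_port(port, banner, log, max_conns=1, bind="127.0.0.1"):
    """Listen on one unused port, answer max_conns probes, then stop.
    Returns (bound_port, thread); port=0 lets the OS pick an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    bound = srv.getsockname()[1]

    def loop():
        for _ in range(max_conns):
            conn, addr = srv.accept()
            handle_probe(conn, "%s:%d" % addr, bound, banner, log)
        srv.close()

    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return bound, t


def send_probe(port, payload, host="127.0.0.1"):
    """Client side for a local self-check: connect, read the banner, send payload."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner
```

Every record in `log` is a probe that came back after the fake banner, which is the detection signal the thread is after; in production the listener would bind the unused address space rather than loopback.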
