[Snort-users] Re: VERY simple 'virtual' honeypot

David Watson david.watson at ...5244...
Fri Mar 8 04:08:05 EST 2002

Lance / Kurt,

I had been thinking about exactly the same idea myself recently, simply for 
scan trend analysis on multiple networks / sites without having to deploy a 
full honeynet. How about something as simple as a Trinux boot disk with 
LaBrea tar pit running on an empty Internet connected segment? This would 
respond to incoming connection requests to any IP address on the local LAN 
and attempt to either hang on to the connections or reset them politely. 
The usual snort config would provide useful alerting and logging 
information, whilst with connection trapping enabled some attackers might 
be fooled into believing there were actual physical systems and coming back 
for more detailed scans?



At 21:47 07/03/2002 -0700, Kurt Seifried wrote:
> > Most honeypots work on the same concept, a system that has no
> > production activity.  You deploy a box that has no production
> > value, any packets going to that box indicate a probe, scan, or
> > attack.  This helps reduce both false positives and false
> > negatives.  Exampls of such honeypots include BackOfficer Friendly,
> > DTK, ManTrap, Specter, and Honeynets.
> >
> > However, I was just thinking, why bother deploying the box?
> > Why not create a list of Snort rules that generate an alert
> > whenever a TCP/SYN packet or UDP packet is sent to an IP
> > address that has no system?  This could incidate a probe,
> > scan or attack, the same principles of a honeypot, but
> > without deploying an actual system.
> >
> > Of course this does not give you the Data Capture capabilites
> > of a honeypot, as there is no system for the attacker to
> > interact with.  However, this could be used to help detect
> > scanning or probing activity.
>Better yet have snort spoof a reply (i.e. pretend that a valid port is
>there). Then the attacker comes back later for more giving you more
>information and wasting more of their time. Then you get a bit of the best
>of both worlds. I'm sure snort, portsentry or something similar could easily
>be hacked up to do it. Alternative use port redirects on Linux/OpenBSD to
>redirect stuff for unused networks to a "legit" server that will reply with
>basic stuff.
> > Thoughts?
> >
> > --
> > Lance Spitzner
> > http://project.honeynet.org
>Kurt Seifried, kurt at ...5234...
>A15B BEE5 B391 B9AD B0EF
>AEB0 AD63 0B4E AD56 E574
>To unsubscribe, e-mail: honeypots-unsubscribe at ...35...
>For additional commands, e-mail: honeypots-help at ...35...
>This list is provided by the SecurityFocus Security Intelligence Alert
>(SIA) Service. For more information on SecurityFocus' SIA service
>which automatically alerts you to the latest security vulnerabilities.
>Please, see: https://alerts.securityfocus.com/

David Watson                    Voice:  +44 1904 438000
Technical Manager               Fax:    +44 1904 435450
ioko365                 Email:  david.watson at ...5244...

More information about the Snort-users mailing list