[Snort-users] Re: VERY simple 'virtual' honeypot

nfudd at ...5247...
Fri Mar 8 05:05:10 EST 2002

On Thu, 7 Mar 2002, Kurt Seifried wrote:

> > However, I was just thinking, why bother deploying the box?
> > Why not create a list of Snort rules that generate an alert
> > whenever a TCP/SYN packet or UDP packet is sent to an IP
> > address that has no system?  This could indicate a probe,
> > scan or attack, the same principles of a honeypot, but
> > without deploying an actual system.


> Better yet have snort spoof a reply (i.e. pretend that a valid port is
> there). Then the attacker comes back later for more giving you more
> information and wasting more of their time. Then you get a bit of the best
> of both worlds. I'm sure snort, portsentry or something similar could easily
> be hacked up to do it. Alternatively, use port redirects on Linux/OpenBSD to
> redirect stuff for unused networks to a "legit" server that will reply with
> basic stuff.

See 'Labrea' (http://www.hackbusters.net/)

It does what you want.  It monitors unused ip addresses, and any
requests for those ip addresses generate false arp replies, followed
by false tcp connection establishment, using a minuscule window size.

It was developed to slow to a crawl programs like CodeRed, by slowing
down connection/infection attempts to the lowest value allowed by the
laws of tcp/ip.  CodeRed can't move on to new ip addresses until it's
finished with the first ones, and so a single Labrea can 'tarpit' a
whole lot of CodeRed viruses... or any OTHER port scanner.

Basically, it looks like every single port on every single unused ip
address is open.  If you telnet to one, your telnet will freeze;
if you browse to port 80, your browser times out, etc, etc.

See what you think.
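
The behaviour described in this message (answering a connection attempt to an unused address with a SYN/ACK that advertises a very small window), sketched as an added example that is not part of the original post and is not LaBrea's code. The addresses, the window value and all function names are assumptions made for illustration, and the false ARP reply step is left out.

```python
import ipaddress
import struct

MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed sample range (TEST-NET-1)
LIVE_HOSTS = {"192.0.2.10", "192.0.2.20"}             # constructed: addresses with a real system
TARPIT_WINDOW = 5    # assumed tiny receive window in bytes, not a value from the post
SYN, ACK = 0x02, 0x10

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers (protocol 6 = TCP)."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!BBH", 0, 6, tcp_len))

def is_dark(dst: str) -> bool:
    """True when dst lies in the monitored range and no system is assigned to it."""
    addr = ipaddress.ip_address(dst)
    edges = (MONITORED_NET.network_address, MONITORED_NET.broadcast_address)
    return addr in MONITORED_NET and addr not in edges and dst not in LIVE_HOSTS

def tarpit_reply(src, dst, sport, dport, seq, flags, isn=0x1000):
    """Build the 20-byte TCP header of the SYN/ACK for a pure SYN sent to an unused address."""
    if flags != SYN or not is_dark(dst):
        return None  # live host, out-of-range address or non-SYN segment: stay silent
    # The reply travels dst -> src: ports are swapped and ack = peer's seq + 1.
    fields = (dport, sport, isn, (seq + 1) & 0xFFFFFFFF, 5 << 12 | SYN | ACK, TARPIT_WINDOW)
    header = struct.pack("!HHIIHH", *fields) + struct.pack("!HH", 0, 0)
    csum = checksum(pseudo_header(dst, src, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]
```

The small advertised window is what holds the connecting client in place: its TCP stack completes the handshake but may send only a few bytes at a time.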
