[Snort-users] RE: VERY simple 'virtual' honeypot

Rick Francis rfrancis at ...468...
Fri Mar 8 06:14:03 EST 2002

Eventually, through honey-code, me-thinks, a
counter-attack system will be developed that
can automate a range of responses to specific
patterns. Eventually this could be the
responsibility of the honeypotbot.


-----Original Message-----
From: Lance Spitzner [mailto:lance at ...2024...]
Sent: 07 March, 2002 10:34 PM
To: Snort-Users (E-mail); honeypots at ...35...
Subject: VERY simple 'virtual' honeypot

Most honeypots work on the same concept: a system that has no
production activity.  You deploy a box that has no production
value, so any packets going to that box indicate a probe, scan, or
attack.  This helps reduce both false positives and false
negatives.  Examples of such honeypots include BackOfficer Friendly,
DTK, ManTrap, Specter, and Honeynets.

However, I was just thinking, why bother deploying the box?
Why not create a list of Snort rules that generate an alert
whenever a TCP/SYN packet or UDP packet is sent to an IP
address that has no system?  This could indicate a probe,
scan or attack, on the same principle as a honeypot, but
without deploying an actual system.

Of course this does not give you the Data Capture capabilities
of a honeypot, as there is no system for the attacker to
interact with.  However, this could be used to help detect
scanning or probing activity.


Lance Spitzner
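The rules Lance describes, as an added example that is not part of the original post or of the Snort project: the awkward part of the idea is keeping the list of "addresses that have no system" accurate, so the script below derives that list from a host inventory (skipping the network and broadcast addresses, the gateway and a DHCP pool, all of which would otherwise be steady false positives), collapses it into CIDR blocks, and emits one TCP-SYN rule and one UDP rule in Snort 2.x syntax. A small offline matcher approximates the two rules so the logic can be checked without running Snort. The subnet, the inventory, the reserved ranges, the SID numbers and the rule messages are assumptions chosen for illustration.

```python
"""
Snort 'virtual honeypot' rules: alert on any TCP SYN or UDP datagram sent
to an IP in a monitored subnet that has no host on it.

Added example for this thread, not code from the original post or from
Snort.  The subnet, the host inventory, the reserved ranges and the SID
numbers are assumptions.  Rule syntax is Snort 2.x.
"""
import ipaddress


def unused_addresses(subnet, live_hosts, reserved=()):
    """Return, as strings, the host addresses in `subnet` with no system on them.

    The network and broadcast addresses are left out on purpose: traffic to
    the broadcast address is normal and would be a false positive.  `reserved`
    lists addresses or CIDR blocks (gateway, DHCP pool) that may carry traffic
    even though no permanent host for them is in the inventory.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    skip = {ipaddress.ip_address(h) for h in live_hosts}
    for block in reserved:
        skip.update(ipaddress.ip_network(block, strict=False))
    return [str(a) for a in net.hosts() if a not in skip]


def _snort_ip_list(addresses):
    """Collapse single addresses into CIDR blocks and format a Snort IP list."""
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(a) for a in addresses)   # "a.b.c.d" -> a.b.c.d/32
    parts = [str(n.network_address) if n.prefixlen == 32 else str(n)
             for n in nets]
    return "[" + ",".join(parts) + "]"


def snort_rules(dark, sid_base=1000001):
    """Two rules covering every dark address; SIDs >= 1000000 are the local range."""
    dst = _snort_ip_list(dark)
    # flags:S,12 = SYN set and nothing else, ignoring the two reserved (ECN)
    # bits, so ECN-capable SYNs and nmap's ECN probe still match.
    tcp = ('alert tcp any any -> %s any (msg:"DARKNET TCP SYN to unused address"; '
           'flags:S,12; classtype:attempted-recon; sid:%d; rev:1;)'
           % (dst, sid_base))
    udp = ('alert udp any any -> %s any (msg:"DARKNET UDP to unused address"; '
           'classtype:attempted-recon; sid:%d; rev:1;)'
           % (dst, sid_base + 1))
    return [tcp, udp]


def would_alert(dark, proto, flags, dst):
    """Offline approximation of the two rules for one packet.

    `flags` is a string of TCP flag letters (S=SYN, A=ACK, C=CWR, E=ECE, ...).
    Returns "tcp", "udp" or None.  This only checks the rule logic; it is
    not a packet parser.
    """
    if dst not in set(dark):
        return None
    if proto == "udp":
        return "udp"
    if proto == "tcp" and set(flags) - {"C", "E"} == {"S"}:
        return "tcp"
    return None


if __name__ == "__main__":
    # Constructed inventory: a /24 with three live hosts, the gateway at .1
    # and a small DHCP pool at .100-.103.
    dark = unused_addresses(
        "192.168.1.0/24",
        live_hosts=["192.168.1.10", "192.168.1.11", "192.168.1.20"],
        reserved=["192.168.1.1", "192.168.1.100/30"])
    for rule in snort_rules(dark):
        print(rule)
```

Paste the printed rules into a local rules file and include it from snort.conf. Whenever a host is added to the subnet, regenerate the rules; a stale dark list is the main way this scheme produces false positives.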
