[Snort-users] RE: VERY simple 'virtual' honeypot

Rick Francis rfrancis at ...468...
Fri Mar 8 06:14:03 EST 2002


eventually, through honey-code, me-thinks, a
counter-attack system will be developed that
can automate a range of responses to specific
patterns. eventually this could be the
responsibility of the honeypotbot.

rf

-----Original Message-----
From: Lance Spitzner [mailto:lance at ...2024...]
Sent: 07 March, 2002 10:34 PM
To: Snort-Users (E-mail); honeypots at ...35...
Subject: VERY simple 'virtual' honeypot


Most honeypots work on the same concept, a system that has no
production activity.  You deploy a box that has no production
value, any packets going to that box indicate a probe, scan, or
attack.  This helps reduce both false positives and false
negatives.  Examples of such honeypots include BackOfficer Friendly,
DTK, ManTrap, Specter, and Honeynets.

However, I was just thinking, why bother deploying the box?
Why not create a list of Snort rules that generate an alert
whenever a TCP/SYN packet or UDP packet is sent to an IP
address that has no system?  This could indicate a probe,
scan or attack, the same principles of a honeypot, but
without deploying an actual system.

Of course this does not give you the Data Capture capabilities
of a honeypot, as there is no system for the attacker to
interact with.  However, this could be used to help detect
scanning or probing activity.

Thoughts?

--
Lance Spitzner
http://project.honeynet.org
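
The rule list proposed in the original message can be generated from an address inventory. The following is an added example, not code from either poster or from the Snort project; the variable name UNUSED_IPS, the sid values, the function names and the sample subnet are assumptions made for illustration.

```python
import ipaddress

def unused_networks(subnet, in_use):
    """Collapse the host addresses of `subnet` that have no system into CIDR blocks."""
    used = {ipaddress.ip_address(a) for a in in_use}
    free = [ipaddress.ip_network(f"{h}/32")
            for h in ipaddress.ip_network(subnet).hosts() if h not in used]
    return list(ipaddress.collapse_addresses(free))

def honeypot_rules(subnet, in_use, base_sid=1000001):
    """Return snort.conf lines: one variable plus a TCP SYN rule and a UDP rule."""
    nets = unused_networks(subnet, in_use)
    if not nets:                      # every address is assigned: nothing to watch
        return []
    return [
        # UNUSED_IPS and the sids are hypothetical local names/values.
        "var UNUSED_IPS [" + ",".join(str(n) for n in nets) + "]",
        'alert tcp any any -> $UNUSED_IPS any (msg:"TCP SYN to unused address"; '
        f"flags:S; sid:{base_sid}; rev:1;)",
        'alert udp any any -> $UNUSED_IPS any (msg:"UDP packet to unused address"; '
        f"sid:{base_sid + 1}; rev:1;)",
    ]

def would_alert(proto, dst, nets, tcp_flags=""):
    """Model of the two rules: UDP always, TCP only when SYN is the sole flag."""
    if not any(ipaddress.ip_address(dst) in n for n in nets):
        return False
    return proto == "udp" or (proto == "tcp" and tcp_flags == "S")

# Constructed sample inventory (documentation address range).
SUBNET = "192.0.2.0/29"
IN_USE = ["192.0.2.1", "192.0.2.2"]

if __name__ == "__main__":
    print("\n".join(honeypot_rules(SUBNET, IN_USE)))
```

The sensor has to sit where packets for unassigned addresses are still visible, for example upstream of the last-hop router, since no host answers ARP for them. The inventory also has to be kept current, or a newly deployed system will trigger these rules on legitimate traffic.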

