[Snort-users] RE: VERY simple 'virtual' honeypot

Sawyer, John H. JSawyer at ...5249...
Fri Mar 8 06:17:05 EST 2002


What about incorporating LaBrea?  http://www.hackbusters.net/LaBrea/

<SNIP>
LaBrea is a program that creates a tarpit or, as some have called it, a
"sticky honeypot". LaBrea takes over unused IP addresses on a network and
creates "virtual machines" that answer to connection attempts. LaBrea
answers those connection attempts in a way that causes the machine at the
other end to get "stuck", sometimes for a very long time.
</SNIP>

It currently creates a "tarpit" to trap scans to IP's that aren't currently
being used.  Maybe someone could come up with it a way make Snort and LaBrea
work together.  Snort could handle all packet captures while LaBrea provides
IP's for the attacker to get tangled.


-jhs

------------------------------------------------
John H. Sawyer
University of Florida
jsawyer at ...5250...

<> > Most honeypots work on the same concept, a system that has no
<> > production activity.  You deploy a box that has no production
<> > value, any packets going to that box indicate a probe, scan, or
<> > attack.  This helps reduce both false positives and false
<> > negatives.  Exampls of such honeypots include BackOfficer Friendly,
<> > DTK, ManTrap, Specter, and Honeynets.
<> >
<> > However, I was just thinking, why bother deploying the box?
<> > Why not create a list of Snort rules that generate an alert
<> > whenever a TCP/SYN packet or UDP packet is sent to an IP
<> > address that has no system?  This could incidate a probe,
<> > scan or attack, the same principles of a honeypot, but
<> > without deploying an actual system.
<> >
<> 
<> Better yet have snort spoof a reply (i.e. pretend that a 
<> valid port is
<> there). Then the attacker comes back later for more giving you more
<> information and wasting more of their time. Then you get a 
<> bit of the best
<> of both worlds. I'm sure snort, portsentry or something 
<> similar could easily
<> be hacked up to do it. Alternative use port redirects on 
<> Linux/OpenBSD to
<> redirect stuff for unused networks to a "legit" server that 
<> will reply with
<> basic stuff.
<> 
<> > Thoughts?
<> >
<> > --
<> > Lance Spitzner
<> > http://project.honeynet.org
<> 
<> 
<> 
<> Kurt Seifried, kurt at ...5234...
<> A15B BEE5 B391 B9AD B0EF
<> AEB0 AD63 0B4E AD56 E574
<> http://seifried.org/security/
<> http://www.idefense.com/digest.html
<> 

<> 




More information about the Snort-users mailing list