[Snort-users] RE: VERY simple 'virtual' honeypot

Sawyer, John H. JSawyer at ...5249...
Fri Mar 8 06:17:05 EST 2002

What about incorporating LaBrea?  http://www.hackbusters.net/LaBrea/

LaBrea is a program that creates a tarpit or, as some have called it, a
"sticky honeypot". LaBrea takes over unused IP addresses on a network and
creates "virtual machines" that answer to connection attempts. LaBrea
answers those connection attempts in a way that causes the machine at the
other end to get "stuck", sometimes for a very long time.

It currently creates a "tarpit" to trap scans to IPs that aren't currently
being used.  Maybe someone could come up with a way to make Snort and LaBrea
work together.  Snort could handle all packet captures while LaBrea provides
IPs for the attacker to get tangled in.


John H. Sawyer
University of Florida
jsawyer at ...5250...

<> > Most honeypots work on the same concept, a system that has no
<> > production activity.  You deploy a box that has no production
<> > value, any packets going to that box indicate a probe, scan, or
<> > attack.  This helps reduce both false positives and false
<> > negatives.  Examples of such honeypots include BackOfficer Friendly,
<> > DTK, ManTrap, Specter, and Honeynets.
<> >
<> > However, I was just thinking, why bother deploying the box?
<> > Why not create a list of Snort rules that generate an alert
<> > whenever a TCP/SYN packet or UDP packet is sent to an IP
<> > address that has no system?  This could indicate a probe,
<> > scan or attack, the same principles of a honeypot, but
<> > without deploying an actual system.
<> >
<> Better yet, have snort spoof a reply (i.e. pretend that a valid port is
<> there). Then the attacker comes back later for more, giving you more
<> information and wasting more of their time. Then you get a bit of the best
<> of both worlds. I'm sure snort, portsentry or something similar could easily
<> be hacked up to do it. Alternatively, use port redirects on Linux/OpenBSD to
<> redirect stuff for unused networks to a "legit" server that will reply with
<> basic stuff.
<> > Thoughts?
<> >
<> > --
<> > Lance Spitzner
<> > http://project.honeynet.org
<> Kurt Seifried, kurt at ...5234...
<> A15B BEE5 B391 B9AD B0EF
<> AEB0 AD63 0B4E AD56 E574
<> http://seifried.org/security/
<> http://www.idefense.com/digest.html
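
The rule list Lance proposes above, written out as an added example (it is not from this thread, nor from the Snort or LaBrea projects): one rule per protocol, alerting on any TCP SYN, UDP datagram or ICMP echo request aimed at address space where no host lives. The UNUSED_NET variable, the ranges in it and the sid numbers are assumptions for illustration; substitute the dark space on your own network.

```snort
# Addresses on which nothing legitimately lives (assumed ranges; adjust to
# your network, and keep the subnet broadcast address out of the list).
var UNUSED_NET [192.0.2.64/26,192.0.2.128/25]

# TCP: match only the initial SYN (flags:S means SYN and nothing else), so
# SYN/ACKs and RSTs coming back from real hosts never trip the rule.
alert tcp any any -> $UNUSED_NET any (msg:"VIRTUAL-HONEYPOT TCP SYN to unused address"; flags:S; classtype:attempted-recon; sid:1000001; rev:1;)

# UDP: there is no handshake, so any datagram to dark space is suspect.
alert udp any any -> $UNUSED_NET any (msg:"VIRTUAL-HONEYPOT UDP packet to unused address"; classtype:attempted-recon; sid:1000002; rev:1;)

# ICMP: echo requests (itype 8) are what ping sweeps send.
alert icmp any any -> $UNUSED_NET any (msg:"VIRTUAL-HONEYPOT ICMP echo to unused address"; itype:8; classtype:attempted-recon; sid:1000003; rev:1;)
```

Two things to keep in mind when running these. The source is left as "any any" on purpose, so a worm-infected host on your own LAN sweeping its neighbours is caught as readily as an outside scanner; change it to !$HOME_NET if you only want external probes. And unlike LaBrea, nothing here answers the probe: the scanner sees an empty address and moves on, so you get the alert but not the "stuck" connection or the return visit Kurt describes.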


