[Snort-users] Re: VERY simple 'virtual' honeypot
Marcus J. Ranum
mjr at ...3152...
Fri Mar 8 06:41:07 EST 2002
Lance Spitzner wrote:
>However, I was just thinking, why bother deploying the box?
>Why not create a list of Snort rules that generate an alert
>whenever a TCP/SYN packet or UDP packet is sent to an IP
>address that has no system? This could indicate a probe,
>scan or attack, the same principles of a honeypot, but
>without deploying an actual system.
For that matter, couldn't you _almost_ put something like that together
using filtering rules in a router? Syslog 'em off the router and process 'em
on a backend system.
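
The router-and-syslog variant described above, sketched as an added example that is not part of the original post: a backend script that reads ACL deny lines from syslog and flags sources touching unused address space. The Cisco IOS-style log format, the dark range `192.0.2.128/25`, the threshold and all function names are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: address space with no real hosts behind it ("dark" space).
DARK_NETS = [ipaddress.ip_network("192.0.2.128/25")]

# Assumption: Cisco IOS-style ACL log text as relayed by syslog.
ACL_RE = re.compile(
    r"list \S+ denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Constructed sample lines, not captured from a real router.
SAMPLE_LOG = """\
Mar  8 06:40:01 gw1 101: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.7(40112) -> 192.0.2.130(22), 1 packet
Mar  8 06:40:01 gw1 102: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.7(40113) -> 192.0.2.131(22), 1 packet
Mar  8 06:40:02 gw1 103: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.7(40114) -> 192.0.2.132(22), 1 packet
Mar  8 06:40:05 gw1 104: %SEC-6-IPACCESSLOGP: list 110 denied udp 198.51.100.9(5353) -> 192.0.2.200(53), 1 packet
Mar  8 06:40:07 gw1 105: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.9(41000) -> 192.0.2.10(80), 1 packet
Mar  8 06:40:09 gw1 106: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

def is_dark(addr):
    """True if addr parses as an IP inside the unused ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # regex matched digits and dots that are not an IP
        return False
    return any(ip in net for net in DARK_NETS)

def dark_hits(lines):
    """Yield (src, dst, proto, dport) for denied packets aimed at dark space."""
    for line in lines:
        m = ACL_RE.search(line)
        if m and is_dark(m["dst"]):
            yield m["src"], m["dst"], m["proto"], int(m["dport"])

def summarize(lines, scan_threshold=3):
    """Per source: 'scan' if it touched >= scan_threshold distinct targets."""
    targets = defaultdict(set)
    for src, dst, proto, dport in dark_hits(lines):
        targets[src].add((dst, proto, dport))
    return {s: ("scan" if len(t) >= scan_threshold else "probe", len(t))
            for s, t in targets.items()}

if __name__ == "__main__":
    for src, (kind, n) in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {kind}, {n} distinct dark targets")
```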