[Snort-users] Re: VERY simple 'virtual' honeypot

Marcus J. Ranum mjr at ...3152...
Fri Mar 8 06:41:07 EST 2002


Lance Spitzner wrote:
>However, I was just thinking, why bother deploying the box?
>Why not create a list of Snort rules that generate an alert
>whenever a TCP/SYN packet or UDP packet is sent to an IP
>address that has no system?  This could incidate a probe,
>scan or attack, the same principles of a honeypot, but
>without deploying an actual system.

For that matter, couldn't you _almost_ put something like that together
using filtering rules in a router?  Syslog 'em off the router and process 'em
on a backend system.

mjr.





More information about the Snort-users mailing list