[Snort-users] Re: VERY simple 'virtual' honeypot

Rob Thomas robt at ...5261...
Fri Mar 8 08:01:23 EST 2002


Hi, Marcus.

] For that matter, couldn't you _almost_ put something like that together
] using filtering rules in a router?  Syslog 'em off the router and process 'em
] on a backend system.

Be a bit cautious here.  During a surfeit of these naughty packets, the
logging activity on the router may lead to a home-brew DoS.  :/  If one
attempts to punt the syslog messages, or uses keywords such as "log" or
"log-input", the CPU can become overwhelmed quite quickly.  How this
affects the stability of the router is largely dependent on the router
model.  However, there is another, somewhat less dangerous, way.  :)

If you are running NetFlow on the router, you could export the flows to
a remote host.  This isn't quite as painful as punting off syslog
messages (again, depends on your gear) based on logging ACLs.  With
NetFlow you will have all of the flow information:  source/dest IP,
source/dest port, protocol, and number of packets.  This is how I track
a lot of naughty packets, without letting them ever penetrate my border.
It is sufficient to determine the scan du jour and it can be run in both
directions.  By watching your outbound flows you can quickly determine
which hosts have been compromised by the latest sploit, e.g. "why is my
server farm sending out copious UDP 137 packets?"

You do not have to export the flows.  I run NetFlow on several routers
where exporting the flows just isn't reasonable (for myriad reasons).
If, however, I receive a call that there is a rumpus, I can log into the
router and run a sh ip cac flo to quickly determine the whats, wheres,
and whys.  It can be very handy during DoS attacks.  See below:

http://www.cymru.com/~robt/Docs/Articles/dos-and-vip.html
http://www.cymru.com/~robt/Docs/Articles/tracking-spoofed.html

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
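The flow-watching approach Rob describes (summarise NetFlow records in both directions to spot the scan du jour inbound and hosts spraying a single port outbound) can be scripted against exported flows. The following is an added example, not Rob's code or anything from the Snort project; the record format, the 10.1.0.0/16 "internal" prefix and the sample flows are constructed for illustration, and a real deployment would feed it records from a collector rather than inline strings.

```python
"""Summarise NetFlow-style records in both directions: find an external
source probing many internal hosts on one port (inbound), and an internal
host spraying one port at many external hosts (outbound), e.g. the
"server farm sending out copious UDP 137 packets" case.

Added example; record layout and sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp"
    sport: int
    dport: int
    packets: int


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed 'src dst proto sport dport packets' record."""
    src, dst, proto, sport, dport, packets = line.split()
    return Flow(src, dst, proto.lower(), int(sport), int(dport), int(packets))


def summarize(flows, internal, direction="outbound"):
    """Group flows by (source, proto, dport); track distinct peers and packets.

    direction="outbound": source inside `internal`, destination outside
                          (hunt for compromised hosts calling out).
    direction="inbound":  source outside, destination inside
                          (hunt for scans hitting the border).
    Internal-to-internal and external-to-external flows are ignored.
    """
    if direction not in ("outbound", "inbound"):
        raise ValueError("direction must be 'outbound' or 'inbound'")
    net = ip_network(internal)
    stats = {}
    for f in flows:
        src_in = ip_address(f.src) in net
        dst_in = ip_address(f.dst) in net
        if direction == "outbound" and not (src_in and not dst_in):
            continue
        if direction == "inbound" and not (dst_in and not src_in):
            continue
        entry = stats.setdefault((f.src, f.proto, f.dport),
                                 {"peers": set(), "packets": 0})
        entry["peers"].add(f.dst)
        entry["packets"] += f.packets
    return stats


def find_noisy(flows, internal, direction="outbound", min_peers=3):
    """Return (src, proto, dport, distinct_peers, packets) for every source
    that touched at least `min_peers` distinct peers on the same port,
    noisiest first."""
    stats = summarize(flows, internal, direction)
    hits = [(src, proto, dport, len(e["peers"]), e["packets"])
            for (src, proto, dport), e in stats.items()
            if len(e["peers"]) >= min_peers]
    hits.sort(key=lambda h: (-h[3], -h[4], h[0]))
    return hits


# Constructed sample flows: "src dst proto sport dport packets".
SAMPLE_FLOW_LINES = [
    # internal host spraying UDP 137 (NetBIOS name service) at external addresses
    "10.1.5.20 198.51.100.10 udp 137 137 40",
    "10.1.5.20 198.51.100.11 udp 137 137 40",
    "10.1.5.20 198.51.100.12 udp 137 137 40",
    "10.1.5.20 198.51.100.13 udp 137 137 40",
    "10.1.5.20 198.51.100.14 udp 137 137 40",
    # ordinary outbound HTTPS
    "10.1.5.21 198.51.100.5 tcp 51000 443 120",
    # external source probing TCP 445 across several internal hosts
    "203.0.113.9 10.1.1.1 tcp 40000 445 1",
    "203.0.113.9 10.1.1.2 tcp 40001 445 1",
    "203.0.113.9 10.1.1.3 tcp 40002 445 1",
    "203.0.113.9 10.1.1.4 tcp 40003 445 1",
    # ordinary inbound mail delivery
    "198.51.100.50 10.1.2.25 tcp 33000 25 15",
    # internal-to-internal chatter, ignored in both directions
    "10.1.5.20 10.1.5.21 udp 137 137 3",
]
SAMPLE_FLOWS = [parse_flow_line(line) for line in SAMPLE_FLOW_LINES]

if __name__ == "__main__":
    for direction in ("outbound", "inbound"):
        for src, proto, dport, peers, pkts in find_noisy(SAMPLE_FLOWS, "10.1.0.0/16", direction):
            print(f"{direction:8} {src:15} {proto}/{dport:<5} peers={peers} packets={pkts}")
```

The distinct-peer count is the signal that separates a scan or worm from a busy but legitimate server: one source talking to many peers on the same port, with few packets per peer, is the pattern Rob's `sh ip cac flo` glance would reveal. The `min_peers` threshold is deliberately low for the sample; tune it against your own baseline before alerting on it.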





