[Snort-users] Re: VERY simple 'virtual' honeypot

Alberto Beretta punkbere at ...1877...
Fri Mar 8 08:05:12 EST 2002


The tool LaBrea can detect scans against virtual IP addresses.
I'm working on a project in which LaBrea and a honeypot work together. LaBrea replies to packets generated for network scanning. The idea is to modify LaBrea to allow a real connection to virtual addresses: this traffic is forwarded to a honeypot. So you can detect the scan and gain information about the hacker's methodologies.
> 
> From: Lance Spitzner <lance at ...2024...>
> Date: 08/03/2002 05:34
> To: "Snort-Users \(E-mail\)" <snort-users at lists.sourceforge.net>,
>   <honeypots at ...35...>
> Subject: VERY simple 'virtual' honeypot
> 
> Most honeypots work on the same concept, a system that has no
> production activity.  You deploy a box that has no production
> value, any packets going to that box indicate a probe, scan, or
> attack.  This helps reduce both false positives and false
> negatives.  Examples of such honeypots include BackOfficer Friendly,
> DTK, ManTrap, Specter, and Honeynets.
> 
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.
> 
> Of course this does not give you the Data Capture capabilities
> of a honeypot, as there is no system for the attacker to
> interact with.  However, this could be used to help detect
> scanning or probing activity.
> 
> Thoughts?
> 
> -- 
> Lance Spitzner
> http://project.honeynet.org