[Snort-users] VERY simple 'virtual' honeypot
fknobbe at ...652...
Fri Mar 8 08:44:30 EST 2002
On Thu, 2002-03-07 at 22:34, Lance Spitzner wrote:
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system? This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.
Not really a long list. Here is what I use:
block tcp any any -> $UNUSED any (msg:"TCP Port Scan";)
block udp any any -> $UNUSED any (msg:"UDP Port Scan";)
block icmp any any -> $UNUSED any (msg:"ICMP Scan";)
$UNUSED includes all unused IP addresses, defined in snort.conf with
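An added example, not part of Frank Knobbe's post above, showing one way to write the idea out as a snort.conf fragment. The address ranges, the SCANNERS variable, the message prefix and the sid numbers are placeholders I made up; substitute your own. The rules use the standard alert action, since the built-in actions of Snort versions from this period are alert, log and pass (the "block" in the rules above presumably comes from a custom ruletype or a modified Snort).

```snort
# Added example: snort.conf fragment for a "virtual honeypot" built from
# unused address space. All addresses and sids below are assumed values.

# Addresses with no live host behind them.
var UNUSED [10.0.5.0/24,10.0.6.200/29,10.0.7.17]

# Hosts that legitimately sweep the range (your own vulnerability scanner,
# the monitoring station); excluded so they do not trip the rules below.
var SCANNERS [10.0.1.10,10.0.1.11]
pass tcp $SCANNERS any -> $UNUSED any
pass udp $SCANNERS any -> $UNUSED any
pass icmp $SCANNERS any -> $UNUSED any

# TCP: match only the initial SYN (flags:S), so one connection attempt
# produces one alert instead of one per retransmitted segment.
alert tcp !$SCANNERS any -> $UNUSED any (msg:"VHONEY TCP SYN to unused address"; flags:S; classtype:attempted-recon; sid:1000001; rev:1;)

# UDP: any datagram, there is no handshake to key on.
alert udp !$SCANNERS any -> $UNUSED any (msg:"VHONEY UDP to unused address"; classtype:attempted-recon; sid:1000002; rev:1;)

# ICMP: echo requests only (itype:8). ICMP error messages can also land on
# unused addresses as backscatter from attacks elsewhere that spoof your
# address space, which is worth logging separately rather than as a scan.
alert icmp !$SCANNERS any -> $UNUSED any (msg:"VHONEY ICMP echo to unused address"; itype:8; classtype:attempted-recon; sid:1000003; rev:1;)
```

Two things to check before trusting the alerts. First, the sensor has to sit where it actually sees packets addressed to the unused range: inside a routed segment the router never forwards them (ARP for a non-existent host fails), so the tap belongs upstream of that router or on a span port that carries the inbound side. Second, whether pass rules are evaluated before alert rules depends on the Snort version and on the -o switch (or the config order: directive, where available), so verify the order in your build, otherwise the SCANNERS exclusion silently does nothing.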