[Snort-users] VERY simple 'virtual' honeypot

Frank Knobbe fknobbe at ...652...
Fri Mar 8 08:44:30 EST 2002


On Thu, 2002-03-07 at 22:34, Lance Spitzner wrote: 
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.

Not really a long list. Here is what I use: 

block tcp any any -> $UNUSED any (msg:"TCP Port Scan";) 
block udp any any -> $UNUSED any (msg:"UDP Port Scan";) 
block icmp any any -> $UNUSED any (msg:"ICMP Scan";) 

$UNUSED includes all unused IP addresses, defined in snort.conf with
[x.x.x.a,x.x.x.b,x.x.x.c] etc. 


Regards, 
Frank 
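The logic of the three rules above, written out as an added Python example (not code from the thread or from Snort) so it can be checked offline against sample traffic. The subnet, the unused-address list and the packets are constructed; the network and broadcast addresses are deliberately left out of the unused set so legitimate broadcasts do not fire the UDP rule, and the TCP branch adds the SYN-only refinement Lance's wording implies, classifying SYN/ACK or RST arriving at an unused address as backscatter rather than as a probe. The rendered rules assume the standard `alert` action.

```python
"""Darknet-style probe detection over constructed flow records.

Added example: reproduces the three 'unused address' rules from the thread
in Python, plus a snort.conf rendering of the same list. All addresses and
records below are constructed sample data (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass

# Constructed: 192.0.2.0/24 is the monitored subnet; these addresses have
# no host behind them. Network (.0) and broadcast (.255) are NOT listed,
# otherwise ordinary broadcasts would trip the UDP rule.
UNUSED = {ipaddress.ip_address(a) for a in
          ("192.0.2.7", "192.0.2.9", "192.0.2.200", "192.0.2.201")}


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    tcp_flags: str = ""  # e.g. "S", "SA", "R" (tcp only)


def classify(pkt: Packet, unused=UNUSED):
    """Return an alert message (same msg: text as the original rules) or
    None when the packet is not aimed at an unused address.

    Refinement over 'tcp any any -> $UNUSED any': only a bare SYN counts as
    a scan; SYN/ACK or RST hitting an unused address is the echo of someone
    spoofing our range elsewhere, so it is labelled backscatter instead.
    """
    if ipaddress.ip_address(pkt.dst) not in unused:
        return None
    if pkt.proto == "tcp":
        return "TCP Port Scan" if pkt.tcp_flags == "S" else "TCP Backscatter"
    if pkt.proto == "udp":
        return "UDP Port Scan"
    if pkt.proto == "icmp":
        return "ICMP Scan"
    return None


def scan_log(packets, unused=UNUSED):
    """Apply classify() to a sequence of packets; return (src, dst, msg) tuples."""
    alerts = []
    for p in packets:
        msg = classify(p, unused)
        if msg:
            alerts.append((p.src, p.dst, msg))
    return alerts


def to_snort_rules(unused):
    """Render the address set as a snort.conf variable plus alert rules in
    the shape used in the thread (action 'alert' assumed, flags:S added)."""
    addr_list = ",".join(str(a) for a in sorted(unused))
    return "\n".join([
        f"var UNUSED [{addr_list}]",
        'alert tcp any any -> $UNUSED any (flags:S; msg:"TCP Port Scan";)',
        'alert udp any any -> $UNUSED any (msg:"UDP Port Scan";)',
        'alert icmp any any -> $UNUSED any (msg:"ICMP Scan";)',
    ])


# Constructed sample traffic.
SAMPLE = [
    Packet("tcp", "198.51.100.5", "192.0.2.7", 445, "S"),   # probe of empty IP
    Packet("tcp", "198.51.100.5", "192.0.2.10", 445, "S"),  # real host, ignored
    Packet("tcp", "203.0.113.9", "192.0.2.200", 80, "SA"),  # backscatter
    Packet("udp", "198.51.100.77", "192.0.2.9", 161),       # UDP sweep
    Packet("icmp", "198.51.100.77", "192.0.2.201"),         # ping sweep
    Packet("udp", "192.0.2.10", "192.0.2.255", 137),        # broadcast, ignored
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE):
        print(alert)
    print(to_snort_rules(UNUSED))
```

Run as a script it prints four alerts (the two real-host and broadcast packets are skipped) followed by the rendered `var UNUSED` line and rules; keeping the unused set in one place, as Frank does with the snort.conf variable, is what makes the list easy to revise when addresses are assigned or freed.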


