[Snort-users] Re: VERY simple 'virtual' honeypot

Dug Song dugsong at ...5264...
Fri Mar 8 08:49:10 EST 2002


On Fri, Mar 08, 2002 at 08:19:11AM -0500, Ron Gula wrote:

> Dragon Sensor can use this info to look for traffic to non-existent
> hosts, and traffic to non-existent services on active hosts. Besides
> being a good honeypot, it is also an excellent trickle scan detection
> engine. Scalability is roughly at the DMZ/class-c level.

at Arbor Networks, we've been doing this kind of blackhole monitoring
as well, but on an unused, globally-announced class A network:

	http://research.arbor.net/up_media/up_files/snapshot_worm_activity.pdf

monitoring an entire /8, you see lots of interesting things, including:

	- constant worm infection attempts (see the paper above)
	- backscatter from victims of source-spoofed DDoS attacks
	- widespread host scans for the vulnerability du jour (FTP,
	  dtspcd, SSH, etc. - you name it, we see it)
	- random Internet flotsam and jetsam i have yet to figure out (!)

if there's enough interest, we might release the software we've
written to capture, reassemble, and characterize this traffic
(tentatively called "MasterBaiter" :-)

if our marketing folks don't kill me first...

-d.

---
http://www.monkey.org/~dugsong/
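The categories Dug lists for a dark /8 map onto a few packet-level rules, since nothing on an unused prefix ever sends a packet: anything that can only be a reply is backscatter, and one source hitting many dark hosts on one port is a scan or worm probe. The script below is an added illustration written for this post, not Arbor's capture software; it assumes a placeholder unused prefix of 10.0.0.0/8, a constructed threshold of three targets per port, and constructed sample packets.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed threshold: distinct dark hosts hit on one port by one source.
SCAN_HOSTS = 3
# A dark prefix never sends anything, so packets that can only be *replies*
# (SYN-ACK, RST, ICMP errors, echo-reply) are backscatter from spoofed floods.
REPLY_FLAGS = {"SA", "R", "RA"}
REPLY_ICMP = {"echo-reply", "unreach", "ttl-exceeded"}

def classify(records, darknet):
    """Label each source that touched the dark prefix.
    records: iterable of (src, dst, proto, dport, flags); flags is the TCP flag
    string ('S', 'SA', ...), the ICMP type name, or '' for UDP."""
    net = ip_network(darknet)
    per_src = defaultdict(list)
    for src, dst, proto, dport, flags in records:
        if ip_address(dst) in net:               # no real host lives here
            per_src[src].append((dst, proto, dport, flags))
    labels = {}
    for src, pkts in per_src.items():
        is_reply = [(proto == "tcp" and flags in REPLY_FLAGS)
                    or (proto == "icmp" and flags in REPLY_ICMP)
                    for _, proto, _, flags in pkts]
        if all(is_reply):
            labels[src] = "backscatter"
            continue
        # Horizontal scan / worm probe: same port, many distinct targets.
        targets = defaultdict(set)
        for dst, proto, dport, flags in pkts:
            if proto == "udp" or (proto == "tcp" and flags == "S"):
                targets[(proto, dport)].add(dst)
        if targets and max(len(t) for t in targets.values()) >= SCAN_HOSTS:
            labels[src] = "horizontal_scan"
        else:
            labels[src] = "unclassified"         # the flotsam and jetsam
    return labels

# Constructed sample packets toward the placeholder dark prefix 10.0.0.0/8.
DARKNET = "10.0.0.0/8"
SAMPLE = [
    ("198.51.100.7", "10.1.2.3", "tcp", 80, "S"),      # port 80 across hosts
    ("198.51.100.7", "10.1.2.4", "tcp", 80, "S"),
    ("198.51.100.7", "10.1.2.5", "tcp", 80, "S"),
    ("203.0.113.5", "10.200.1.1", "tcp", 33000, "SA"), # replies to SYNs we never sent
    ("203.0.113.5", "10.201.1.1", "tcp", 33001, "SA"),
    ("203.0.113.5", "10.202.1.1", "tcp", 33002, "R"),
    ("192.0.2.9", "10.3.3.3", "icmp", None, "unreach"),
    ("192.0.2.10", "10.4.4.4", "udp", 1434, ""),       # lone UDP packet
    ("192.0.2.10", "172.16.0.1", "udp", 1434, ""),     # outside the prefix, ignored
]
```

`classify(SAMPLE, DARKNET)` returns one label per source; in practice the records would come from a capture on the announced prefix rather than the inline list.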