[Snort-users] VERY simple 'virtual' honeypot

James Hoagland hoagland at ...47...
Fri Mar 8 08:56:15 EST 2002

At 10:34 PM -0600 3/7/02, Lance Spitzner wrote:
>Most honeypots work on the same concept, a system that has no
>production activity.  You deploy a box that has no production
>value, any packets going to that box indicate a probe, scan, or
>attack.  This helps reduce both false positives and false
>negatives.  Exampls of such honeypots include BackOfficer Friendly,
>DTK, ManTrap, Specter, and Honeynets.
>However, I was just thinking, why bother deploying the box?
>Why not create a list of Snort rules that generate an alert
>whenever a TCP/SYN packet or UDP packet is sent to an IP
>address that has no system?  This could incidate a probe,
>scan or attack, the same principles of a honeypot, but
>without deploying an actual system.
>Of course this does not give you the Data Capture capabilites
>of a honeypot, as there is no system for the attacker to
>interact with.  However, this could be used to help detect
>scanning or probing activity.

Hello Lance,

This is basically what Spade does.  In addition it catches to unused 
or rarely used ports on valid IPs.  Basically how it operates is that 
it keeps a summary record of packets (by default the dest IP and dest 
port combo) it has seen.  From that it can assign an anomaly score 
based on the unusualness of a new packet.  For more details, you 
might be interested in reading our "Practical Automated Detection of 
Stealthy Portscans" paper on Silicon Defense's web site:


Stuart wrote a pretty good section (IMHO) in this about stealthy 
portscans, scan footprints, etc.  You can also read how we got Spade 
to be as fast as it is.  (Running Snort Spade-only on our local 
office's server processed a file of 1.25 million SYN packets in a 
little over a minute.  YMMV of course.)

Best regards,


|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|

More information about the Snort-users mailing list