[Snort-users] VERY simple 'virtual' honeypot

James Hoagland hoagland at ...47...
Fri Mar 8 08:56:15 EST 2002


At 10:34 PM -0600 3/7/02, Lance Spitzner wrote:
>Most honeypots work on the same concept, a system that has no
>production activity.  You deploy a box that has no production
>value, any packets going to that box indicate a probe, scan, or
>attack.  This helps reduce both false positives and false
>negatives.  Examples of such honeypots include BackOfficer Friendly,
>DTK, ManTrap, Specter, and Honeynets.
>
>However, I was just thinking, why bother deploying the box?
>Why not create a list of Snort rules that generate an alert
>whenever a TCP/SYN packet or UDP packet is sent to an IP
>address that has no system?  This could indicate a probe,
>scan or attack, the same principles of a honeypot, but
>without deploying an actual system.
>
>Of course this does not give you the Data Capture capabilities
>of a honeypot, as there is no system for the attacker to
>interact with.  However, this could be used to help detect
>scanning or probing activity.
>
>Thoughts?

Hello Lance,

This is basically what Spade does.  In addition it catches packets to unused 
or rarely used ports on valid IPs.  Basically how it operates is that 
it keeps a summary record of packets (by default the dest IP and dest 
port combo) it has seen.  From that it can assign an anomaly score 
based on the unusualness of a new packet.  For more details, you 
might be interested in reading our "Practical Automated Detection of 
Stealthy Portscans" paper on Silicon Defense's web site:

   http://www.silicondefense.com/research/pubs.htm

Stuart wrote a pretty good section (IMHO) in this about stealthy 
portscans, scan footprints, etc.  You can also read how we got Spade 
to be as fast as it is.  (Running Snort Spade-only on our local 
office's server processed a file of 1.25 million SYN packets in a 
little over a minute.  YMMV of course.)

Best regards,

   Jim


-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
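Worked example, added here and not part of either message in the thread: a small Python detector that combines the two ideas above, Lance's "virtual honeypot" rule (alert on any TCP SYN or UDP packet to an address with no system behind it) and a simplified version of the Spade approach Jim describes (keep a summary record of destination IP/port combinations seen so far and score each new packet by how unusual that combination is). The live-host inventory, the packet records, the scoring formula `-log2((count + 1) / (total + 1))` and the alert threshold are all assumptions constructed for this example; Spade's real scoring is described in the Silicon Defense paper linked above, and this code is not Spade's.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Hypothetical inventory of addresses that actually have a system behind them
# (constructed for this example). Anything else on the monitored range is
# treated as a "virtual honeypot": nobody legitimate should be talking to it.
LIVE_HOSTS = {"10.0.0.10", "10.0.0.11", "10.0.0.12"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    flags: str = ""   # TCP flags, e.g. "S" for a bare SYN, "A" for an ACK


def is_honeypot_hit(pkt, live_hosts=LIVE_HOSTS):
    """Lance's rule: a TCP SYN or any UDP packet to an address with no system
    behind it is by definition a probe, scan or attack."""
    if pkt.dst in live_hosts:
        return False
    if pkt.proto == "udp":
        return True
    return pkt.proto == "tcp" and pkt.flags == "S"


class SpadeLikeScorer:
    """Simplified Spade-style anomaly scoring (assumed formula, not Spade's).

    Keeps a count of every (dst IP, dst port) combination seen so far and
    scores a new packet as -log2 of an estimated probability of its
    combination, using the counts accumulated *before* this packet so that a
    never-seen combination gets the highest score at that moment."""

    def __init__(self):
        self.counts = Counter()
        self.total = 0

    def score(self, pkt):
        key = (pkt.dst, pkt.dport)
        # Add-one smoothing so an unseen combination has a finite score.
        p = (self.counts[key] + 1) / (self.total + 1)
        self.counts[key] += 1
        self.total += 1
        return -math.log2(p)


def analyze(packets, threshold=3.0, live_hosts=LIVE_HOSTS):
    """Run both detectors over a packet stream; return one alert record per
    packet that is either a honeypot hit or scores at/above the threshold."""
    scorer = SpadeLikeScorer()
    alerts = []
    for pkt in packets:
        score = scorer.score(pkt)          # always update the summary record
        honeypot = is_honeypot_hit(pkt, live_hosts)
        if honeypot or score >= threshold:
            alerts.append({
                "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
                "proto": pkt.proto, "honeypot": honeypot,
                "score": round(score, 4),
            })
    return alerts


# Constructed sample traffic: eight ordinary web SYNs to a live server, then
# an SSH SYN to a second live host, a SYN and a UDP probe to two addresses
# that have no system, and finally a non-SYN packet on the busy web port.
SAMPLE_TRAFFIC = [
    Packet(f"192.0.2.{i}", "10.0.0.10", 80, "tcp", "S") for i in range(1, 9)
] + [
    Packet("192.0.2.9", "10.0.0.11", 22, "tcp", "S"),
    Packet("198.51.100.7", "10.0.0.55", 445, "tcp", "S"),
    Packet("198.51.100.7", "10.0.0.56", 137, "udp"),
    Packet("192.0.2.1", "10.0.0.10", 80, "tcp", "A"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_TRAFFIC):
        kind = "HONEYPOT" if alert["honeypot"] else "ANOMALY"
        print(f"{kind:8} {alert['src']} -> {alert['dst']}:{alert['dport']}/"
              f"{alert['proto']} score={alert['score']}")
```

Run over the sample stream, the two probes to 10.0.0.55 and 10.0.0.56 are flagged purely by the honeypot rule, while the SSH SYN to the live host 10.0.0.11 is flagged only because its destination IP/port combination is new relative to the history, which is the "unused or rarely used ports on valid IPs" case Jim mentions. The repeated SYNs to the web server score zero, and the final ACK to the busy port scores low, so neither produces an alert.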