[Snort-users] VERY simple 'virtual' honeypot
hoagland at ...47...
Fri Mar 8 08:56:15 EST 2002
At 10:34 PM -0600 3/7/02, Lance Spitzner wrote:
>Most honeypots work on the same concept, a system that has no
>production activity. You deploy a box that has no production
>value, any packets going to that box indicate a probe, scan, or
>attack. This helps reduce both false positives and false
>negatives. Examples of such honeypots include BackOfficer Friendly,
>DTK, ManTrap, Specter, and Honeynets.
>However, I was just thinking, why bother deploying the box?
>Why not create a list of Snort rules that generate an alert
>whenever a TCP/SYN packet or UDP packet is sent to an IP
>address that has no system? This could indicate a probe,
>scan or attack, the same principles of a honeypot, but
>without deploying an actual system.
>Of course this does not give you the Data Capture capabilities
>of a honeypot, as there is no system for the attacker to
>interact with. However, this could be used to help detect
>scanning or probing activity.
This is basically what Spade does. In addition it catches packets sent to
unused or rarely used ports on valid IPs. Basically how it operates is that
it keeps a summary record of packets (by default the dest IP and dest
port combo) it has seen. From that it can assign an anomaly score
based on the unusualness of a new packet. For more details, you
might be interested in reading our "Practical Automated Detection of
Stealthy Portscans" paper on Silicon Defense's web site:
Stuart wrote a pretty good section (IMHO) in this about stealthy
portscans, scan footprints, etc. You can also read how we got Spade
to be as fast as it is. (Running Snort Spade-only on our local
office's server processed a file of 1.25 million SYN packets in a
little over a minute. YMMV of course.)
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...47..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
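The two ideas in this thread, alerting on SYN/UDP traffic to addresses with no system behind them and Spade-style scoring of how unusual a (dest IP, dest port) combination is, as an added illustration that is not code from the thread, from Snort or from Spade. The network, the live-host list and the packet records are constructed; the scorer uses a simple smoothed -log2 P(dst IP, dst port) as a stand-in for Spade's actual anomaly model.

```python
import math
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed example: the address block we own and the hosts actually deployed.
MONITORED_NET = ip_network("192.0.2.0/24")
LIVE_HOSTS = {"192.0.2.10", "192.0.2.20", "192.0.2.30"}

def unused_ip_hit(dst_ip):
    """'Virtual honeypot' test: destination is in our block but no system lives there."""
    return ip_address(dst_ip) in MONITORED_NET and dst_ip not in LIVE_HOSTS

class SpadeLikeScorer:
    """Keeps a summary count of (dst IP, dst port) combos seen so far and scores a
    new packet by how unusual its combo is: score = -log2 P(dst_ip, dst_port)."""
    def __init__(self):
        self.joint = Counter()
        self.total = 0

    def score(self, dst_ip, dst_port):
        key = (dst_ip, dst_port)
        # add-one smoothing so a never-seen combo gets a finite but large score
        p = (self.joint[key] + 1) / (self.total + 1)
        s = -math.log2(p)
        self.joint[key] += 1          # update the summary after scoring
        self.total += 1
        return s

def run(packets, threshold):
    """packets: (proto, tcp_flags, dst_ip, dst_port). Only TCP SYNs and UDP count."""
    scorer, alerts = SpadeLikeScorer(), []
    for proto, flags, dst_ip, dst_port in packets:
        if not ((proto == "tcp" and flags == "S") or proto == "udp"):
            continue                  # e.g. a bare ACK is not a new connection attempt
        if unused_ip_hit(dst_ip):
            alerts.append(("unused-ip", dst_ip, dst_port))
        s = scorer.score(dst_ip, dst_port)
        if s > threshold:
            alerts.append(("anomalous", dst_ip, dst_port, round(s, 2)))
    return alerts

# Constructed traffic: 20 normal SYNs to a web server, then a probe of an unused
# port on that server, a probe of an unused address, and a bare ACK that is ignored.
SAMPLE_PACKETS = [("tcp", "S", "192.0.2.10", 80)] * 20 + [
    ("tcp", "S", "192.0.2.10", 6000),
    ("tcp", "S", "192.0.2.77", 22),
    ("tcp", "A", "192.0.2.99", 22),
]

def demo():
    return run(SAMPLE_PACKETS, threshold=4.0)
```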