[Snort-users] VERY simple 'virtual' honeypot

Williams Jon WilliamsJon at ...2134...
Fri Mar 8 09:29:04 EST 2002

Ah.  Here's a Snort performance warning.  It turns out that using the
[x.x.x.x/24,y.y.y.y/24] notation in snort is a real performance hog.  I ran
a test where I used tcpdump to capture 20 minutes of our production traffic
and then had snort read in that file.  When I used the [...] construct, it
took 113 minutes to process all 11,999,547 packets, but when I broke out
each net as follows:
   var HOME_NET
   include rules.conf
   var HOME_NET
   include rules.conf
   var HOME_NET x.x.x.x/24
it only took 32 minutes.  Basically, it took less time to process 7797 rules
in 1029 chain headers than it did to process 887 rules in 805 chain headers.


-----Original Message-----
From: Frank Knobbe [mailto:fknobbe at ...652...]
Sent: Friday, March 08, 2002 10:37 AM
To: Lance Spitzner
Cc: Snort-Users (E-mail); honeypots at ...35...
Subject: Re: [Snort-users] VERY simple 'virtual' honeypot

On Thu, 2002-03-07 at 22:34, Lance Spitzner wrote:
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.

Not really a long list. Here is what I use:

block tcp any any -> $UNUSED any (msg:"TCP Port Scan";)
block udp any any -> $UNUSED any (msg:"UDP Port Scan";)
block icmp any any -> $UNUSED any (msg:"ICMP Scan";)

$UNUSED includes all unused IP addresses, defined in snort.conf with
[x.x.x.a,x.x.x.b,x.x.x.c] etc.
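Maintaining the $UNUSED list by hand gets tedious once a /24 has more than a handful of live hosts, so here is an added example (not from the post or from the Snort project) that computes the unused addresses of a monitored network from a list of live hosts and renders the snort.conf fragment with the three rules above. The network and host addresses are constructed sample data; the action defaults to alert, and the optional flags:S on the TCP rule reflects Lance's TCP/SYN wording rather than Frank's rules.

```python
import ipaddress

# Constructed sample data, not from the post: the monitored /24 and the
# addresses that actually have a system behind them.
MONITORED_NET = "192.0.2.0/24"
LIVE_HOSTS = ["192.0.2.1", "192.0.2.10", "192.0.2.11", "192.0.2.25", "192.0.2.80"]


def unused_addresses(network, live_hosts):
    """Host addresses in `network` with no system on them (the $UNUSED set).

    The network and broadcast addresses are left out: traffic to them is
    normal and would only add noise to the honeypot alerts.
    """
    net = ipaddress.ip_network(network, strict=True)
    live = {ipaddress.ip_address(h) for h in live_hosts}
    outside = [str(h) for h in live if h not in net]
    if outside:
        raise ValueError(f"live hosts outside {net}: {outside}")
    return [str(a) for a in net.hosts() if a not in live]


def snort_unused_var(addresses, name="UNUSED"):
    """Render the snort.conf variable as a bracketed, comma-separated list."""
    return f"var {name} [{','.join(addresses)}]"


def snort_unused_rules(action="alert", var="UNUSED", syn_only=False):
    """The three rules from the post with a configurable action.

    syn_only adds flags:S to the TCP rule so that only connection attempts
    (the TCP/SYN packets Lance mentions) fire, not RST/ACK backscatter.
    """
    tcp_opts = "flags:S; " if syn_only else ""
    return [
        f'{action} tcp any any -> ${var} any ({tcp_opts}msg:"TCP Port Scan";)',
        f'{action} udp any any -> ${var} any (msg:"UDP Port Scan";)',
        f'{action} icmp any any -> ${var} any (msg:"ICMP Scan";)',
    ]


def build_snort_fragment(network, live_hosts, action="alert", syn_only=False):
    """Full snort.conf fragment: the $UNUSED definition followed by the rules."""
    lines = [snort_unused_var(unused_addresses(network, live_hosts))]
    lines.extend(snort_unused_rules(action, syn_only=syn_only))
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_snort_fragment(MONITORED_NET, LIVE_HOSTS, syn_only=True))
```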

