[Snort-users] RE: VERY simple 'virtual' honeypot

Michael Clark mike at ...2024...
Fri Mar 8 11:11:08 EST 2002


This leads me to an idea I had a bit ago: how to capture everything even
when you do not have something listening on the port. You could run
netcat, but you can only really listen on so many ports. So you could
modify Hogwash (or another gateway device) to pick up RSTs coming from
your internal network and craft ACK packets and such. You can then do
some crude NAT to direct all the packets to some other machine/port that
has a listener. So this way if you get a TCP connection on 12348 and it's
not open on the honeypot, you can fool the connection into thinking it is
and maybe get some data.

Now this is all just ideas and might not even be possible :)

Mike
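
A toy model of the gateway logic described in the message above, added here as an example; it is not code from the post or from Hogwash. It assumes the gateway replays the client's original SYN to the listener instead of crafting the ACK itself, uses constructed documentation addresses, and leaves out the sequence-number handling a real gateway would need; the class and function names are hypothetical.

```python
from collections import namedtuple

# Simplified TCP segment (constructed model, no real packet I/O).
Pkt = namedtuple("Pkt", "src sport dst dport flags data")

class RstRedirectGateway:
    def __init__(self, honeypot, listener):
        self.honeypot = honeypot    # honeypot IP
        self.listener = listener    # (ip, port) of the catch-all listener
        self.pending = {}           # (client, cport, dport) -> SYN not yet answered
        self.nat = {}               # (client, cport) -> honeypot port the client dialed

    def inbound(self, p):
        """Outside -> honeypot. Returns the packets the gateway emits."""
        if p.dst != self.honeypot:
            return [p]
        if self.nat.get((p.src, p.sport)) == p.dport:
            # Flow already redirected: rewrite destination to the listener.
            return [p._replace(dst=self.listener[0], dport=self.listener[1])]
        if p.flags == {"SYN"}:
            self.pending[(p.src, p.sport, p.dport)] = p
        return [p]

    def outbound(self, p):
        """Internal network -> outside. Returns the packets the gateway emits."""
        flow = (p.dst, p.dport)
        if p.src == self.honeypot:
            syn = self.pending.pop(flow + (p.sport,), None)
            if syn is not None and "RST" in p.flags:
                # Closed port: swallow the RST, replay the SYN to the listener.
                self.nat[flow] = p.sport
                return [syn._replace(dst=self.listener[0], dport=self.listener[1])]
            return [p]
        if (p.src, p.sport) == self.listener and flow in self.nat:
            # Listener reply: make it appear to come from the honeypot port.
            return [p._replace(src=self.honeypot, sport=self.nat[flow])]
        return [p]

def demo():
    """Constructed trace: a probe of closed port 12348 on the honeypot."""
    gw = RstRedirectGateway("192.0.2.10", ("192.0.2.20", 9999))
    c, h = "203.0.113.9", "192.0.2.10"
    gw.inbound(Pkt(c, 40000, h, 12348, {"SYN"}, b""))
    replay = gw.outbound(Pkt(h, 12348, c, 40000, {"RST", "ACK"}, b""))
    synack = gw.outbound(Pkt("192.0.2.20", 9999, c, 40000, {"SYN", "ACK"}, b""))
    data = gw.inbound(Pkt(c, 40000, h, 12348, {"ACK", "PSH"}, b"hello"))
    return replay[0], synack[0], data[0]
```

The listener ends up with whatever the client sends to the closed port, while a port that is actually open on the honeypot passes through untouched because its SYN-ACK clears the pending entry.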




