[Snort-users] RE: VERY simple 'virtual' honeypot

Ashley Thomas athomas at ...3539...
Fri Mar 8 11:20:07 EST 2002


Do you think it is a good idea for an IDS to send out packets
(the fake packets)?
I would think that it is best if the IDS remains in stealth mode
without doing anything "active".

Please correct me if I am wrong.

-ashley


On Fri, 8 Mar 2002, Alex Collins wrote:

> > > Of course this does not give you the Data Capture capabilities
> > > of a honeypot, as there is no system for the attacker to
> > > interact with.  However, this could be used to help detect
> > > scanning or probing activity.
> >
> > Better yet, have snort spoof a reply (i.e. pretend that a valid port is
> > there). Then the attacker comes back later for more, giving you more
> > information and wasting more of their time. Then you get a bit of the best
> > of both worlds. I'm sure snort, portsentry or something similar could
> > easily be hacked up to do it. Alternatively, use port redirects on
> > Linux/OpenBSD to redirect stuff for unused networks to a "legit" server
> > that will reply with basic stuff.
>
> If you could craft a "reply" routine for snort, that could be actioned over
> a combination of packets, you could then define a range of actions that
> would be useful both from the perspective of a "responsive" IDS (e.g. TCP
> resets) and as a honeypot (e.g. acknowledge packets, send back banners)
> logging further packets that are received.
>
> If this was easily customisable, you could gain information for a wide range
> of systems & services, without needing to have legit honeypots for these.
>
> Alex Collins
>
>

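The quoted suggestion (send a banner back on an otherwise unused port, then log what the probing client sends) is what is usually called a low-interaction honeypot. The following is an added example, not code from the thread, Snort, or portsentry: a small stand-alone TCP listener that greets each connection with a fake banner, captures the first bytes the client sends, and records the exchange as a JSON-serialisable event. It runs as its own process rather than inside the sensor, so the sensor itself stays passive and the decoy can be started or stopped independently. The banner table, the `VirtualHoneypot` class and the `probe()` client are all constructed for this example.

```python
"""Low-interaction 'virtual honeypot' listener (added example, not from the
thread): answers probes on an unused TCP port with a fake banner, records
what the client sends, then closes. Runs separately from the IDS sensor."""
import json
import socket
import threading
import time

# Constructed banner table (assumption): the greeting a client sees on each
# decoy port. Ports not listed here get a generic greeting.
BANNERS = {
    21: b"220 FTP server ready\r\n",
    25: b"220 mail ESMTP\r\n",
    110: b"+OK POP3 ready\r\n",
}
DEFAULT_BANNER = b"220 ready\r\n"


class VirtualHoneypot:
    """Accept connections on one decoy port, send a banner, log the first bytes."""

    def __init__(self, host="127.0.0.1", port=0, banner=None, max_bytes=512, timeout=3.0):
        self.host, self.port = host, port
        self.banner = banner if banner is not None else BANNERS.get(port, DEFAULT_BANNER)
        self.max_bytes, self.timeout = max_bytes, timeout
        self.events = []                      # one dict per connection
        self._lock = threading.Lock()
        self._stopping = threading.Event()
        self._sock = self._thread = None

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]   # real port if 0 was requested
        self._sock.listen(5)
        self._sock.settimeout(0.2)                # lets the accept loop see stop()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()
        return self.port

    def stop(self):
        self._stopping.set()
        self._thread.join()
        self._sock.close()

    def _accept_loop(self):
        while not self._stopping.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        """Greet, then capture until max_bytes, disconnect, or idle timeout."""
        received = b""
        with conn:
            conn.settimeout(self.timeout)
            try:
                conn.sendall(self.banner)
                while len(received) < self.max_bytes:
                    chunk = conn.recv(self.max_bytes - len(received))
                    if not chunk:             # client closed the connection
                        break
                    received += chunk
            except (socket.timeout, OSError):
                pass                          # idle or reset: keep what we have
        event = {
            "ts": time.time(),
            "src_ip": addr[0],
            "src_port": addr[1],
            "dst_port": self.port,
            "banner": self.banner.decode("ascii", "replace").strip(),
            "bytes": len(received),
            "data_hex": received.hex(),
            "data_printable": received.decode("ascii", "replace").strip(),
        }
        with self._lock:
            self.events.append(event)

    def wait_for_events(self, n, deadline=5.0):
        """Block until at least n events are logged (or the deadline passes)."""
        end = time.time() + deadline
        while time.time() < end:
            with self._lock:
                if len(self.events) >= n:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)


def probe(host, port, payload=b""):
    """Constructed client for the demo: connect, read the banner, send one line."""
    with socket.create_connection((host, port), timeout=3.0) as s:
        banner = s.recv(256)
        if payload:
            s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = VirtualHoneypot(port=0, banner=BANNERS[21])
    port = hp.start()
    print("banner seen by client:", probe("127.0.0.1", port, b"USER anonymous\r\n"))
    for ev in hp.wait_for_events(1):
        print(json.dumps(ev))
    hp.stop()
```

Because the listener only ever answers connections made to it, the event log is a record of who touched a port that no real service uses; each event carries the source address, the decoy port and the first bytes sent, which is the same kind of data a sensor rule would log, plus the client's follow-up request that a passive sensor never sees.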