[Snort-users] Re: VERY simple 'virtual' honeypot
gbakos at ...5269...
Fri Mar 8 16:03:04 EST 2002
Using iptables and nc, you not only don't need a box, but can pull
initial commands, as well:
iptables -t nat -A PREROUTING -p tcp -d <unused ip address(es)> -j REDIRECT --to-ports 6666
while true; do nc -w 2 -l -p 6666 2>/dev/null >> /var/log/datafile; done
The connection is established, and only survives while there is data
present. Snort can pull the whole kit 'n kaboodle and you can ditch the
redirect, unless you like redundancy. You might want to mark time in the
datafile, to aid in correlation.
If you aren't comfortable with netcat, any listener will do.
On 7 Mar 2002 at 22:34, thus spake Lance Spitzner:
> Of course this does not give you the Data Capture capabilities
> of a honeypot, as there is no system for the attacker to
> interact with. However, this could be used to help detect
> scanning or probing activity.
Any sufficiently advanced technology
is indistinguishable from magic.
Arthur C. Clarke
alpinista at ...375...
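
The post's two suggestions (mark time in the datafile, and any listener will do) combined in an added example that is not part of the original message: a Python listener that writes one timestamped JSON line per connection. It assumes Linux, where the SO_ORIGINAL_DST socket option recovers the address the client targeted before the REDIRECT rule; the function names and the JSON record layout are choices made for this example.

```python
import datetime, json, socket, struct

SO_ORIGINAL_DST = 80  # Linux netfilter getsockopt option (linux/netfilter_ipv4.h)

def original_dst(conn):
    """Address the client really targeted, before the REDIRECT rule rewrote it."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)  # struct sockaddr_in
        port, packed_ip = struct.unpack_from("!2xH4s", raw)
        return socket.inet_ntoa(packed_ip), port
    except OSError:
        # No NAT entry (e.g. a direct connection): use the local socket address.
        return conn.getsockname()[:2]

def capture(conn, peer, idle=2.0, limit=4096):
    """Read until the peer closes or stays idle for `idle` seconds (like nc -w 2)."""
    conn.settimeout(idle)
    data = b""
    try:
        while len(data) < limit:
            chunk = conn.recv(limit - len(data))
            if not chunk:
                break
            data += chunk
    except OSError:  # idle timeout or reset: keep what was received
        pass
    dst_ip, dst_port = original_dst(conn)
    return {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src": f"{peer[0]}:{peer[1]}",
        "dst": f"{dst_ip}:{dst_port}",
        # latin-1 keeps bytes 1:1; json.dumps escapes newlines, so input cannot forge lines.
        "data": data.decode("latin-1"),
    }

def serve(listener, logfile, max_conns=None):
    """Append one timestamped JSON line per connection; max_conns=None runs forever."""
    served = 0
    while max_conns is None or served < max_conns:
        conn, peer = listener.accept()
        with conn:
            record = capture(conn, peer)
        with open(logfile, "a") as fh:
            fh.write(json.dumps(record) + "\n")
        served += 1

if __name__ == "__main__":
    serve(socket.create_server(("0.0.0.0", 6666)), "/var/log/datafile")
```

Like the nc loop, it handles one connection at a time; the recorded dst field shows which unused address and port was probed, which the plain datafile does not.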