[Snort-users] Re: VERY simple 'virtual' honeypot

George Bakos gbakos at ...5269...
Fri Mar 8 16:03:04 EST 2002


Using iptables and nc, you not only don't need a box, but can pull 
initial commands, as well:

iptables -t nat -A PREROUTING -p tcp -d <unused ip address(es)> -j REDIRECT --to-ports 6666
while true; do nc -w 2 -l -p 6666 2>/dev/null >> /var/log/datafile; done

The connection is established, and only survives while there is data 
present.  Snort can pull the whole kit 'n kaboodle and you can ditch the 
redirect, unless you like redundancy.  You might want to mark time in the 
datafile, to aid in correlation.

If you aren't comfortable with netcat, any listener will do.

On 7 Mar 2002 at 22:34, thus spake Lance Spitzner:

> Of course this does not give you the Data Capture capabilities
> of a honeypot, as there is no system for the attacker to
> interact with.  However, this could be used to help detect
> scanning or probing activity.
> Thoughts?
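
The suggestion above to mark time in the datafile, as an added example that is not part of the original message: each connection's data is appended as one record under a UTC timestamp header, with the received bytes made printable and prefixed so they cannot imitate a header. The function names `log_session` and `run_listener` are hypothetical; the nc invocation, port and datafile path are the ones from the post.

```shell
#!/bin/sh
# Added example: timestamped, framed records for the nc listener in the post.
# DATAFILE and PORT default to the post's values; function names are hypothetical.
DATAFILE="${DATAFILE:-/var/log/datafile}"
PORT="${PORT:-6666}"

# Append one capture file (raw bytes from one connection) as a framed record.
log_session() {
    capture=$1
    bytes=$(wc -c < "$capture" | tr -d ' ')
    # Nothing was sent before nc exited: write no record.
    [ "$bytes" -gt 0 ] || return 0
    {
        # UTC header so records line up with other sensors' timestamps.
        printf '=== %s port=%s bytes=%s ===\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$PORT" "$bytes"
        # cat -v shows control bytes as ^X / M-x; the "| " prefix keeps
        # sender-supplied lines from passing as a record header.
        cat -v "$capture" | awk '{ print "| " $0 }'
    } >> "$DATAFILE"
}

# The post's loop, with each connection captured to a temp file first.
run_listener() {
    tmp=$(mktemp) || return 1
    trap 'rm -f "$tmp"' EXIT
    trap 'exit 1' INT TERM
    while true; do
        nc -w 2 -l -p "$PORT" 2>/dev/null > "$tmp"
        log_session "$tmp"
    done
}

# Listen only when invoked as: sh thisfile listen
if [ "${1:-}" = "listen" ]; then
    run_listener
fi
```

Searching the datafile for lines beginning with `===` lists one line per session with its time and size.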
