[Snort-users] VERY simple 'virtual' honeypot

Martin Roesch roesch at ...1935...
Fri Mar 8 19:25:03 EST 2002

A couple thoughts on the topic...

1) Just watching unused IP/port space with a set of rules is what I usually
call "trap rules", rules that trap packets going places they shouldn't be.
This is a poor man's honeypot and it's very good at picking up scans, port
probes and general noise on the network.  It's not all that great at doing
the primary thing that honeypots are good at when used in a production role
as network intrusion detection auxiliaries that let you gauge the intent of
an attacker.

The idea for trap rules came from a paper that Marcus Ranum wrote a year or
two back about "playing the home field advantage" and using the knowledge of
your network that you inherently have as the admin to setup monitoring
capabilities that will monitor the dead spaces on a network.

2) For people with money, there's a product out there from a company called
ForeScout that does active jamming of scanners.  When I talk about active
jamming, I'm referring to it in the electronic warfare sense.  What
ForeScout's product (ActiveScout) does is watch for scanning activity and
send out false responses to project false targets back to an attacker
performing recon.  This works conceptually in the same way that some active
radar jammers do, generating false targets at the attacker's workstation and
causing havoc with his targeting (i.e. Finding out which targets are real so
that you can launch an attack).

I found this to be an extremely nifty idea although I don't know how well
they've implemented it.  It might be entertaining to modify the active
response mechanisms in Snort to do something similar...

For more info on these topics, search for various rants from me containing
keywords like "production honeypot vs. research honeypot", "packet traps"
and "no hardware no cry". :)


On 3/7/02 11:34 PM, "Lance Spitzner" <lance at ...2024...> wrote:

> Most honeypots work on the same concept, a system that has no
> production activity.  You deploy a box that has no production
> value, any packets going to that box indicate a probe, scan, or
> attack.  This helps reduce both false positives and false
> negatives.  Exampls of such honeypots include BackOfficer Friendly,
> DTK, ManTrap, Specter, and Honeynets.
> However, I was just thinking, why bother deploying the box?
> Why not create a list of Snort rules that generate an alert
> whenever a TCP/SYN packet or UDP packet is sent to an IP
> address that has no system?  This could incidate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.
> Of course this does not give you the Data Capture capabilites
> of a honeypot, as there is no system for the attacker to
> interact with.  However, this could be used to help detect
> scanning or probing activity.
> Thoughts?

Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-users mailing list