[Snort-users] VERY simple 'virtual' honeypot

Ofir Arkin ofir at ...949...
Sat Mar 9 04:53:02 EST 2002


In my opinion it will be missing the main point of a Honeynet.

We all know that we can cut the foreplay pretty fast (scanning, probing)
and hit the site with an exploit even without the scanning attempt (read
this in the context :P). But then what? Exploit fails, not much
information gained, and we miss the funny part.

Just my thoughts. 

Ofir Arkin [ofir at ...949...]
The Sys-Security Group
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA  

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Lance
Sent: 08 March 2002 04:34
To: Snort-Users (E-mail); honeypots at ...35...
Subject: [Snort-users] VERY simple 'virtual' honeypot

Most honeypots work on the same concept, a system that has no
production activity.  You deploy a box that has no production
value, any packets going to that box indicate a probe, scan, or
attack.  This helps reduce both false positives and false
negatives.  Examples of such honeypots include BackOfficer Friendly,
DTK, ManTrap, Specter, and Honeynets.

However, I was just thinking, why bother deploying the box?
Why not create a list of Snort rules that generate an alert
whenever a TCP/SYN packet or UDP packet is sent to an IP
address that has no system?  This could indicate a probe,
scan or attack, the same principles of a honeypot, but
without deploying an actual system.

Of course this does not give you the Data Capture capabilities
of a honeypot, as there is no system for the attacker to
interact with.  However, this could be used to help detect
scanning or probing activity.


Lance Spitzner
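The rule set Lance sketches, written out as an added example (this is not code from the original post or from the Snort project). It assumes Snort 2.9 rule syntax and a constructed address plan: 192.0.2.0/24 is the monitored block and only .10, .20 and .30 are real systems, so every other address in the block is "dark" and any packet aimed at it has no production reason to exist. The sids in the 1000000 range are local-rule placeholders.

```snort
# Added example, not from the original post. Assumes Snort 2.9 syntax and a
# constructed address plan: 192.0.2.0/24 is monitored; only .10, .20 and .30
# are live hosts. Everything else in the block is a "dark" address.
ipvar EXTERNAL_NET any
ipvar DARK_NET [192.0.2.0/24,!192.0.2.10,!192.0.2.20,!192.0.2.30]

# TCP connection attempts: match only the initial SYN (S set, A clear).
# flags:S,12 ignores the two reserved/ECN bits so ECN-capable senders still
# match. flow:stateless lets the rule fire even though no session can ever
# be established with an address that has no host behind it.
alert tcp $EXTERNAL_NET any -> $DARK_NET any (msg:"DARKNET TCP SYN to unused address"; flow:stateless; flags:S,12; classtype:attempted-recon; sid:1000001; rev:1;)

# UDP has no handshake, so any datagram to a dark address is worth an alert.
alert udp $EXTERNAL_NET any -> $DARK_NET any (msg:"DARKNET UDP to unused address"; classtype:attempted-recon; sid:1000002; rev:1;)
```

Two things matter when running rules like these. First, the list of live hosts is the whole rule: a new server brought up without updating DARK_NET, or DHCP handing out addresses inside the block, turns legitimate traffic into alerts, so the exclusion list has to be maintained alongside the address inventory. Second, not every hit is a probe: broadcast and multicast traffic, misconfigured clients, and backscatter from scans that spoofed one of your dark addresses as their source will all land here, which is why this gives detection of scanning activity but, as Lance says, none of the data capture a real honeypot provides.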
