[Snort-users] VERY simple 'virtual' honeypot

Fyodor fygrave at ...121...
Sat Mar 9 05:15:03 EST 2002


Ofir Arkin <ofir at ...949...> spoke:
> Lance, 
> 
> In my opinion it will be missing the main point of a Honeynet.
> 
> We all know that we can cut the foreplay pretty fast (scanning, probing)
> and hit the site with an exploit even without the scanning attempt (read
> this in the context :P). But then what? Exploit fails, not much
> information gained, and we miss the funny part.
> 
> address that has no system?  This could indicate a probe,
> scan or attack, the same principles of a honeypot, but
> without deploying an actual system.
> 

No, you actually would miss the most interesting part here: aside from
knowing what is being scanned for, we usually also want to know which
vulnerabilities are being exploited. This you get by
reverse-engineering the byte stream off the wire when an attack took
place. If you don't have any system/service running, you won't see the
interesting part :-) (very few kids in the wild would run their warez
on IP addresses when they aren't even sure these are up ;-)),
and even if they do, a smart TCP/IP stack implementation won't start
sending the data stream unless an ack has been received ;-))

What could be an option here is to 'emulate' a TCP/IP stack on the wire,
by sniffing requests to non-existent IP addresses and spoofing
responses. This would be a kick-ass pot since no matter which IP
address you'd try to hit, or which service, you'd always get a
response back :-) (add some random packet 'drops' here, so the 'all hosts/all
ports' picture wouldn't look that suspicious ;-))


just my B.02 worth comments ;-)

-Fyodor
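The 'emulated stack' Fyodor sketches, as an added example (not code from his post, from Ofir, or from the Snort project): a toy responder that parses IPv4/TCP packets aimed at phantom addresses, answers SYN with SYN/ACK, ACKs whatever the peer then sends and keeps the bytes, so the attack stream exists on the wire for Snort (or a human) to reverse-engineer. The class and function names, the phantom address 10.0.0.200, the peer 10.0.0.9 and the HTTP request used as the 'attack' payload are all constructed for the example. Packet capture and injection (pcap/raw socket) and ARP are assumed to live outside this code: on a real segment the sniffing box must also answer ARP for the phantom addresses, or the SYNs never reach it.

```python
# Added example, not from the original post: a 'virtual host' TCP responder
# that completes handshakes for IP addresses nobody owns and records payloads.
import random
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF


def checksum(data):
    """RFC 1071 one's-complement sum; checksum(header incl. its field) == 0 means valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"", ident=0):
    """Assemble a minimal IPv4+TCP packet (no options) with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     ident, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_ip_tcp(pkt):
    """Return the fields the responder needs, or None if this is not IPv4/TCP."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return dict(src=pkt[12:16], dst=pkt[16:20], sport=sport, dport=dport, seq=seq,
                ack=ack, flags=off_flags & 0x3F, payload=tcp[(off_flags >> 12) * 4:])


class VirtualStack:
    """Speak TCP for addresses with no real host: SYN -> SYN/ACK, data -> ACK
    (payload recorded), FIN -> FIN/ACK, anything without a known connection -> RST.
    Packets for real hosts are left alone so the real stack answers them."""

    def __init__(self, phantom_ips, drop_rate=0.0, seed=None):
        self.phantom = {bytes(ip) for ip in phantom_ips}
        self.drop_rate = drop_rate  # Fyodor's 'random drops' so every host/port isn't uniformly up
        self.rng = random.Random(seed)
        self.conns = {}     # (peer ip, peer port, our ip, our port) -> {"seq", "ack"}
        self.captured = []  # (our ip, our port, bytes the peer sent)

    def handle(self, pkt):
        """Feed one sniffed IP packet; get back the packet to inject, or None."""
        p = parse_ip_tcp(pkt)
        if p is None or p["dst"] not in self.phantom:
            return None
        if self.drop_rate and self.rng.random() < self.drop_rate:
            return None

        def reply(seq, ack, flags):
            return build_ip_tcp(p["dst"], p["src"], p["dport"], p["sport"], seq, ack,
                                flags, ident=self.rng.randrange(1 << 16))

        key = (p["src"], p["sport"], p["dst"], p["dport"])
        f = p["flags"]
        if f & SYN and not f & ACK:
            isn = self.rng.getrandbits(32)
            self.conns[key] = {"seq": (isn + 1) & MASK32, "ack": (p["seq"] + 1) & MASK32}
            return reply(isn, (p["seq"] + 1) & MASK32, SYN | ACK)
        c = self.conns.get(key)
        if c is None:
            return reply(p["ack"], 0, RST)  # stray segment: refuse it like a real stack
        if f & RST:
            del self.conns[key]
            return None
        if p["payload"]:
            self.captured.append((p["dst"], p["dport"], p["payload"]))
            c["ack"] = (c["ack"] + len(p["payload"])) & MASK32
            return reply(c["seq"], c["ack"], ACK)
        if f & FIN:
            c["ack"] = (c["ack"] + 1) & MASK32
            del self.conns[key]
            return reply(c["seq"], c["ack"], FIN | ACK)
        return None  # the bare ACK completing the handshake needs no answer


def demo():
    """Constructed exchange: 10.0.0.9 connects to phantom host 10.0.0.200:80."""
    attacker, phantom = bytes([10, 0, 0, 9]), bytes([10, 0, 0, 200])
    stack = VirtualStack([phantom], seed=1)
    synack = parse_ip_tcp(stack.handle(build_ip_tcp(attacker, phantom, 40000, 80, 1000, 0, SYN)))
    ack_num = (synack["seq"] + 1) & MASK32
    stack.handle(build_ip_tcp(attacker, phantom, 40000, 80, 1001, ack_num, ACK))
    payload = b"GET / HTTP/1.0\r\n\r\n"  # constructed stand-in for the attack bytes
    dack = parse_ip_tcp(stack.handle(
        build_ip_tcp(attacker, phantom, 40000, 80, 1001, ack_num, PSH | ACK, payload)))
    return synack, dack, stack.captured
```

`demo()` walks the whole exchange: the SYN gets a SYN/ACK from the phantom address, the completing ACK is accepted silently, and the data segment is ACKed with its payload stored in `captured`. That last step is the point of the post: without the spoofed SYN/ACK a sane peer stack never sends the data, so you see the scan but not the exploit. The `drop_rate` knob is the 'random drops' idea; set it above zero so a sweep of the phantom range does not report every host and every port as up.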
