[Snort-users] VERY simple 'virtual' honeypot
goemon at ...20...
Sat Mar 9 06:00:06 EST 2002
On Sat, 9 Mar 2002, Ofir Arkin wrote:
> In my opinion it will be missing the main point of a Honeynet.
> We all know that we can cut the foreplay pretty fast (scanning, probing)
> and hit the site with an exploit even without the scanning attempt (read
> this in the context :P). But then what? Exploit fails, not much
> information gained, and we miss the funny part.
If we set up a wide network of trusted, distributed sensors, then we can
set up an auto-countermeasures system. E.g., blackhole routing those networks
which originate scanning attacks which are detected at N or more sensors.
Only TCP scans with full TCP handshakes would be used, since UDP can be
spoofed. A nice sensor net of LaBreas geographically distributed would
make a nice countermeasures net.
Of course to be *really* effective, a number of exchange points or a large
number of individual peers would have to subscribe into the blackhole
[-] Omae no subete no kichi wa ore no mono da. [-]
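
The correlation rule described in this message, as an added example (not code from the original post or from Snort or LaBrea): a source network becomes a blackhole candidate only when N or more distinct trusted sensors each saw a completed TCP handshake from it. The report tuple layout, the /24 aggregation, the `exempt` list and all names and addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample reports: (sensor_id, source_ip, protocol, handshake_completed)
REPORTS = [
    ("sensor-a", "198.51.100.7", "tcp", True),
    ("sensor-b", "198.51.100.7", "tcp", True),
    ("sensor-c", "198.51.100.99", "tcp", True),  # same /24, third sensor
    ("sensor-a", "203.0.113.5", "udp", False),   # UDP: source can be spoofed
    ("sensor-b", "203.0.113.5", "udp", False),
    ("sensor-c", "203.0.113.5", "udp", False),
    ("sensor-a", "192.0.2.44", "tcp", False),    # SYN only: source can be spoofed
    ("sensor-b", "192.0.2.44", "tcp", False),
    ("sensor-a", "192.0.2.200", "tcp", True),    # real handshake, one sensor only
    ("sensor-a", "192.0.2.200", "tcp", True),    # repeat from the same sensor
    ("rogue-x", "192.0.2.200", "tcp", True),     # sensor not in the trusted set
    ("sensor-b", "not-an-ip", "tcp", True),      # malformed report
]
TRUSTED = {"sensor-a", "sensor-b", "sensor-c"}


def blackhole_candidates(reports, trusted, n, prefix_len=24, exempt=()):
    """Return source networks (IPv4, as strings) reported by >= n trusted sensors.

    Only completed TCP handshakes count, because the source address of a UDP
    packet or a bare SYN proves nothing. `exempt` (hypothetical parameter)
    lists networks that must never be blackholed, e.g. your own peers.
    """
    exempt_nets = [ipaddress.ip_network(e) for e in exempt]
    sensors_by_net = defaultdict(set)
    for sensor, src, proto, handshake in reports:
        if sensor not in trusted or proto.lower() != "tcp" or not handshake:
            continue
        try:
            net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        except ValueError:
            continue  # drop reports with an unparseable source address
        if any(net.overlaps(e) for e in exempt_nets):
            continue
        # A set, so one noisy sensor cannot reach the threshold on its own.
        sensors_by_net[net].add(sensor)
    return sorted(str(net) for net, s in sensors_by_net.items() if len(s) >= n)


if __name__ == "__main__":
    for net in blackhole_candidates(REPORTS, TRUSTED, n=3):
        print("candidate for blackhole route:", net)
```
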