[Snort-users] VERY simple 'virtual' honeypot

Dan Hollis goemon at ...20...
Sat Mar 9 06:00:06 EST 2002


On Sat, 9 Mar 2002, Ofir Arkin wrote:
> In my opinion it will be missing the main point of a Honeynet.
> We all know that we can cut the foreplay pretty fast (scanning, probing)
> and hit the site with an exploit even without the scanning attempt (read
> this in the context :P). But then what? Exploit fails, not much
> information gained, and we miss the funny part.

If we set up a wide network of trusted, distributed sensors, then we can 
set up an auto-countermeasures system. E.g., blackhole routing those networks 
which originate scanning attacks which are detected at N or more sensors.

Only TCP scans with full TCP handshakes would be used, since UDP can be 
spoofed. A nice sensor net of LaBreas geographically distributed would
make a nice countermeasures net.

Of course to be *really* effective, a number of exchange points or a large 
number of individual peers would have to subscribe into the blackhole
list.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]
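
Added example, not part of the original post: one way to aggregate sensor reports into the blackhole candidate list described above, counting only completed TCP handshakes and requiring N distinct sensors. The record layout, the /24 aggregation, the one-hour window, the never_block exemption list and the sample reports are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample reports: (sensor, unix time, protocol, handshake completed, source).
# Addresses come from documentation ranges; the record layout is an assumption.
REPORTS = [
    ("sensor-a", 1000, "tcp", True,  "198.51.100.7"),
    ("sensor-b", 1060, "tcp", True,  "198.51.100.9"),
    ("sensor-c", 1120, "tcp", True,  "198.51.100.7"),
    ("sensor-a", 1130, "udp", False, "203.0.113.5"),   # UDP: spoofable, ignored
    ("sensor-b", 1140, "udp", False, "203.0.113.5"),
    ("sensor-c", 1150, "udp", False, "203.0.113.5"),
    ("sensor-a", 1200, "tcp", False, "192.0.2.44"),    # no full handshake, ignored
    ("sensor-b", 1210, "tcp", False, "192.0.2.44"),
    ("sensor-c", 1220, "tcp", False, "192.0.2.44"),
    ("sensor-a", 1300, "tcp", True,  "192.0.2.200"),   # one sensor only, below N
    ("sensor-a", 1310, "tcp", True,  "192.0.2.201"),
    ("sensor-a", 100,  "tcp", True,  "203.0.113.80"),  # three sensors, but spread
    ("sensor-b", 5000, "tcp", True,  "203.0.113.80"),  # wider than the window
    ("sensor-c", 9900, "tcp", True,  "203.0.113.80"),
]

def blackhole_candidates(reports, n_sensors=3, window=3600, prefix_len=24,
                         never_block=()):
    """Networks seen by >= n_sensors distinct sensors within `window` seconds."""
    exempt = [ipaddress.ip_network(n) for n in never_block]
    sightings = defaultdict(list)  # source network -> [(time, sensor)]
    for sensor, ts, proto, handshake_done, src in reports:
        if proto != "tcp" or not handshake_done:
            continue  # only a completed handshake shows the source is not spoofed
        if any(ipaddress.ip_address(src) in net for net in exempt):
            continue  # never auto-blackhole networks on the exemption list
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        sightings[net].append((ts, sensor))
    hits = []
    for net, seen in sightings.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # Distinct sensors that saw this network within `window` of `start`.
            sensors = {s for t, s in seen[i:] if t - start <= window}
            if len(sensors) >= n_sensors:
                hits.append(str(net))
                break
    return sorted(hits)

if __name__ == "__main__":
    print(blackhole_candidates(REPORTS))
```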




