[Snort-users] VERY simple 'virtual' honeypot

Jason Robertson jason at ...3161...
Sat Mar 9 08:15:02 EST 2002

Anyways I don't know if I will be stepping on anyones feet, so if I 
am.. I hope you are wearing steel-toed boots..  Because this comfy 
gov't job has made me fat and.... oh okay, enough with the joking at my 

Anyways, isn't the purpose of a honeynet not only to monitor attempted 
traffic, but to monitor direct attacks and to attain evidence when a 
person has breached the security of a machine or network?  What 
evidence do you have that they portscanned your machine?  especially if 
they break into the system anyways.  

The purpose of a honeypot, is to give an idea of a vulnerable system, 
to see what they do.  Some of these various analysis of some of these 
trojans, and rootkits wouldn't exists without the use of honeypots, 
since these machines give just enough access to allow someone to gain 
access and to put all kinds of backholes into the system, but not 
enough to actually be useful.


On 8 Mar 2002 at 22:23, Martin Roesch wrote:

Date sent:      	Fri, 08 Mar 2002 22:23:21 -0500
Subject:        	Re: [Snort-users] VERY simple 'virtual' honeypot
From:           	Martin Roesch <roesch at ...1935...>
To:             	Lance Spitzner <lance at ...2024...>,
  	"Snort-Users (E-mail)" <snort-users at lists.sourceforge.net>,
  	<honeypots at ...35...>

> A couple thoughts on the topic...
> 1) Just watching unused IP/port space with a set of rules is what I usually
> call "trap rules", rules that trap packets going places they shouldn't be.
> This is a poor man's honeypot and it's very good at picking up scans, port
> probes and general noise on the network.  It's not all that great at doing
> the primary thing that honeypots are good at when used in a production role
> as network intrusion detection auxiliaries that let you gauge the intent of
> an attacker.
> The idea for trap rules came from a paper that Marcus Ranum wrote a year or
> two back about "playing the home field advantage" and using the knowledge of
> your network that you inherently have as the admin to setup monitoring
> capabilities that will monitor the dead spaces on a network.
> 2) For people with money, there's a product out there from a company called
> ForeScout that does active jamming of scanners.  When I talk about active
> jamming, I'm referring to it in the electronic warfare sense.  What
> ForeScout's product (ActiveScout) does is watch for scanning activity and
> send out false responses to project false targets back to an attacker
> performing recon.  This works conceptually in the same way that some active
> radar jammers do, generating false targets at the attacker's workstation and
> causing havoc with his targeting (i.e. Finding out which targets are real so
> that you can launch an attack).
> I found this to be an extremely nifty idea although I don't know how well
> they've implemented it.  It might be entertaining to modify the active
> response mechanisms in Snort to do something similar...
> For more info on these topics, search for various rants from me containing
> keywords like "production honeypot vs. research honeypot", "packet traps"
> and "no hardware no cry". :)
>      -Marty
> On 3/7/02 11:34 PM, "Lance Spitzner" <lance at ...2024...> wrote:
> > Most honeypots work on the same concept, a system that has no
> > production activity.  You deploy a box that has no production
> > value, any packets going to that box indicate a probe, scan, or
> > attack.  This helps reduce both false positives and false
> > negatives.  Exampls of such honeypots include BackOfficer Friendly,
> > DTK, ManTrap, Specter, and Honeynets.
> > 
> > However, I was just thinking, why bother deploying the box?
> > Why not create a list of Snort rules that generate an alert
> > whenever a TCP/SYN packet or UDP packet is sent to an IP
> > address that has no system?  This could incidate a probe,
> > scan or attack, the same principles of a honeypot, but
> > without deploying an actual system.
> > 
> > Of course this does not give you the Data Capture capabilites
> > of a honeypot, as there is no system for the attacker to
> > interact with.  However, this could be used to help detect
> > scanning or probing activity.
> > 
> > Thoughts?
> -- 
> Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org

Jason Robertson                
Now at the Nation Research Council.

More information about the Snort-users mailing list