[Snort-users] re: VERY simple 'virtual' honeypot

Wynn Fenwick wfenwick at ...2714...
Sat Mar 9 11:56:04 EST 2002

An excellent discussion... I'm learning a lot.

It seems to me that a honeypot is primarily a research tool, for analysis of stimulus/response and to study the
relationship between types of compound attacks and the threat level to which these compound attacks correlate. It's
easy to make that correlation with single, simple vulnerability exploits. When many small exploits of vulnerabilities
snowball into a complex attack, it's really hard. This is what Honeypots are good at linking together with the data
they provide.

Research Honeypots are one of those things definitely in the "nice to have" for most mortal organizations unless
they are actively involved in security superhero R&D. Most organizations have enough trouble getting firewall rules
maintained, and staffing funded to maintain the preventative infrastructure, IMHO. I could see selling the idea of a
Labrea-ish Honeypot to make them skate in cheese a bit, but the cost/benefit would be very hard to prove to
management. It might increase the latency between a scan and a real attack in time for someone to react/prevent
against the attack more effectively, but how do you prove that in Powerpoint?

The stuff Marty is talking about doing is more of a tactical obfuscation tool - a safeguard which reduces the risk
of an outsider identifying the type of safeguard actually in place. Creating entropy in the reachability profile
data of a network would simply obfuscate the network landscape from the outside. It's like publishing intentional
erroneous topographical maps, assuming the enemy would use that to create their battle plan, and no other intel they

This works until the attacker knows that this information is bogus, and they then need to use other sources of
information. You've simply told them "hey we're running a jammer here", and no one will trust the information gleaned
from an external network reachability profiler.

It will keep the kiddies busy...and increase the cost of the information to the attacker. As one client says "if
there is bang for the buck, let's do it"... low cost to us creating high cost to the attacker is a Good Thing.

I think this would be better as a separate tool rather than bound to my IDS, which I prefer to think of as a passive
I&W system. However, I can see implementing this and getting "bang for the buck", if I was ever going to implement
active response in my IDS.

Total donation: C$0.02


snort-users-request at lists.sourceforge.net wrote:

> Subject: Re: [Snort-users] VERY simple 'virtual' honeypot
> Date: Sat, 9 Mar 2002 11:16:43 -0500
> From: "Jason Robertson" <jason at ...3161...>
> Organization: iFuture Inc.
> To: <snort-users at lists.sourceforge.net>
> References: <Pine.LNX.4.30.0203072228320.25075-100000 at ...435...>
> Anyways I don't know if I will be stepping on anyone's feet, so if I
> am.. I hope you are wearing steel-toed boots..  Because this comfy
> gov't job has made me fat and.... oh okay, enough with the joking at my
> expense.
> Anyways, isn't the purpose of a honeynet not only to monitor attempted
> traffic, but to monitor direct attacks and to attain evidence when a
> person has breached the security of a machine or network?  What
> evidence do you have that they portscanned your machine?  especially if
> they break into the system anyways.
> The purpose of a honeypot, is to give an idea of a vulnerable system,
> to see what they do.  Some of these various analyses of some of these
> trojans, and rootkits wouldn't exist without the use of honeypots,
> since these machines give just enough access to allow someone to gain
> access and to put all kinds of backholes into the system, but not
> enough to actually be useful.
> Jason
> On 8 Mar 2002 at 22:23, Martin Roesch wrote:
> Date sent:              Fri, 08 Mar 2002 22:23:21 -0500
> Subject:                Re: [Snort-users] VERY simple 'virtual' honeypot
> From:                   Martin Roesch <roesch at ...1935...>
> To:                     Lance Spitzner <lance at ...2024...>,
>         "Snort-Users (E-mail)" <snort-users at lists.sourceforge.net>,
>         <honeypots at ...35...>
> > A couple thoughts on the topic...
> >
> > 1) Just watching unused IP/port space with a set of rules is what I usually
> > call "trap rules", rules that trap packets going places they shouldn't be.
> > This is a poor man's honeypot and it's very good at picking up scans, port
> > probes and general noise on the network.  It's not all that great at doing
> > the primary thing that honeypots are good at when used in a production role
> > as network intrusion detection auxiliaries that let you gauge the intent of
> > an attacker.
> >
> > The idea for trap rules came from a paper that Marcus Ranum wrote a year or
> > two back about "playing the home field advantage" and using the knowledge of
> > your network that you inherently have as the admin to set up monitoring
> > capabilities that will monitor the dead spaces on a network.
> >
> > 2) For people with money, there's a product out there from a company called
> > ForeScout that does active jamming of scanners.  When I talk about active
> > jamming, I'm referring to it in the electronic warfare sense.  What
> > ForeScout's product (ActiveScout) does is watch for scanning activity and
> > send out false responses to project false targets back to an attacker
> > performing recon.  This works conceptually in the same way that some active
> > radar jammers do, generating false targets at the attacker's workstation and
> > causing havoc with his targeting (i.e. Finding out which targets are real so
> > that you can launch an attack).
> >
> > I found this to be an extremely nifty idea although I don't know how well
> > they've implemented it.  It might be entertaining to modify the active
> > response mechanisms in Snort to do something similar...
> >
> > For more info on these topics, search for various rants from me containing
> > keywords like "production honeypot vs. research honeypot", "packet traps"
> > and "no hardware no cry". :)
> >
> >      -Marty
> >
> >
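
The "trap rules" idea from the quoted message above (use what you know about your own network to watch its unused IP/port space), sketched as an added example that is not part of the original thread and is not Snort code. The site network, live-service inventory, log format and sweep threshold are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed site layout (constructed): one /24 with only two live hosts.
SITE_NET = ipaddress.ip_network("192.0.2.0/24")
LIVE_SERVICES = {ipaddress.ip_address("192.0.2.10"): {25, 80},
                 ipaddress.ip_address("192.0.2.20"): {22}}

# Constructed sample records in a hypothetical format: time src dst dport
SAMPLE_LOG = """\
2002-03-09T11:00:01 198.51.100.7 192.0.2.10 80
2002-03-09T11:00:02 198.51.100.7 192.0.2.11 80
2002-03-09T11:00:02 198.51.100.7 192.0.2.12 80
2002-03-09T11:00:03 198.51.100.7 192.0.2.13 80
2002-03-09T11:04:10 203.0.113.5 192.0.2.20 23
2002-03-09T11:05:00 203.0.113.9 192.0.2.10 25
truncated line
"""

def classify(dst, dport):
    """Return None for traffic to a real service, else the trap it hit."""
    if dst not in SITE_NET:
        return None                      # not our address space
    ports = LIVE_SERVICES.get(dst)
    if ports is None:
        return "dead-address"            # nothing lives at this IP
    return None if dport in ports else "dead-port"

def trap_hits(log_text):
    """Map each source to the set of (kind, dst, port) traps it touched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                     # skip malformed records
        _, src, dst, dport = fields
        try:
            dst_ip, port = ipaddress.ip_address(dst), int(dport)
        except ValueError:
            continue
        kind = classify(dst_ip, port)
        if kind:
            hits[src].add((kind, str(dst_ip), port))
    return dict(hits)

def summarize(log_text, sweep_threshold=3):
    """Label a source 'sweep' at >= threshold distinct traps, else 'probe'."""
    return {src: ("sweep" if len(t) >= sweep_threshold else "probe", len(t))
            for src, t in trap_hits(log_text).items()}
```

Traffic to a live service never appears in the result, so any source listed has touched space that no legitimate client has a reason to reach.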
