[Snort-users] IDS and Honeypots

dreamwvr at ...5273... dreamwvr at ...5273...
Sun Mar 10 13:14:02 EST 2002


On Fri, Mar 08, 2002 at 06:15:07AM -0800, snort-users-request at lists.sourceforge.net wrote:
>
> Of course this does not give you the Data Capture capabilities
> of a honeypot, as there is no system for the attacker to
> interact with.  However, this could be used to help detect
> scanning or probing activity.
>
> Thoughts?
>
  Hi,
          Well, maybe/maybe not, it depends. One way it could be
integrated: add an optional method/function that handles a response
to the injected attack string. Then return the expected result. Then
Snort adds this to the rule syntax. Voila.

IOW it, if need be, opens a rand socket
that is not bidirectional and injects the response or something
like that.. That would work for UDP anyhow.. TCP, well, then you
need to complete the triple play. However, it could be handled
in a similar fashion. That way it might narrow the exact characteristics
of a threat for better analysis. The concept of the
virtual machine comes to mind; however, the sandbox would need to
be something like a write-once CD, for example. Well, need coffee
very_badly, bye.

Best Regards,
dreamwvr at ...5274...


--
/*  Security is a work in progress - dreamwvr                 */
#
# Note: To begin Journey type man afterboot,man help,man hier[.]
#
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]

