[Snort-users] Basic honeypot setup with Snort

J Doe general at ...17107...
Fri May 19 16:41:50 EDT 2017


Hi,

I currently have a host that I would like to turn into a honeypot. As a basic, first step, I'd like to capture the initial packet of an SMB request (port 445).

As it stands right now, my firewall blocks that port and the honeypot is neither Windows nor *nix with samba running. I am aware that I need to open port 445 so the three-way handshake can take place and then the attacking machine will send the first SMB packet, which can then be analyzed by Snort, but I'm wondering what software I can run to simply allow the first packet to be received.

I don't want to run samba as I don't actually want to receive random files and I don't currently have the time to code a listening service that leverages the samba library. What do other security practitioners do to make the port available for an initial packet? Is it customary to run something like netcat on that port? If so, can anyone recommend best practices for hardening the configuration of that software (i.e., run netcat in a Docker container, etc.)?

For reference, the honeypot will use Ubuntu 16.04 LTS, firewall via iptables and Snort version 2.9.9.0.

Thanks for your help,

- J
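The following is an added example, not code from the original post or from the Snort project: a capture-only TCP listener that does what the question asks of netcat, namely complete the three-way handshake, read the first client payload, record it, and close without ever replying. Because nothing is sent back, no SMB session or file transfer can proceed, while the first packet still crosses the wire for Snort to inspect. The `classify_payload` helper only labels what arrived, relying on two protocol facts: on port 445 each SMB message is prefixed by a 4-byte NetBIOS session service header (a zero byte plus a 3-byte big-endian length), and the SMB header itself begins with `\xffSMB` (SMB1) or `\xfeSMB` (SMB2/3). The `loopback_demo` function, the sample payload it sends and the record format are constructed for this example; binding port 445 on the real host requires root or `CAP_NET_BIND_SERVICE`, and the existing iptables rule blocking 445 has to be replaced with an ACCEPT for the packet to arrive at all.

```python
"""Capture-only listener for a honeypot port (constructed example, not the
poster's or Snort's code).  Accepts a connection, reads the first payload,
records it, and closes without answering."""
import socket
import threading
import time
from dataclasses import dataclass
from typing import Tuple

SMB1_MAGIC = b"\xffSMB"  # protocol id at the start of an SMB1 header
SMB2_MAGIC = b"\xfeSMB"  # protocol id at the start of an SMB2/SMB3 header


@dataclass
class Capture:
    peer: str            # client address
    port: int            # client source port
    when: float          # epoch time of the capture
    payload: bytes       # raw bytes of the first segment received
    protocol: str        # "smb1", "smb2", "empty" or "unknown"
    transport_ok: bool   # NetBIOS session header length matches the data


def classify_payload(data: bytes) -> Tuple[str, bool]:
    """Label the first packet seen on a direct-TCP SMB port without parsing it."""
    if not data:
        return "empty", False
    transport_ok = False
    body = data
    if len(data) >= 4 and data[0] == 0:
        # NetBIOS session service header: 0x00 + 3-byte big-endian length
        declared = int.from_bytes(data[1:4], "big")
        transport_ok = declared == len(data) - 4
        body = data[4:]
    if body.startswith(SMB2_MAGIC):
        return "smb2", transport_ok
    if body.startswith(SMB1_MAGIC):
        return "smb1", transport_ok
    return "unknown", transport_ok


def capture_first_packet(conn: socket.socket, addr, max_bytes: int = 4096,
                         timeout: float = 5.0) -> Capture:
    """Read one payload from an accepted connection, then close without replying."""
    conn.settimeout(timeout)
    try:
        data = conn.recv(max_bytes)
    except socket.timeout:
        data = b""  # client completed the handshake but never sent anything
    finally:
        try:
            conn.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        conn.close()
    proto, ok = classify_payload(data)
    return Capture(addr[0], addr[1], time.time(), data, proto, ok)


def open_listener(bind_addr: str = "0.0.0.0", port: int = 445) -> socket.socket:
    """Bind the honeypot port; port 445 needs root or CAP_NET_BIND_SERVICE."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    return srv


def accept_one(srv: socket.socket) -> Capture:
    """Accept a single connection and capture its first packet."""
    conn, addr = srv.accept()
    return capture_first_packet(conn, addr)


def format_record(cap: Capture) -> str:
    """One log line per capture: time, peer, label, length, first 64 bytes as hex."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(cap.when))
    return (f"{stamp} {cap.peer}:{cap.port} proto={cap.protocol} "
            f"transport_ok={cap.transport_ok} len={len(cap.payload)} "
            f"hex={cap.payload[:64].hex()}")


def loopback_demo() -> Capture:
    """Constructed self-test: ephemeral loopback port, fake SMB2 first packet."""
    srv = open_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    results = []
    worker = threading.Thread(target=lambda: results.append(accept_one(srv)))
    worker.start()
    # Constructed payload: SMB2 magic plus zero padding, not a real negotiate request
    smb2_body = SMB2_MAGIC + b"\x00" * 60
    frame = b"\x00" + len(smb2_body).to_bytes(3, "big") + smb2_body
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(frame)
    worker.join(5)
    srv.close()
    return results[0]


if __name__ == "__main__":
    # Replace with open_listener() / accept_one() in a loop for a live port
    print(format_record(loopback_demo()))
```

Running the script as shown exercises only the loopback self-test; for the live host, loop over `accept_one(open_listener())` and write `format_record` output to a file Snort's alerts can be correlated against by peer address and timestamp. A listener that never writes to the socket has no protocol logic to harden, which is the point of using it instead of samba.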