 
From: Rick Francis (rfrancismindspring.com)
Date: Fri Mar 08 2002 - 08:13:33 CST


    eventually, through honey-code, me-thinks, a
    counter-attack system will be developed that
    can automate a range of responses to specific
    patterns. eventually this could be the
    responsibility of the honeypotbot.

    rf

    -----Original Message-----
    From: Lance Spitzner [mailto:lancehoneynet.org]
    Sent: 07 March, 2002 10:34 PM
    To: Snort-Users (E-mail); honeypotssecurityfocus.com
    Subject: VERY simple 'virtual' honeypot

    Most honeypots work on the same concept, a system that has no
    production activity. You deploy a box that has no production
    value, any packets going to that box indicate a probe, scan, or
    attack. This helps reduce both false positives and false
    negatives. Examples of such honeypots include BackOfficer Friendly,
    DTK, ManTrap, Specter, and Honeynets.

    However, I was just thinking, why bother deploying the box?
    Why not create a list of Snort rules that generate an alert
    whenever a TCP/SYN packet or UDP packet is sent to an IP
    address that has no system? This could indicate a probe,
    scan or attack, the same principles of a honeypot, but
    without deploying an actual system.

    Of course this does not give you the Data Capture capabilities
    of a honeypot, as there is no system for the attacker to
    interact with. However, this could be used to help detect
    scanning or probing activity.

    Thoughts?

    --
    Lance Spitzner
    http://project.honeynet.org
    

    --------------------------------------------------------------------- To unsubscribe, e-mail: honeypots-unsubscribesecurityfocus.com For additional commands, e-mail: honeypots-helpsecurityfocus.com --------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities. Please, see: https://alerts.securityfocus.com/
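
Added example, not part of either message above: one way to generate the kind of Snort rules the original message describes, alerting on TCP SYN or UDP packets sent to addresses with no system behind them. The subnet, live-host list, function names and sid values are constructed for illustration.

```python
import ipaddress

# Constructed sample inventory: a documentation-range subnet and the
# addresses that actually have a system on them.
SUBNET = "192.0.2.0/28"
LIVE_HOSTS = ["192.0.2.1", "192.0.2.2", "192.0.2.10"]


def dark_blocks(subnet, live_hosts):
    """Return the unused host addresses of `subnet` as collapsed CIDR blocks."""
    net = ipaddress.ip_network(subnet)
    live = {ipaddress.ip_address(h) for h in live_hosts}
    stray = sorted(h for h in live if h not in net)
    if stray:
        # An inventory error here would silently widen or shift the rule set.
        raise ValueError(f"live host(s) outside {net}: {stray}")
    # hosts() skips the network and broadcast addresses, which can receive
    # legitimate traffic and would only add noise.
    unused = [ipaddress.ip_network(str(a)) for a in net.hosts() if a not in live]
    return list(ipaddress.collapse_addresses(unused))


def snort_rules(subnet, live_hosts, base_sid=1000001):
    """Build one TCP SYN rule and one UDP rule covering every unused address."""
    blocks = dark_blocks(subnet, live_hosts)
    if not blocks:
        return []  # nothing unused, so no rules to emit
    dst = "[" + ",".join(str(b) for b in blocks) + "]"
    return [
        f'alert tcp any any -> {dst} any '
        f'(msg:"Virtual honeypot: TCP SYN to unused address"; '
        f'flags:S; sid:{base_sid}; rev:1;)',
        f'alert udp any any -> {dst} any '
        f'(msg:"Virtual honeypot: UDP to unused address"; '
        f'sid:{base_sid + 1}; rev:1;)',
    ]


if __name__ == "__main__":
    for rule in snort_rules(SUBNET, LIVE_HOSTS):
        print(rule)
```

The rule set has to be regenerated whenever a host is added to or removed from the subnet, otherwise a newly deployed system will trigger alerts on its normal traffic.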
