From: James Hoagland (hoagland@SiliconDefense.com)
Date: Fri Mar 08 2002 - 10:55:31 CST

    At 10:34 PM -0600 3/7/02, Lance Spitzner wrote:
    >Most honeypots work on the same concept, a system that has no
    >production activity. You deploy a box that has no production
    >value, any packets going to that box indicate a probe, scan, or
    >attack. This helps reduce both false positives and false
    >negatives. Examples of such honeypots include BackOfficer Friendly,
    >DTK, ManTrap, Specter, and Honeynets.
    >
    >However, I was just thinking, why bother deploying the box?
    >Why not create a list of Snort rules that generate an alert
    >whenever a TCP/SYN packet or UDP packet is sent to an IP
    >address that has no system? This could indicate a probe,
    >scan or attack, the same principles of a honeypot, but
    >without deploying an actual system.
    >
    >Of course this does not give you the Data Capture capabilities
    >of a honeypot, as there is no system for the attacker to
    >interact with. However, this could be used to help detect
    >scanning or probing activity.
    >
    >Thoughts?

    Hello Lance,

    This is basically what Spade does. In addition it catches packets to
    unused or rarely used ports on valid IPs. Basically how it operates is that
    it keeps a summary record of packets (by default the dest IP and dest
    port combo) it has seen. From that it can assign an anomaly score
    based on the unusualness of a new packet. For more details, you
    might be interested in reading our "Practical Automated Detection of
    Stealthy Portscans" paper on Silicon Defense's web site:

       http://www.silicondefense.com/research/pubs.htm

    Stuart wrote a pretty good section (IMHO) in this about stealthy
    portscans, scan footprints, etc. You can also read how we got Spade
    to be as fast as it is. (Running Snort Spade-only on our local
    office's server processed a file of 1.25 million SYN packets in a
    little over a minute. YMMV of course.)

    Best regards,

       Jim

    -- 
    |*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
    |*            --- Silicon Defense: IDS Solutions ---             *|
    |*  hoagland@SiliconDefense.com, http://www.silicondefense.com/ *|
    |*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
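As an added illustration (not part of this thread and not Spade's own code), the following Python combines the two ideas discussed above: Lance's rule that any TCP SYN or UDP packet to an address with no system behind it is suspect, and the Spade approach Jim describes, a summary record of (dest IP, dest port) pairs seen from which each new packet gets an anomaly score by how unusual it is, modelled here as -log2 of its estimated probability. The baseline traffic, probe packets, live-host list and the alert threshold of 8.0 are all constructed for the example.

```python
from collections import Counter
from ipaddress import ip_address
from math import log2
# Constructed baseline (not real traffic): (dst IP, dst port) pairs a small site might see.
BASELINE = [("192.168.1.10", 80)] * 900 + [("192.168.1.20", 25)] * 100
LIVE_HOSTS = ["192.168.1.10", "192.168.1.20"]  # hypothetical list of addresses that have a system

class SpadeLikeScorer:
    def __init__(self, live_hosts, threshold=8.0):
        self.live_hosts = {ip_address(h) for h in live_hosts}
        self.threshold = threshold  # alert when -log2 P(dst IP, dst port) reaches this (assumed value)
        self.counts = Counter()     # summary record of (dst IP, dst port) combos seen so far
        self.total = 0

    def observe(self, dst_ip, dst_port):
        self.counts[(dst_ip, dst_port)] += 1
        self.total += 1

    def score(self, dst_ip, dst_port):
        # Rarer combos score higher; the +1 smoothing keeps never-seen combos finite.
        p = (self.counts[(dst_ip, dst_port)] + 1) / (self.total + 1)
        return -log2(p)

    def check(self, proto, dst_ip, dst_port, tcp_flags=""):
        """Return (score, reasons) for one packet, then fold the packet into the history."""
        s, reasons = self.score(dst_ip, dst_port), []
        if proto == "UDP" or (proto == "TCP" and tcp_flags == "S"):  # connection attempts only
            if ip_address(dst_ip) not in self.live_hosts:  # Lance's rule: no system at this address
                reasons.append("dark-ip")
            if s >= self.threshold:  # Spade's case: unused or rarely used port on a valid IP
                reasons.append("rare-dst")
        self.observe(dst_ip, dst_port)
        return s, reasons

# Constructed probe traffic: (proto, dst IP, dst port, TCP flags)
PROBES = [("TCP", "192.168.1.10", 80, "S"),     # ordinary web SYN
          ("TCP", "192.168.1.77", 22, "S"),     # SYN to an address with no host
          ("TCP", "192.168.1.10", 31337, "S"),  # SYN to an unused port on a live host
          ("TCP", "192.168.1.20", 25, "A")]     # mid-stream ACK, not a connection attempt
def run_demo():
    scorer = SpadeLikeScorer(LIVE_HOSTS)
    for ip, port in BASELINE:  # learn what normal looks like
        scorer.observe(ip, port)
    alerts = []
    for proto, ip, port, flags in PROBES:
        score, reasons = scorer.check(proto, ip, port, flags)
        if reasons:
            alerts.append((ip, port, round(score, 1), reasons))
    return alerts
```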