From: Michael Clark (mikehoneynet.org)
Date: Fri May 17 2002 - 10:14:33 CDT

    Interesting. Is snort acting on a gateway device? Can you redirect that
    initial packet to the honeynet? Or does it just direct the rest of the
    packets to it?

    One issue might be if there isn't a snort rule for an attack, it'd prolly
    still go to the production network.

    Mike

    On Fri, 17 May 2002, Per Loekkemyhr wrote:

    > Hi,
    >
    > We have done something like this with snort.
    > A dynamic routing mechanism directs suspicious traffic to our honeypot,
    > while "normal" traffic goes to the production system.
    >
    > Snort inspects the packets and raises alerts according to the rule-set.
    > I use a unix socket program which listens for alerts and issues system
    > commands when things like scans are detected.
    > The system commands actually insert new rules in iptables.
    > i.e
    > I attach a copy of the program which we built on (can't find back the url).
    >
    > Good luck
    >
    > Per Loekkemyhr
    >
    >
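
The alert-to-iptables step discussed in this thread, as an added example that is not the program attached to the original message: it parses Snort "fast" alert lines and builds one DNAT rule per offending source, returned as argv lists rather than executed. The honeypot address, the protected network, the function name and the sample alerts are all assumptions constructed for illustration. A rule inserted this way only affects packets that arrive after the alert, and traffic that matches no Snort rule produces no alert and no redirect.

```python
import ipaddress
import re

# Assumed addresses (documentation ranges), not taken from the thread.
HONEYPOT = "198.51.100.99"
# Sources that must never be redirected: a spoofed packet claiming to come
# from our own network should not be able to reroute production traffic.
NEVER_REDIRECT = [ipaddress.ip_network("198.51.100.0/24")]

# Snort "fast" alert line ends with: {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\].*\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::\d+)?\s*$")

def redirect_rules(alert_lines, honeypot=HONEYPOT):
    """Return one iptables argv list per new (source, destination) pair."""
    seen, rules = set(), []
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line
        try:
            # Validate before the value gets anywhere near a command line.
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if (src, dst) in seen or any(src in net for net in NEVER_REDIRECT):
            continue
        seen.add((src, dst))
        # argv list, no shell: alert text can never be interpreted as a command.
        rules.append(["iptables", "-t", "nat", "-I", "PREROUTING",
                      "-s", str(src), "-d", str(dst),
                      "-j", "DNAT", "--to-destination", honeypot])
    return rules

# Constructed sample alerts (local SIDs, documentation addresses).
SAMPLE_ALERTS = [
    "05/17-10:14:31.120001  [**] [1:1000001:1] Constructed ping sweep [**] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "05/17-10:14:32.300412  [**] [1:1000002:1] Constructed port scan [**] [Priority: 2] {TCP} 192.0.2.10:4312 -> 198.51.100.5:80",
    "05/17-10:14:33.000100  [**] [1:1000002:1] Constructed port scan [**] [Priority: 2] {TCP} 203.0.113.7:1025 -> 198.51.100.5:22",
    "05/17-10:14:33.500000  [**] [1:1000002:1] Constructed port scan [**] [Priority: 2] {TCP} 198.51.100.1:80 -> 198.51.100.5:80",
    "05/17-10:14:34.000000  [**] [1:1000002:1] Constructed port scan [**] [Priority: 2] {TCP} 999.1.1.1:80 -> 198.51.100.5:80",
    "snort: startup banner, not an alert",
]

if __name__ == "__main__":
    for argv in redirect_rules(SAMPLE_ALERTS):
        print(" ".join(argv))
```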
