Snort mailing list archives

Re: VERY simple 'virtual' honeypot


From: "Kurt Seifried" <bugtraq () seifried org>
Date: Thu, 7 Mar 2002 22:20:27 -0700

Kind of, it simply sends responses, but holds the TCP window open for as long
as possible, the theory being that if a sizable percentage of people ran
LaBrea, scans, probes and attacks would take a lot longer. Problem is most
scans can simply have a timeout (--host_timeout in nmap) and attacks won't
really care since most are automated (à la Code Red/Nimda). What would help
is if you have a network, someone scans it stealthily (let's say 1 packet
per day), when they try to attack they will end up attacking non-existent
services/systems, hopefully creating more noise that you can catch.
Ultimately if you can a netblock and every single address responds with
let's say 10 ports open, attacking them is going to be very very noisy.

Problem with LaBrea is it really only works if lots and lots of people
deploy it. With something like fake scan answers that immediately helps
protect you.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.idefense.com/digest.html

----- Original Message -----
From: "Thomas Porter, Ph.D." <tporter () dtool com>
To: "'Kurt Seifried'" <bugtraq () seifried org>; "'Lance Spitzner'"
<lance () honeynet org>; "'Snort-Users (E-mail)'"
<snort-users () lists sourceforge net>; <honeypots () securityfocus com>
Sent: Thursday, March 07, 2002 10:12 PM
Subject: RE: VERY simple 'virtual' honeypot


Doesn't LaBrea work on this principle?

Thomas Porter, Ph.D.
ScorpionPoint Security
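
Added example, not part of the original thread or either poster's code: a small detector for the "noise" described above, counting per source the connections that land on addresses or ports with no real service behind them. The netblock, the real-service inventory, the log format and all log lines are constructed assumptions; no time window is applied, so a one-packet-per-day scan still accumulates.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (constructed): monitored netblock and the only real services in it.
# Every other address/port in the block answers as a decoy.
NETBLOCK = ip_network("192.0.2.0/24")
REAL_SERVICES = {("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.25", 25)}

# Constructed log, one connection per line: timestamp source destination port
SAMPLE_LOG = """\
2002-03-01T03:14:00 198.51.100.7 192.0.2.44 21
2002-03-02T03:20:00 198.51.100.7 192.0.2.45 80
2002-03-03T02:58:00 198.51.100.7 192.0.2.10 8080
2002-03-03T09:00:00 203.0.113.5 192.0.2.10 80
2002-03-03T09:01:00 203.0.113.5 192.0.2.10 443
2002-03-04T11:30:00 203.0.113.9 192.0.2.25 25
2002-03-04T11:31:00 203.0.113.9 192.0.2.200 25
2002-03-04T12:00:00 203.0.113.9 10.0.0.1 22
"""

def parse(log):
    """Yield (timestamp, src, dst, port) tuples, skipping blank lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield ts, src, dst, int(port)

def decoy_hits(log, netblock=NETBLOCK, real=REAL_SERVICES):
    """Group connections to non-existent services in the netblock by source."""
    hits = defaultdict(list)
    for ts, src, dst, port in parse(log):
        # Traffic outside the monitored block is ignored; inside it, anything
        # not in the real-service inventory reached a fake answer.
        if ip_address(dst) in netblock and (dst, port) not in real:
            hits[src].append((ts, dst, port))
    return dict(hits)

def alerts(log, threshold=1):
    """Sources with at least `threshold` decoy contacts, noisiest first."""
    counts = [(src, len(h)) for src, h in decoy_hits(log).items()]
    return sorted((c for c in counts if c[1] >= threshold),
                  key=lambda c: (-c[1], c[0]))

if __name__ == "__main__":
    for src, n in alerts(SAMPLE_LOG):
        print(f"{src} touched {n} decoy service(s)")
```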



