Snort mailing list archives
Re: VERY simple 'virtual' honeypot
From: "George Bakos" <gbakos () ists dartmouth edu>
Date: Fri, 8 Mar 2002 19:02:16 -0400
Dude,

Using iptables and nc, you not only don't need a box, but can pull initial commands, as well:

    iptables -t nat -A PREROUTING -p tcp -d <unused ip address(es)> -j REDIRECT --to-ports 6666

    while true; do nc -w 2 -l -p 6666 2>/dev/null >> /var/log/datafile; done

The connection is established, and only survives while there is data present. Snort can pull the whole kit 'n kaboodle and you can ditch the redirect, unless you like redundancy. You might want to mark time in the datafile, to aid in correlation. If you aren't comfortable with netcat, any listener will do.

On 7 Mar 2002 at 22:34, thus spake Lance Spitzner:
> Of course this does not give you the Data Capture capabilities of a honeypot, as there is no system for the attacker to interact with. However, this could be used to help detect scanning or probing activity. Thoughts?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Any sufficiently advanced technology is indistinguishable from magic.
Arthur C. Clarke
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
George Bakos
alpinista () bigfoot com
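
Added example, not part of the original post or written by its author: a small Python listener that could stand in for the nc loop behind the same REDIRECT rule, stamping each capture with UTC time, source address and the pre-REDIRECT destination so entries can be correlated with Snort alerts. The function names, the JSON-lines log format and the 64 KB cap are assumptions; port 6666 and /var/log/datafile come from the post, and SO_ORIGINAL_DST is Linux-only.

```python
import json
import socket
import struct
import time

SO_ORIGINAL_DST = 80          # Linux netfilter sockopt (linux/netfilter_ipv4.h)
MAX_BYTES = 64 * 1024         # assumed cap so one peer cannot fill the disk

def original_dst(conn):
    """Address the client aimed at before REDIRECT rewrote it (IPv4, Linux)."""
    try:
        raw = conn.getsockopt(getattr(socket, "SOL_IP", 0), SO_ORIGINAL_DST, 16)
        port, ip = struct.unpack("!2xH4s8x", raw)   # struct sockaddr_in
        return socket.inet_ntoa(ip), port
    except OSError:            # no NAT entry (e.g. direct connection)
        return conn.getsockname()[:2]

def capture_one(server, log_path, idle=2.0):
    """Accept one connection, record what it sends, append one JSON line."""
    conn, peer = server.accept()
    chunks, total = [], 0
    with conn:
        conn.settimeout(idle)  # like `nc -w 2`: give up once the peer goes quiet
        dst = original_dst(conn)
        try:
            while total < MAX_BYTES:
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
        except OSError:        # idle timeout or reset ends the capture
            pass
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src": "%s:%d" % peer[:2],
        "dst": "%s:%d" % dst,
        # latin-1 maps bytes 1:1; json escapes control bytes, one record per line
        "data": b"".join(chunks).decode("latin-1"),
    }
    with open(log_path, "a") as fh:
        fh.write(json.dumps(record) + "\n")
    return record

if __name__ == "__main__":
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", 6666))            # port from the post's REDIRECT rule
    srv.listen(16)
    while True:
        capture_one(srv, "/var/log/datafile")   # path from the post
```

Because the payload is JSON-escaped, newlines or control bytes sent by a prober cannot forge extra log entries.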
