Snort mailing list archives

RE: VERY simple 'virtual' honeypot


From: Dan Hollis <goemon () anime net>
Date: Sat, 9 Mar 2002 05:59:40 -0800 (PST)

On Sat, 9 Mar 2002, Ofir Arkin wrote:
> In my opinion it will be missing the main point of a Honeynet.
> We all know that we can cut the foreplay pretty fast (scanning, probing)
> and hit the site with an exploit even without the scanning attempt (read
> this in the context :P). But then what? Exploit fails, not much
> information gained, and we miss the funny part.

If we set up a wide network of trusted, distributed sensors, then we can 
set up an auto-countermeasures system. E.g. blackhole routing those networks 
which originate scanning attacks which are detected at N or more sensors.

Only TCP scans with full TCP handshakes would be used, since UDP can be 
spoofed. A nice sensor net of LaBreas geographically distributed would
make a nice countermeasures net.

Of course to be *really* effective, a number of exchange points or a large 
number of individual peers would have to subscribe into the blackhole
list.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]
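
The N-or-more-sensors threshold described in the message above, as an added example that is not part of the original post: it counts distinct sensors per source network and ignores UDP and incomplete TCP handshakes because those sources can be spoofed. The report tuple layout, the /24 grouping, the time window and the exempt list are assumptions made for illustration, and the sample reports are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample reports (assumed layout):
# (sensor_id, epoch_seconds, protocol, handshake_completed, source_ip)
REPORTS = [
    ("sensor-a", 1000, "tcp", True,  "192.0.2.10"),
    ("sensor-b", 1100, "tcp", True,  "192.0.2.77"),
    ("sensor-c", 1200, "tcp", True,  "192.0.2.10"),
    ("sensor-a", 1300, "udp", False, "198.51.100.5"),   # UDP: spoofable, ignored
    ("sensor-b", 1310, "udp", False, "198.51.100.5"),
    ("sensor-c", 1320, "udp", False, "198.51.100.5"),
    ("sensor-a", 1400, "tcp", False, "203.0.113.9"),    # SYN only: spoofable, ignored
    ("sensor-b", 1410, "tcp", False, "203.0.113.9"),
    ("sensor-c", 1420, "tcp", False, "203.0.113.9"),
    ("sensor-a", 1500, "tcp", True,  "203.0.113.200"),
    ("sensor-a", 1600, "tcp", True,  "203.0.113.201"),  # same sensor again: counted once
    ("sensor-b", 100,  "tcp", True,  "203.0.113.202"),  # stale at now=4000, window=3600
]

def blackhole_candidates(reports, n_sensors=3, window=3600, now=4000,
                         prefix_len=24, exempt=()):
    """Networks reported by at least n_sensors distinct sensors inside the window."""
    exempt_nets = [ipaddress.ip_network(e) for e in exempt]
    sensors_by_net = defaultdict(set)
    for sensor, ts, proto, handshake, src in reports:
        # Only a completed TCP handshake proves the source address was not forged.
        if proto != "tcp" or not handshake:
            continue
        if not (now - window <= ts <= now):
            continue
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        # Assumed safety valve: never list networks the operator has exempted.
        if any(net.overlaps(e) for e in exempt_nets):
            continue
        sensors_by_net[net].add(sensor)
    return sorted(str(net) for net, seen in sensors_by_net.items()
                  if len(seen) >= n_sensors)

if __name__ == "__main__":
    print(blackhole_candidates(REPORTS))
```
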

