Using an IDS to redirect hostile traffic to a Honeypot

From: Jack Whitsitt (jofny) (xaphan@violating.us)
Date: 02/23/03

    Date: Sat, 22 Feb 2003 21:18:26 -0500 (EST)
    From: "Jack Whitsitt (jofny)" <xaphan@violating.us>
    To: <honeypots@securityfocus.com>, <snort-users@lists.sourceforge.net>, <members@violating.us>, <focus-ids@securityfocus.com>
    
    

    All:

    For a few months I've been looking for a more interesting way to make an
    IDS interactive than just dropping route or resetting sessions. What
    we've come up with is some code for Linux that will, in combination with
    snort, actively redirect traffic from hostile source IPs to a honeypot.

    Using this system, you can set up a production server and a honeypot -
    both with the same IP (and potentially the same MAC) address - behind a
    gateway box and let snort decide which machine the traffic goes to.

    Files and information can be found at:

    http://violating.us/projects/baitnswitch/

    or

    http://baitnswitch.sourceforge.net

    There are certain things I need to point out:

    1. B&S does not mirror session state right now. There are important
    non-technical reasons for *not* doing so, but we're looking into resolving
    them over the next few months.
    2. Your snort ruleset on the gateway/routing box needs to be very specific
    and very toned down. It's not meant to be your primary IDS and it's not
    meant to replace a good firewall. It is an *additional* layer of network
    security. In recent emails I've seen talk about honeytokens. This would
    be a very good way to react to seeing those tokens pass through your
    system. You should never see xxxx.doc or "root" pass through your
    traffic? Redirect the source IP to your honeypot.

    3. This is for information that people are going to make repeated
    attempts against. This is not good for your scan-the-world kids. However,
    since it does drop all sessions from the hostile source IP, you're not
    worse off than you are if you're just dropping route. In fact, you
    can potentially gain more information about the intruder if they choose to
    return - they'll be going to your honeypot now.

    4. The code is listed as beta, but that is mostly due to configuration and
    interface features I'd like to add in the short-term. The code works with
    no known bugs as-is, although we're going to harden the code in the next
    releases.

    Those things said, hopefully this system will be useful to some people
    or (at the very least) provide some interesting suggestions as to how
    IDSs and Honeypot technology can be combined.

    Have a good day -

    Jack Whitsitt (jofny)

    -------------------------------------------
    xaphan@violating.us | electr0n@violating.us

    Violating Networks
    http://www.violating.us
    -------------------------------------------
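The mechanism the post describes, snort deciding per source IP whether traffic reaches the production host or the honeypot, can be illustrated with a small defender-side script. The example below is an added illustration and is not Bait & Switch's own code nor anything from the original post. It parses a few constructed Snort "alert_fast" style lines, keeps only alerts from a deliberately narrow set of "trigger" rule IDs (the honeytoken-style rules the post recommends), skips sources inside an exempt management network, and emits the iptables DNAT and conntrack commands that would steer later packets from those sources to the honeypot and tear down their existing sessions. The SID values, IP addresses and the alert text are constructed; the honeypot is assumed to sit on a separate internal address (198.51.100.20) rather than sharing the production IP as the post's setup does, and the commands are printed rather than executed so the rules can be reviewed before use.

```python
"""Turn a narrow set of Snort alerts into per-source honeypot redirects (added example)."""
import re
from ipaddress import ip_address, ip_network

# Constructed Snort "alert_fast" style lines; sample data, not output from any real sensor.
# SIDs 1000001/1000002 stand in for local honeytoken rules; SID 2000 is a noisy rule that
# must NOT trigger a redirect (the post warns the gateway ruleset has to be very specific).
SAMPLE_ALERTS = """\
02/22-21:18:26.100001  [**] [1:1000001:1] BNS honeytoken root seen in payload [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:4321 -> 198.51.100.10:80
02/22-21:18:27.100002  [**] [1:1000002:1] BNS honeytoken xxxx.doc requested [**] [Classification: Attempted Information Leak] [Priority: 1] {TCP} 10.0.0.5:51000 -> 198.51.100.10:80
02/22-21:18:28.100003  [**] [1:2000:3] Generic portscan noise [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.0.2.9:40000 -> 198.51.100.10:22
02/22-21:18:29.100004  [**] [1:1000001:1] BNS honeytoken root seen in payload [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:4322 -> 198.51.100.10:80
02/22-21:18:30.100005  [**] [1:1000001:1] BNS honeytoken root seen in payload [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {ICMP} 203.0.113.55 -> 198.51.100.10
"""

# Matches the "[**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst" part of an alert_fast line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def _split_endpoint(endpoint):
    """'203.0.113.7:4321' -> ('203.0.113.7', 4321); a port-less endpoint (ICMP) -> (ip, None).
    IPv4 only, which matches the 2003-era setup the post describes."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def parse_alert(line):
    """Return a dict describing one alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    src_ip, src_port = _split_endpoint(m.group("src"))
    dst_ip, dst_port = _split_endpoint(m.group("dst"))
    return {
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "proto": m.group("proto"),
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def select_sources(alert_lines, trigger_sids, exempt_nets):
    """Collect unique source IPs whose alerts came from a trigger rule and are not exempt.
    Only the small, deliberately chosen trigger set causes a redirect; everything else is ignored."""
    exempt = [ip_network(n) for n in exempt_nets]
    chosen = []
    for line in alert_lines:
        alert = parse_alert(line)
        if alert is None or alert["sid"] not in trigger_sids:
            continue
        src = ip_address(alert["src_ip"])
        if any(src in net for net in exempt):
            continue  # never redirect your own management hosts on a false positive
        if alert["src_ip"] not in chosen:
            chosen.append(alert["src_ip"])
    return chosen


def build_redirect_rules(sources, production_ip, honeypot_ip):
    """Produce the gateway commands for each hostile source: DNAT future packets aimed at
    the production address to the honeypot, then drop the source's existing conntrack
    entries so its current sessions die, as the post says B&S does. Commands are returned
    as strings for review; nothing is executed here."""
    rules = []
    for src in sources:
        rules.append(
            f"iptables -t nat -A PREROUTING -s {src} -d {production_ip} "
            f"-j DNAT --to-destination {honeypot_ip}"
        )
        rules.append(f"conntrack -D -s {src}")  # assumes conntrack-tools on the gateway
    return rules


if __name__ == "__main__":
    hostile = select_sources(SAMPLE_ALERTS.splitlines(),
                             trigger_sids={1000001, 1000002},
                             exempt_nets=["10.0.0.0/8"])
    for cmd in build_redirect_rules(hostile, "198.51.100.10", "198.51.100.20"):
        print(cmd)
```

Run against the constructed alerts, the script redirects 203.0.113.7 and 203.0.113.55 only: the 10.0.0.5 hit is exempt, the portscan SID is not in the trigger set, and the repeated alert from 203.0.113.7 yields a single rule. In a real deployment the trigger set should stay as small as the post advises, since every SID in it grants an external party the ability to get itself (or a spoofed source) redirected.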

