[Discussion] Hooks for Other than Blocking

Matt Jonkman jonkman at jonkmans.com
Sun Dec 21 18:22:20 UTC 2008


What if we were to integrate something like nepenthes into this? As a
side module. Instead of redirecting traffic to some other place, why
not just ingest it and let nepenthes generate faked responses?

So for instance we see a highly reliable netbios attack from an internal
host to another internal host. We then take all future traffic from the
attacker and push it into the nepenthes module for say 60 seconds. If
nepenthes reports real exploitation then we generate big red flashing
lights and continue to interfere with/drop all future traffic from that
attacker.

If nepenthes does not report exploitation we turn the redirect off and
let the alleged attacker go on their way, hopefully with only a minor
burp in network connectivity.

Matt

Thorsten Holz wrote:
> On 19.12.2008, at 21:17, Matt Jonkman wrote:
> 
>> I like this idea a lot as well. Snort bait n switch style, redirect an
>> attacker to a honeypot.
> 
> I like that idea, too! Could be interesting to divert traffic based on  
> certain characteristics. We played with bait 'n switch in the past and  
> could use it for several honeypot setups.
> 
> Cheers,
>    Thorsten
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
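
The divert-then-decide loop Matt sketches above, as an added illustration written for this page (it is not code from the OISF list, from Suricata, or from nepenthes): a per-source state table that moves a host from normal forwarding into a timed divert window on a high-confidence alert, blocks it permanently once the honeypot reports real exploitation, and releases it when the window expires without a verdict. The honeypot is modelled as an injected callback (nepenthes' real reporting interface is not assumed here); the 60-second window, the host addresses and the payloads are all constructed for the example.

```python
"""Divert-to-honeypot policy: a worked example of the idea in the post.

Added illustration, not code from the OISF list, Suricata or nepenthes.
The honeypot verdict is an injected callback; the sample hosts, payloads
and the 60 s window below are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class State(Enum):
    PASS = "pass"      # normal forwarding
    DIVERT = "divert"  # traffic is being fed to the honeypot module
    BLOCK = "block"    # exploitation confirmed: drop everything from this host


@dataclass
class Entry:
    state: State
    deadline: float = 0.0  # end of the divert window (seconds)


@dataclass
class DivertPolicy:
    # honeypot(src, payload) -> True when the honeypot reports real exploitation
    honeypot: Callable[[str, bytes], bool]
    window: float = 60.0
    table: Dict[str, Entry] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def on_alert(self, src: str, now: float) -> None:
        """High-confidence IDS alert for src: start (or restart) its divert window."""
        e = self.table.get(src)
        if e is not None and e.state is State.BLOCK:
            return  # already blocked; nothing to revisit
        self.table[src] = Entry(State.DIVERT, now + self.window)

    def handle(self, src: str, payload: bytes, now: float) -> str:
        """Decide for one packet from src at time now: 'forward', 'divert' or 'drop'."""
        e = self.table.get(src)
        if e is None or e.state is State.PASS:
            return "forward"
        if e.state is State.BLOCK:
            return "drop"
        # State.DIVERT: window still open?
        if now >= e.deadline:
            # Window expired without a verdict: release the host (the "minor burp").
            self.table[src] = Entry(State.PASS)
            return "forward"
        # Feed the honeypot; this packet is consumed by it either way.
        if self.honeypot(src, payload):
            self.table[src] = Entry(State.BLOCK)
            self.alerts.append(f"{src}: exploitation confirmed by honeypot")
        return "divert"


def fake_honeypot(src: str, payload: bytes) -> bool:
    """Constructed stand-in for the honeypot verdict: flags a marker byte string."""
    return b"EXPLOIT" in payload


# Constructed event stream: ("alert", t, src) or ("pkt", t, src, payload).
SAMPLE_EVENTS = [
    ("pkt", 0.0, "10.0.0.5", b"NBT name query"),          # before any alert
    ("alert", 1.0, "10.0.0.5"),                            # divert until t=61
    ("pkt", 2.0, "10.0.0.5", b"SMB negotiate"),
    ("alert", 5.0, "10.0.0.9"),                            # divert until t=65
    ("pkt", 10.0, "10.0.0.9", b"SMB negotiate"),
    ("pkt", 30.0, "10.0.0.5", b"SMB EXPLOIT shellcode"),   # honeypot confirms
    ("pkt", 31.0, "10.0.0.5", b"ping"),                    # now blocked
    ("pkt", 70.0, "10.0.0.9", b"SMB read"),                # window expired: released
    ("pkt", 400.0, "10.0.0.5", b"SMB read"),               # still blocked
]


def simulate(events, window: float = 60.0) -> Tuple[List[Tuple[str, str]], DivertPolicy]:
    """Run the policy over an event list; return (src, decision) per packet and the policy."""
    policy = DivertPolicy(honeypot=fake_honeypot, window=window)
    decisions: List[Tuple[str, str]] = []
    for ev in events:
        if ev[0] == "alert":
            _, t, src = ev
            policy.on_alert(src, t)
        else:
            _, t, src, payload = ev
            decisions.append((src, policy.handle(src, payload, t)))
    return decisions, policy


if __name__ == "__main__":
    decisions, policy = simulate(SAMPLE_EVENTS)
    for src, d in decisions:
        print(f"{src:10} {d}")
    for a in policy.alerts:
        print("ALERT:", a)
```

Two choices worth noting: a repeat alert during an open window restarts the timer rather than being ignored, and the packet on which the honeypot confirms exploitation is reported as diverted (it has already been consumed by the honeypot); only traffic after that point is dropped.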
