OpenBSD Journal

IDS's, Honeypots & little bears named Pooh

Contributed by Dengue on from the catchin-flies-with-honey-instead-of-vinegar dept.

Chris writes : "This isn't exactly an new item, but ever since you had that IDS poll I've been really interested in it. I installed snort and monitor it. I almost wish I had not installed it. We get scanned/probed/attacked at least 20 times a day, all from different IP's. I would have to hire 2 full time people to sort through these and follow up on them. Instead I have tighened up the firewall (OpenBSD of course)and hope nothing bad happens. How do you (and others) deal with these scans and probes? I've considered putting a linux box outside the firewall as a "honeypot" with bogus services on it to draw potential attackers away from firewall. Thanks in advance for any feedback."

I used to have the same problem, start up Snort and watch the alarms go off. In the past, I used to be much more aggressive about tracking abusers down and dealing with them than I am now. What methods are others using to handle cases of IP abuse? Which alarms trigger a response, and which alarms are ignored?

(Comments are closed)


Comments
  1. By Jim Swanson () jrswanson1@hotmail.com on mailto:jrswanson1@hotmail.com

    Um, leaving an open system out for the wolves may seem like a good idea at first, but when someone can launch a DoS from it on to your firewall, you will wish you hadn't. Plus, it could be used against someone else.

  2. By STeve Andre' () andres@msu.edu on mailto:andres@msu.edu

    Unfortunately, I think that scans/probes are going to be a part of life on the net, possibly forever.

    One can go nuts trying to contact all the ISP's where these invasive probes come from, or one can adopt a strategy where such probes don't matter, and get back to having a life once again.

    I prefer the latter approach.

    You aren't going to do anything truely useful by altering the ISP about the vandals probing you; in the event that a vandal strikes pay dirt, one of its victims is rather likely to make noise about them, giving a real (and valid) complaint, instead of just a probe report.

    Ultimately such reports remind me of tilting at digital windmills. Run a secure operating system and be done with the vandals.

  3. By mips () mips@perigord.com on no one

    Snort can help you to detect attacks or intrusions.
    You don't have to 'jump on your chair' at any message from snort, i got hundreds of them every day and i use some tools to view it in a better form than raw one to extract useful informations.
    You can see an example of using snort at http://packetstorm.securify.com/docs/infosec/forensics.kye.html , and you can get some ressources on the snort site to manage it's log files.

    mips

  4. By captain insano () on

    When I used to be the only sysadmin for a mid-sized Canadian ISP, the daily routine of sorting through log scanning-generated email was such an annoying routine, that I eventually stopped sending log snippets and complaints to the sources of attacks/probes, and dealt with real problems.

    What I think is important though is to keep some sort of diary (or simply yet-another-log file) with all these attacks/probes, and their source IPs/origins, to build some sort of a "scrapbook" of attackers.

    This is useful, takes little time, and your logs can assist the RCMP/FBI in assigning 500 hours of community work to that packet-honkey who DoS'ed one of your servers, making you get paged at 4:00am.

    :-)

  5. By Pierre Lamy () pierre@userid.org on http://www.userid.org

    Turn off ICMP (ping) responses. Lock down all ports and services. Install tripwire, portsentry, logcheck, snort. Use tcpwrappers.

    Go to sleep. Sleep like baby.

  6. By Jude () jude@photon.unm.edu on mailto:jude@photon.unm.edu

    We whipped up a little perl script that would tail a log file with a regular expression that matched the traffic that we were trying to block (password guessing attempts on a web server). When is saw that regular expression more than X times in Y minutes the perl script would add a new rule to the ipf.rules and restart the filter. We then log the IP to syslog and carry on business. At night we reset the rules. Poking at a box that is not returning any packets is not fun at all

  7. By Martin Roesch () roesch@hiverworld.com on http://www.snort.org

    Here's an obvious idea that you can implement with Snort that turns it into a sort of "poor man's honeypot". I call the concept "trap rules", and they are simply rules that look for traffic going to known closed ports or IPs that aren't in use. For instance, if you've got finger turned off on your entire network, you can set up a Snort rule looking for traffic headed to that port on your network and alert whenever it sees it.

    For example:

    alert tcp any any -> $HOME_NET 79 (flags: S; msg: "Finger TRAP!";)

    It's a pretty simple concept, but it can be powerful if done correctly. Basically, you use the home field advantage (as Marcus Ranum calls it) to catch suspicious activity.

    For more thoughts about honeypots in general, RFP's got an archive of a message I posted to the IDS mailing list last year. You can check it here:

    http://www.wiretrip.net/rfp/p/doc.asp?id=2&iface=2

  8. By Chris () cmiller82@netscape.net on mailto:cmiller82@netscape.net

    As one of the replies suggested I blocked all ICMP traffic and the number of scans and probes has dropped off to 1 or 2 a day from over 20 a day.

    Thanks Pierre Lamy!

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]