Bleeding Snort Hosts bait-and-switch Snort Enhancement
The Bleeding Snort project announced a new Snort preprocessor called bait-and-switch. It's currently available as a patch to Snort 2.4.0. Snort must be running in inline mode, and the current implementation is Linux-specific as it uses SNAT and DNAT features of IPTables.
bait-and-switch lets inline Snort users create rules that redirect traffic when bait-and-switch rules are triggered. The idea is to send suspicious source IPs to another host (perhaps a honeypot) when their actions trigger specially designed rules. I think this is a novel idea but I do not see it being used in most production networks. Will Metcalf says his implementation is a rewrite of an idea by Jack Whitsitt (aka jofny) of Violating.us. I expect to see resources like this used in honeynets, research locations, and tightly-controlled, high-value networks where policies are defined well enough to justify triggering redirection.
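The redirection is easier to reason about once the NAT rules are spelled out. What follows is an added example, not code from Bleeding Snort, from the bait-and-switch patch, or from Will Metcalf's or Jack Whitsitt's implementations: a POSIX shell script that parses a Snort fast-format alert line (a constructed sample, not a real log) and emits the iptables DNAT and SNAT rules that would send that alert's source to a honeypot while letting the honeypot answer as the host the attacker was probing. The addresses 203.0.113.7, 192.0.2.10 and 192.0.2.250, the `bas:` rule comment, the `DRY_RUN` switch and the function names are all assumptions; the exact rules the real preprocessor installs may differ.

```shell
#!/bin/sh
# Added example, not part of bait-and-switch or Bleeding Snort: model the
# preprocessor's redirect as plain iptables NAT rules driven by a Snort alert.
# Assumed topology: Snort runs inline on a Linux box that forwards traffic
# between the attacker and the protected host, and the honeypot is reachable
# from that same box. All addresses below are hypothetical.

# Print the iptables commands instead of running them unless DRY_RUN=0,
# so the script can be read and tested without root or a NAT-capable kernel.
: "${DRY_RUN:=1}"
: "${IPT:=iptables}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Install the two NAT rules for one attacker.
# $1 = attacker IP, $2 = protected host IP (what the attacker was talking to),
# $3 = honeypot IP. The "bas:<attacker>" comment tags the rules for cleanup.
bait_and_switch_add() {
    # PREROUTING DNAT: new connections from the attacker to the protected host
    # are rewritten to the honeypot before the routing decision. Conntrack
    # reverses the rewrite on the replies, so the attacker still sees $2.
    run -t nat -A PREROUTING -s "$1" -d "$2" -m comment --comment "bas:$1" \
        -j DNAT --to-destination "$3"
    # POSTROUTING SNAT: anything the honeypot itself originates towards the
    # attacker carries the protected host's address, so the honeypot's own
    # identity is not leaked by its outbound traffic.
    run -t nat -A POSTROUTING -s "$3" -d "$1" -m comment --comment "bas:$1" \
        -j SNAT --to-source "$2"
}

# Remove the rules installed by bait_and_switch_add (same arguments, same spec).
bait_and_switch_del() {
    run -t nat -D PREROUTING -s "$1" -d "$2" -m comment --comment "bas:$1" \
        -j DNAT --to-destination "$3"
    run -t nat -D POSTROUTING -s "$3" -d "$1" -m comment --comment "bas:$1" \
        -j SNAT --to-source "$2"
}

# Extract "src dst" from a Snort fast-format alert line. Ports are optional
# (ICMP alerts have none). Returns 1 and prints nothing if the line does not
# carry an address pair.
alert_ips() {
    printf '%s\n' "$1" |
        sed -n 's/.* \([0-9][0-9.]*\)\(:[0-9]*\)\{0,1\} -> \([0-9][0-9.]*\)\(:[0-9]*\)\{0,1\}.*/\1 \3/p' |
        grep .
}

# Turn one alert into a redirect: the alert's source becomes the attacker and
# its destination the host to impersonate. $1 = alert line, $2 = honeypot IP.
redirect_on_alert() {
    ips=$(alert_ips "$1") || return 1
    bait_and_switch_add "${ips%% *}" "${ips#* }" "$2"
}

# Constructed sample alert in Snort's fast format; not a real Snort log line.
SAMPLE_ALERT='10/19-12:00:00.000000  [**] [1:1000001:0] BAIT admin page probe [**] [Priority: 2] {TCP} 203.0.113.7:4444 -> 192.0.2.10:80'

redirect_on_alert "$SAMPLE_ALERT" 192.0.2.250
```

Two caveats a deployment has to live with: the nat table is consulted only for the first packet of a connection, so a session the attacker already had open to the real host keeps going there and only new connections are diverted, which is why the redirect has to be installed at the first trigger; and the honeypot's replies must traverse the same box that holds the conntrack entry, since an asymmetric return path leaves the DNAT un-reversed and the attacker sees the honeypot's real address.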
Update: Here's the original Sourceforge site.