Re: [Snort-inline-users] Re: attack redirection

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Sun, 18 May 2003, Ray Stirbei wrote:

> 
> Forescout ( http://www.forescout.com/index.html) sells a product that works
> with commercial firewall and IPS vendors.  It detects all kinds of scans and
> returns dummy server information. Then any traffic to these dummy servers can
> be filtered. You can replace the dummy server addresses with your
> honeypot(s).
> 
> I agree this would be a great feature to snort and I have copied the
> snort-inline list.
> Best regards

> >        I'm looking for some program to redirect an attack on my web server
> > to a honeypot. Maybe triggered by number of hits in a given time or by
> > certain requests. Does such a thing exist? Where can I get it? Or would I
> > have to write some kind of script?

There is already something similar to this, called Bait-n-Switch.
While very beta, you may want to check it out.

    http://violating.us/projects/baitnswitch/

lance