Tags: routes, virtual-machines, snort, network-security, honeypot

routing traffic from production server to honeypot


I'm trying to direct malicious traffic intended for my production server to my honeypot. I have 3 VMs for now: a router running Snort in inline mode, a production server (Debian) and my Kippo honeypot. I'm very new to this and I'm looking for ways to filter out bad UDP traffic and then route it to my honeypot. Any help will be appreciated! Thanks in advance.


Solution

  • I'm not aware of a current project that does this, but "baitnswitch" is a much older project that sought to accomplish it. You could certainly do something like the following, however:

    None of this would be difficult. The only warning that I will give you is that when your iptables firewall gets several thousand rules in it, your kernel will start to explode randomly. It's a super good idea to periodically flush these rules out to prevent this from happening.
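As an added illustration of the iptables approach the answer sketches (this is example code, not part of the original question or answer and not from the Snort, Kippo or baitnswitch projects): the script below keeps the honeypot redirects in their own nat chain, adds one UDP DNAT rule per source address that Snort has flagged, and flushes that chain before it grows past a threshold, which is the periodic flush the answer recommends. The interface name, the production and honeypot addresses, the chain name, the threshold and the flagged-address file are all assumptions chosen for the example; the source of the flagged addresses (for instance a list extracted from Snort's alert output) is left to the operator.

```shell
#!/bin/sh
# Added example, not from the original post. Redirects UDP traffic from
# flagged source addresses, originally destined for the production server,
# to a Kippo honeypot using iptables DNAT, and flushes the redirect chain
# before it accumulates thousands of rules.
# Assumed values (constructed for this example): eth0 is the router's
# outside interface, 10.0.0.10 is the production server, 10.0.0.20 is the
# honeypot, flagged addresses arrive one per line in a text file.
set -eu

WAN_IF="${WAN_IF:-eth0}"
PROD_IP="${PROD_IP:-10.0.0.10}"
HONEYPOT_IP="${HONEYPOT_IP:-10.0.0.20}"
CHAIN="${CHAIN:-HONEYPOT_REDIRECT}"   # assumed chain name
MAX_RULES="${MAX_RULES:-2000}"        # flush well before the kernel struggles
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands, 0 = execute them

# Print or execute an iptables command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the redirect chain once and hook it into nat PREROUTING.
setup_chain() {
    run iptables -t nat -N "$CHAIN"
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p udp -d "$PROD_IP" -j "$CHAIN"
}

# Number of rules currently in the redirect chain (0 in dry-run mode).
count_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        echo 0
        return
    fi
    iptables -t nat -S "$CHAIN" 2>/dev/null | grep -c '^-A' || true
}

# Exit status 0 when the chain has reached the threshold and should be flushed.
should_flush() {
    [ "$1" -ge "$MAX_RULES" ]
}

# Drop every redirect rule; conntrack keeps existing flows consistent.
flush_chain() {
    run iptables -t nat -F "$CHAIN"
}

# Accept only dotted-quad IPv4 addresses, silently ignoring anything else.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Add one DNAT rule per flagged address from the given file, flushing
# the chain first if it is already at the threshold.
apply_flagged() {
    file="$1"
    if should_flush "$(count_rules)"; then
        flush_chain
    fi
    while IFS= read -r src || [ -n "$src" ]; do
        case "$src" in ''|'#'*) continue ;; esac
        if ! valid_ipv4 "$src"; then
            echo "skipping invalid address: $src" >&2
            continue
        fi
        run iptables -t nat -A "$CHAIN" -i "$WAN_IF" -p udp -s "$src" \
            -d "$PROD_IP" -j DNAT --to-destination "$HONEYPOT_IP"
    done < "$file"
}
```

Run with `DRY_RUN=1 sh redirect.sh` style invocation after sourcing the functions to see the rules it would add; set `DRY_RUN=0` on the router itself. Only UDP toward the production server is touched, so legitimate flows to other hosts are unaffected, and because the redirects live in their own chain the flush never removes the rest of the firewall.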