Is there a universal TCP/IP responding server

MonkeyK

Golden Member
May 27, 2001
1,396
8
81
I am looking for a tool that responds to TCP/IP requests on a large number of common ports. Does something like this exist?

I hope to use it so that I can direct traffic identified as suspicious to that server and capture as much of the request info as possible.
 

mv2devnull

Golden Member
Apr 13, 2010
1,503
145
106
Linux firewall, aka netfilter, is a list of packet match rules. If a packet matches the criteria of a rule, then the rule performs an action (such as write details to a log file).

The easiest criterion is "match all", but one can narrow that down to "match all TCP packets".

Programs like SNORT can do more -- to look into the payload (content of the packet) in addition to address, etc. that the netfilter focuses on.
 

MonkeyK

Golden Member
May 27, 2001
1,396
8
81
I could be completely off, because I am pretty new to this stuff, so here is what is happening...
I have a network rule that sends any DNS requests associated with Malware to a specific IP address (this is called a sinkhole). But since the IP address is not actually configured to accept the traffic, the send is never completed and it doesn't get a chance to log the URL.
I do get the IP address making the request, but I would like the sinkhole to accept the traffic so that I can capture the rest of it.
Can a tool like SNORT capture request details if nothing is configured to receive the traffic?
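A sinkhole that completes the TCP handshake, as the thread asks for, sketched here as an added example that is not from any poster: it listens on several ports, reads the first bytes the client sends, and logs the source address plus the HTTP request line and Host header when the payload is plain HTTP. The port list, the function names and the sample requests in the test are assumptions; TLS traffic only shows up as a hex preview of the ClientHello.

```python
import asyncio
import json
import time

PORTS = [8080, 8443, 2525]  # assumed sample ports; ports below 1024 need root


def summarize(peer, dport, data):
    """Turn the first bytes a client sent into one log record."""
    rec = {"ts": int(time.time()), "src": peer[0], "sport": peer[1],
           "dport": dport, "bytes": len(data), "preview": data[:64].hex()}
    lines = data.split(b"\r\n")
    parts = lines[0].split(b" ")
    # Plain HTTP: the request line is "METHOD PATH HTTP/x.y"
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        rec["method"] = parts[0].decode("latin-1")
        rec["path"] = parts[1].decode("latin-1")
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                rec["host"] = value.strip().decode("latin-1")
                break
    return rec


async def handle(reader, writer, log):
    """Accept the connection, read one chunk, log it, close."""
    peer = writer.get_extra_info("peername")
    dport = writer.get_extra_info("sockname")[1]
    try:
        data = await asyncio.wait_for(reader.read(4096), timeout=5)
    except (asyncio.TimeoutError, ConnectionError):
        data = b""  # client connected but sent nothing usable
    log(summarize(peer, dport, data))
    writer.close()


async def serve(ports, log, host="0.0.0.0"):
    """Listen on every port in `ports`; nothing is ever sent back."""
    servers = [await asyncio.start_server(
        lambda r, w: handle(r, w, log), host, p) for p in ports]
    await asyncio.gather(*(s.serve_forever() for s in servers))


if __name__ == "__main__":
    asyncio.run(serve(PORTS, lambda rec: print(json.dumps(rec), flush=True)))
```

Run it on the host that owns the sinkhole IP; each accepted connection produces one JSON line on stdout.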
 