Monkey.org Developments
Honeyd Mailing List: Re: Honeyd 0.7a Linux Toolkit - beta1

Re: Honeyd 0.7a Linux Toolkit - beta1

From: Manuel Lanctot <pacu_at_sympatico.ca>
Date: Tue, 16 Dec 2003 19:43:06 -0500

Hi,

I've been using honeyd 5.0 for a while and was quite happy. I upgraded
recently to 0.7a and I've noticed two "typos" in honeyd.conf.bloat:
Line 104 & 111: The "add relay tcp port 111" line seems to be repeated twice
in the middle of the suse80 setup.

Honeyd is great and I have a lot of fun playing with, trying different
configurations. I have a question though.
I am between a D-Link router, which assigns a 192.168.0.x address to my three
boxes behind it; one of them is a dedicated honeypot. So let's say my router
is 192.168.0.1, my webserver is 192.168.0.2, my desktop 192.168.0.4 and my
honeypot 192.168.0.4. Arpd grabs everything from 192.168.0.5 to .255. Correct
me if I'm wrong but it doesn't make a lot of sense since these addresses
aren't available from outside my network.
So if I emulate 3 different mail servers, let's say on .10, .11 and .12 - I
have to actually redirect traffic to port 25 in my router configuration to
one of them; I can't use them all. Scanning that network doesn't give much
because nmap says it's a subnet... That's why honeyd currently runs a
webserver on some address, an open proxy on another, LDAP on another, etc. Am
I right?

Another thing. I'm currently routing the traffic at the router level (port 25
-> .10, port 3128 -> .11, etc.) and my honeyd box itself has any traffic
directed to it. Would it be better to redirect all the incoming traffic to
the honeyd box (192.168.0.4) and let arpd re-redirect it to the right spoofed
local address?

Almost last thing, which is a suggestion for the dev team. I'd like to see a
way to log by host, or by port. Right now, my logs are mostly filled with
port 135 connections and everything else is in the same file. I'd like to
have a way to say something like
log winbox 192.168.0.100 /var/log/0.100.log
in the honeyd .conf - or even something like:
add box tcp port 110 "/bin/sh scripts/pop3.sh" log "/var/log/port110.log"

Last thing, finally. I'm curious as to how exactly the "tarpit" function
works. I guess it's by setting the window to 0. If it's the case, I prefer
tarpitting to the iptables level. :) (though it's quite interesting when used
with "dynamic").

Enough for now, keep up the good work Lance et al.

--
Manuel Lanctot

On December 15, 2003 10:55 pm, Lance Spitzner wrote:
> One of my personal goals is to make it easier to use the
> advanced capabilities of Honeyd.  The new 0.7a Honeyd
> Toolkit is an attempt to do just that.  The Toolkit
> contains the following:
>
>  - Statically compiled Honeyd and Arpd binaries
>    (X86 Linux) and start-up scripts for easier
>    deployment.
>
>  - Collection of as many emulated services and scripts
>    I could find.  These scripts are organized based on
>    the OS they emulate, to make it easier to deploy
>    virtual honeypots.  If you know of any more, and would
>    like them added, please let me know.
>
>  - Honeyd.conf.bloat.  A configuration file that attempts
>    to create and demonstrate as many different templates
>    as possible.
>
> The Toolkit can definitely use some help, including new
> templates, added scripts, and any words of guidance or
> wisdom based on your experience.  You can give it a whirl
> at
>
>    http://www.tracking-hackers.com/solutions/honeyd/
>
> Any suggestions, contributions, or bugs greatly
> appreciated.
>
> Thanks!
>
> lance
Received on Tue Dec 16 2003 - 21:26:07 PST
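The "log by host, or by port" request in the message above can be approximated today by post-processing Honeyd's connection log. The following is an added example, not code from the original post or from the Honeyd project: it parses connection-start records, buckets them by destination port and by honeypot address, and can write each bucket to its own file, so that the port 135 noise the author mentions no longer drowns out everything else. The record layout it assumes (timestamp, protocol, S/E/- flag, source address and port, destination address and port, optional fingerprint) is an assumption about Honeyd's packet log format, and the sample lines are constructed, not captured data.

```python
"""
Added example: split a Honeyd-style connection log into per-port and
per-honeypot buckets.  Not part of the Honeyd project or the original post.

Assumed record format (an assumption, not taken from Honeyd's documentation):
  <timestamp> <proto>(<num>) <S|E|-> <src_ip> <src_port> <dst_ip> <dst_port> [<fingerprint>]
"""
import os
import re
import tempfile
from collections import defaultdict

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\(\d+\)\s+(?P<state>[SE-])\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)"
)

# Constructed sample records in the assumed format (not real captured traffic).
SAMPLE_LOG = """\
2003-12-16-19:43:06.123 tcp(6) S 10.0.0.7 3391 192.168.0.10 25 [Windows XP]
2003-12-16-19:43:07.456 tcp(6) S 10.0.0.7 3392 192.168.0.100 135 [Windows XP]
2003-12-16-19:43:08.789 tcp(6) E 10.0.0.7 3391 192.168.0.10 25: 120 1540
2003-12-16-19:43:09.001 tcp(6) S 10.0.0.9 4001 192.168.0.100 135
2003-12-16-19:43:10.002 udp(17) S 10.0.0.9 4002 192.168.0.11 137
this line is not a log record
"""


def parse_line(line):
    """Return a dict for one record, or None if the line is not a record."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def split_log(text):
    """Group connection-start ('S') records by (proto, dst port) and by honeypot address.

    Returns (by_port, by_host, skipped) where skipped counts unparseable lines.
    End ('E') and stateless ('-') records are parsed but not counted as new
    connections, so a connection is attributed to exactly one bucket.
    """
    by_port = defaultdict(list)
    by_host = defaultdict(list)
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["state"] != "S":
            continue
        by_port[(rec["proto"], rec["dport"])].append(line)
        by_host[rec["dst"]].append(line)
    return by_port, by_host, skipped


def noisiest_port(by_port):
    """(proto, port) with the most connection starts, e.g. the port 135 scanners."""
    return max(by_port, key=lambda k: len(by_port[k]))


def write_buckets(by_port, by_host, directory):
    """Write one file per port and per honeypot, mirroring the wished-for
    'log ... /var/log/port110.log' directive.  Returns the file names written."""
    written = []
    for (proto, port), lines in sorted(by_port.items()):
        path = os.path.join(directory, "port%d-%s.log" % (port, proto))
        with open(path, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        written.append(path)
    for host, lines in sorted(by_host.items()):
        path = os.path.join(directory, "host-%s.log" % host.replace(".", "_"))
        with open(path, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        written.append(path)
    return written


if __name__ == "__main__":
    by_port, by_host, skipped = split_log(SAMPLE_LOG)
    for key in sorted(by_port):
        print("%s/%d: %d connection(s)" % (key[0], key[1], len(by_port[key])))
    print("noisiest:", noisiest_port(by_port), "skipped lines:", skipped)
    outdir = tempfile.mkdtemp(prefix="honeyd-split-")
    for path in write_buckets(by_port, by_host, outdir):
        print("wrote", path)
```

Running it on the constructed sample reports two connection starts to tcp/135 against 192.168.0.100 and one each to tcp/25 and udp/137, and writes a separate file per port and per honeypot address into a temporary directory; pointing `split_log` at a real log file (read as text) gives the same per-port and per-host breakdown. Only the 'S' records are counted, so the 'E' record for the port 25 session does not inflate the totals.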

NB: This is a filtered version of the Honeypots mailing list. Only posts that concern Honeyd are shown here. For more recent discussions visit the forums.