Thanks for your reply!
It won't respond to pings without proper
routing. While I was tweaking the routing
table I had some strange incidents. Since
my box has 2 ethernet devices (eth0 10.0.0.1
and eth1 192.168.0.99) sometimes the honeyd
replied to 192.168.0.99 when pinging it. It
looked to me as if the devices which honeyd listened
on were swapped.
Here comes my configuration:
The arpds:
/usr/sbin/arpd -i eth0 10.0.0.0/8
/usr/sbin/arpd -i eth1 10.0.0.0/8
The honeyds:
/usr/bin/honeyd -l /var/log/honeyd.log -p /usr/share/honeyd/nmap.prints -f /usr/share/honeyd/config.my -i eth0 10.0.0.0/8
/usr/bin/honeyd -l /var/log/honeyd.log -p /usr/share/honeyd/nmap.prints -f /usr/share/honeyd/config.my.192 -i eth1 192.168.0.0/16
-----------------------------------------------------
The strange routing table:
The route entries with Gateway 192.168.0.99 are for the honeyd on eth0
listening for 10.0.0.0/8 and the Gateway 10.0.0.1 vice versa for eth1
on net 192.168.0.0/16. This is the strange confusing thing I meant.
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
213.148.128.46  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.0.0.0        10.0.0.1        255.255.255.0   UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     10.0.0.1        255.255.255.0   UG    0      0        0 eth0
10.0.0.0        192.168.0.99    255.255.0.0     UG    0      0        0 eth1
192.168.0.0     10.0.0.1        255.255.0.0     UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
10.0.0.0        192.168.0.99    255.0.0.0       UG    0      0        0 eth1
0.0.0.0         213.148.128.46  0.0.0.0         UG    0      0        0 ppp0
-----------------------------------------------------
Config for 10.0.0.0/8 network:
# Example of a simple host template and its binding
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/8
route 10.0.0.1 add net 10.0.1.0/24 10.0.0.100
route 10.0.0.100 link 10.0.1.0/24
route 10.0.0.100 add net 10.1.0.0/16 10.0.1.100
route 10.0.1.100 link 10.1.0.0/16
...
-----------------------------------------------------
Config for 192.168.0.0/16 network:
# Example of a simple host template and its binding
route entry 192.168.0.99 network 192.168.0.0/16
route 192.168.0.99 link 192.168.0.0/24
route 192.168.0.99 add net 192.168.1.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.5.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.19.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.39.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.64.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.99.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.118.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.143.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.177.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.187.0/24 192.168.0.100
route 192.168.0.100 link 192.168.1.0/24
route 192.168.0.100 link 192.168.5.0/24
route 192.168.0.100 add net 192.168.19.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.39.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.64.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.99.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.118.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.143.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.177.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.187.0/24 192.168.5.100
route 192.168.5.100 link 192.168.19.0/24
route 192.168.5.100 add net 192.168.39.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.64.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.99.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.118.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.143.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.177.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.187.0/24 192.168.19.100
route 192.168.19.100 link 192.168.39.0/24
route 192.168.19.100 add net 192.168.64.0/24 192.168.39.100
route 192.168.19.100 add net 192.168.99.0/24 192.168.39.100
route 192.168.19.100 add net 192.168.118.0/24 192.168.39.100
route 192.168.19.100 add net 192.168.143.0/24 192.168.39.100
route 192.168.19.100 add net 192.168.177.0/24 192.168.39.100
route 192.168.19.100 add net 192.168.187.0/24 192.168.39.100
route 192.168.39.100 link 192.168.64.0/24
route 192.168.39.100 add net 192.168.99.0/24 192.168.64.100
route 192.168.39.100 add net 192.168.118.0/24 192.168.64.100
route 192.168.39.100 add net 192.168.143.0/24 192.168.64.100
route 192.168.39.100 add net 192.168.177.0/24 192.168.64.100
route 192.168.39.100 add net 192.168.187.0/24 192.168.64.100
route 192.168.64.100 link 192.168.99.0/24
route 192.168.64.100 add net 192.168.118.0/24 192.168.99.100
route 192.168.64.100 add net 192.168.143.0/24 192.168.99.100
route 192.168.64.100 add net 192.168.177.0/24 192.168.99.100
route 192.168.64.100 add net 192.168.187.0/24 192.168.99.100
route 192.168.99.100 link 192.168.118.0/24
route 192.168.99.100 add net 192.168.143.0/24 192.168.118.100
route 192.168.99.100 add net 192.168.177.0/24 192.168.118.100
route 192.168.99.100 add net 192.168.187.0/24 192.168.118.100
route 192.168.118.100 link 192.168.143.0/24
route 192.168.118.100 add net 192.168.177.0/24 192.168.143.100
route 192.168.118.100 add net 192.168.187.0/24 192.168.143.100
route 192.168.143.100 link 192.168.177.0/24
route 192.168.143.100 add net 192.168.187.0/24 192.168.177.100
route 192.168.177.100 link 192.168.187.0/24
...
-----------------------------------------------------
Roshen Chandran wrote:
>> Does someone have a recipe how to make the honeyd listen to network
>> traffic on its specified devices without strange and cryptic routing?
>>
>
> You could use the -i option for Honeyd to listen on a specified
> interface
>
> ./honeyd -f honeyd.conf -i eth1
>
>
>> Another problem is that when I redirect traffic from the Internet to a
>> honeyd-host it won't respond to requests (for example telnet).
>>
>
> Does it respond to ping? Could you give more details? The relevant
> section of your honeyd.conf would be useful.
>
> Thanks!
> -Roshen
>
> Roshen Chandran
> Paladion Networks
> http://www.paladion.net
>
Received on Mon Dec 22 2003 - 09:19:42 PST
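
Added example, not part of the original post or of honeyd: a small Python check that applies longest-prefix matching to the kernel routing table quoted in the message and lists gateway routes that send a directly connected network out of the other interface. The function names are hypothetical, the rows are re-typed from the post one per line, and the tie-break between equal-length prefixes is a simplification.

```python
import ipaddress

# Rows of the `route -n` output from the post, re-joined one per line.
ROUTE_N = """\
213.148.128.46 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.0.0.0 10.0.0.1 255.255.255.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 10.0.0.1 255.255.255.0 UG 0 0 0 eth0
10.0.0.0 192.168.0.99 255.255.0.0 UG 0 0 0 eth1
192.168.0.0 10.0.0.1 255.255.0.0 UG 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
10.0.0.0 192.168.0.99 255.0.0.0 UG 0 0 0 eth1
0.0.0.0 213.148.128.46 0.0.0.0 UG 0 0 0 ppp0
"""

def parse_routes(text):
    """Turn `route -n` rows into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0][0].isdigit():
            continue  # skip headers and wrapped fragments
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}")
        routes.append((net, ipaddress.ip_address(f[1]), f[3], f[7]))
    return routes

def egress(routes, dst):
    """Longest-prefix match: interface used to send a packet to `dst`.
    Equal-length prefixes keep table order (a simplification of this example)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[3] if hits else None

def crossed(routes):
    """Gateway routes that pull a directly connected network onto another NIC."""
    connected = [r for r in routes if "G" not in r[2]]
    out = []
    for net, gw, flags, iface in routes:
        if "G" not in flags or net.prefixlen == 0:
            continue  # only non-default gateway routes are of interest
        if any(net.overlaps(c[0]) and c[3] != iface for c in connected):
            out.append((str(net), str(gw), iface))
    return out

if __name__ == "__main__":
    table = parse_routes(ROUTE_N)
    for dst in ("192.168.0.50", "10.0.5.5"):
        print(dst, "->", egress(table, dst))
    for row in crossed(table):
        print("crossed:", *row)
```

Pasting the live output of `route -n` into `ROUTE_N` after each routing change shows whether an address in a honeyd range still leaves through the interface that honeyd instance listens on.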