Re: A simple questions on redirecting USER_IN_DEF_WHITELIST autolearn=no version=2.63

From: <gconnell_at_middlebury.edu>
Date: 29 Mar 2004 06:32:22 -0000

('binary' encoding is not supported, stored as-is) In-Reply-To: <20040204090709.30824.qmail_at_web21409.mail.yahoo.com>

I may be misunderstanding your question, but it seems to me that all you need is arpd. arpd is a simple little program that looks at arp requests sent out by computers to IP addresses. If an IP is owned by a computer, it will respond to the request with an "arp response" packet saying where the computer is. If no computer responds within a certain time limit (3 secs?), arpd sends its own response, redirecting traffic to your computer (ie: honeypot).

On the honeyd web page,
http://www.citi.umich.edu/u/provos/honeyd/
go down under the Source Code heading, and you'll see a link for the source for arpd 0.2. Compile and install that, then check out the arpd man page, and you should be set.

    --Cleverduck

>HI All,
>
> I am a beginner in using honeypot(honeyd) and I need
>to work it as my final year project. But I have
>encountered a big problems.
> Basically, I can deploy Honeyd but the question is
>how to redirect "malicious" trafic or IP to my
>honeypot?
> One method is to config Iptables but I don't who is
>going to attack me.So, I don't know the IP. Does it
>mean I need to combine snort and honeyd work together?
>or something like "intelligence" firewall? Any ideas?
> Please help!:)
>
>Fred
>
>PS My configuration
>Internet----Firewall----local network---honeypot
>Honeypot: Honeyd
>Platform: Linux(kernel >2.4)
Received on Mon Mar 29 2004 - 02:09:11 PST