Sample Configurations
These sample configurations outline features available in Honeyd.
We show how to instrument different kinds of honeypots.
Wireless Honeypot
This configuration sets up a fake Internet routing topology.
Every host on the network is reachable. We provide a web
server, a POP server and an SSH server. Both the POP and the
SSH server can be used to capture passwords or inject spam
email.
Features:
Unreachable networks
route 16.23.166.1 unreach 32.0.0.0/3
Whenever a packet traverses the router 16.23.166.1 to
reach network 32.0.0.0/3, Honeyd generates an ICMP
network unreachable error message. This feature can be used to create more
realistic network topologies.
Default template
create default
set default personality "Linux 2.2.14"
set default default tcp action block
add default udp port 53 "./scripts/dnstool.py"
The default template is used for every packet sent to a destination
address that does not have its own template. We can use this to
populate all addresses in a network with machines, but we can also use
it to block all traffic that goes to a machine without its own
template.
Lance Spitzner's Honeyd Toolkit Configurations
These configurations show how to build a sample network configuration
step by step. They show features like multiple entry points and GRE tunnels,
and integrate physical hosts into the virtual topology.
Features:
GRE Tunnel
route entry 172.20.254.1 network 10.3.0.0/16
route 172.20.254.1 link 10.3.2.0/24
route 172.20.254.1 add net 10.3.1.0/24 tunnel 172.20.254.1 172.30.254.1
This example lets Honeyd send packets destined for the
10.3.1.0/24 network to the remote router
172.30.254.1. You need to make sure that router
is correctly configured to terminate the tunnel. Response packets
arrive GRE-encapsulated at 172.20.254.1 and are inserted
into the virtual routing topology.
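As an added example (not part of the original page or the Honeyd distribution), the following Python code parses the route statements shown above and reports what a virtual router would do with a packet for a given destination: ICMP network unreachable, GRE tunnel, or delivery on a directly linked network. The function names, the per-router lookup and the most-specific-prefix rule are assumptions of this example, not Honeyd internals, and the sample text combines lines from both configurations for illustration.

```python
import ipaddress

# Constructed sample: route statements quoted on this page, combined from
# both sample configurations for illustration only.
SAMPLE = """
route entry 172.20.254.1 network 10.3.0.0/16
route 172.20.254.1 link 10.3.2.0/24
route 172.20.254.1 add net 10.3.1.0/24 tunnel 172.20.254.1 172.30.254.1
route 16.23.166.1 unreach 32.0.0.0/3
"""

def parse_routes(text):
    """Return {router_ip: [(network, action, detail), ...]}."""
    tables = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "route" or tok[1] == "entry":
            continue  # the entry statement names the entry router; it is not a rule
        router, verb = ipaddress.ip_address(tok[1]), tok[2]
        if verb in ("link", "unreach"):
            rule = (ipaddress.ip_network(tok[3]), verb, None)
        elif verb == "add" and tok[3] == "net" and len(tok) >= 8 and tok[5] == "tunnel":
            rule = (ipaddress.ip_network(tok[4]), "tunnel", (tok[6], tok[7]))
        else:
            continue  # other forms (plain gateways, latency, loss) are out of scope
        tables.setdefault(router, []).append(rule)
    return tables

def resolve(tables, router, dst):
    """Action the given virtual router takes for dst (assumed: most specific prefix wins)."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in tables.get(ipaddress.ip_address(router), []) if dst in r[0]]
    if not matches:
        return "no-route"
    net, action, detail = max(matches, key=lambda r: r[0].prefixlen)
    if action == "unreach":
        return "icmp-network-unreachable"
    if action == "tunnel":
        return f"gre-tunnel {detail[0]} -> {detail[1]}"
    return f"deliver-on-link {net}"

if __name__ == "__main__":
    tables = parse_routes(SAMPLE)
    for router, dst in [("16.23.166.1", "40.1.2.3"), ("172.20.254.1", "10.3.1.7"),
                        ("172.20.254.1", "10.3.2.9"), ("172.20.254.1", "10.3.9.9")]:
        print(router, dst, "=>", resolve(tables, router, dst))
```

Running the same lookup over a full configuration before deployment is a quick way to confirm that each honeypot subnet ends up tunnelled, linked or unreachable as intended.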
Tarpit
create sticky
set sticky personality "Mac OS X 10.1 - 10.1.4"
set sticky default tcp action tarpit open
set sticky default udp action block
bind 192.168.1.110 sticky
This example shows a virtual honeypot simulating an insecure and open
Mac OS X machine. The template is designed to tarpit (slow down)
spammers, worms and autorooters. All ports are open and the
tarpit option ensures that any communication is slowed
down.
More feature explanations and configurations coming soon.