Honeyd Sample Configurations

These sample configurations outline features available in Honeyd and show how to instrument different kinds of honeypots.

Wireless Honeypot

This configuration sets up a fake Internet routing topology. Every host on the network is reachable. We provide a web server, a POP server and an SSH server. Both the POP and the SSH server can be used to capture passwords or inject spam email.

Features:

Unreachable networks

route 16.23.166.1 unreach 32.0.0.0/3

Whenever a packet traverses the router 16.23.166.1 to reach network 32.0.0.0/3, Honeyd generates an ICMP network unreachable error message. This feature can be used to create more realistic network topologies.

Default template

create default
set default personality "Linux 2.2.14"
set default default tcp action block
add default udp port 53 "./scripts/dnstool.py"

The default template is used for every packet sent to a destination address that does not have its own template. We can use this to populate all addresses in a network with machines, but we can also use it to block all traffic that goes to a machine without its own template.

Lance Spitzner’s Honeyd Toolkit Configurations

These configurations show how to build a sample network configuration step by step. They show features like multiple entry points and GRE tunnels, and integrate physical hosts into the virtual topology.

Features:

GRE Tunnel

route entry 172.20.254.1 network 10.3.0.0/16
route 172.20.254.1 link 10.3.2.0/24
route 172.20.254.1 add net 10.3.1.0/24 tunnel 172.20.254.1 172.30.254.1

This example allows Honeyd to send packets destined for the 10.3.1/24 network to the remote router 172.30.254.1. You need to make sure that the router is correctly configured to terminate the tunnel. Response packets are received GRE-encapsulated by 172.20.254.1 and inserted into the virtual routing topology.

Tarpit

create sticky
set sticky personality "Mac OS X 10.1 - 10.1.4"
set sticky default tcp action tarpit open
set sticky default udp action block
bind 192.168.1.110 sticky

This example shows a virtual honeypot simulating an insecure and open Mac OS X machine. The template is designed to tarpit (slow down) spammers, worms and autorooters. All ports are open and the tarpit option ensures that any communication is slowed down.
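
Template statements like these are easy to damage when a configuration is copied between documents: a lost line break or a template that is never bound makes the file hard to review. The following Python checker is an added example, not part of the original page or of Honeyd. It assumes one statement per line, recognises only the statement keywords used on this page (create, set, add, bind, route), and the name lint and both sample texts are constructed for illustration.

```python
import shlex

# Assumption: only the statement keywords that appear on this page.
KEYWORDS = {"create", "set", "add", "bind", "route"}

def lint(config_text):
    """Return sorted (line_number, message) findings; one statement per line."""
    created, bound, findings = {}, set(), []
    for num, raw in enumerate(config_text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # quoted names stay one token
        if not tok:
            continue
        kw = tok[0]
        if kw not in KEYWORDS:
            findings.append((num, f"line does not start with a keyword: {kw!r}"))
            continue
        # "route ... add net ..." legitimately contains a keyword, so skip it.
        if kw != "route" and any(t in KEYWORDS for t in tok[1:]):
            findings.append((num, "more than one statement on this line"))
        if kw == "create" and len(tok) > 1:
            created[tok[1]] = num
        elif kw in ("set", "add") and len(tok) > 1 and tok[1] not in created:
            findings.append((num, f"template {tok[1]!r} used before create"))
        elif kw == "bind":
            if len(tok) < 3 or tok[2] not in created:
                findings.append((num, "bind does not name a created template"))
            else:
                bound.add(tok[2])
    for name, num in created.items():
        if name != "default" and name not in bound:
            findings.append((num, f"template {name!r} has no bind statement"))
    return sorted(findings)

# Constructed sample: a tarpit template whose line breaks were lost in copying.
BROKEN = '''create sticky
set sticky personality "Mac OS X 10.1 - 10.1.4"
set sticky default tcp action tarpit open set
sticky default udp action block bind 192.168.1.110 sticky
'''
# Constructed sample: the same statements, one per line.
FIXED = '''create sticky
set sticky personality "Mac OS X 10.1 - 10.1.4"
set sticky default tcp action tarpit open
set sticky default udp action block
bind 192.168.1.110 sticky
'''

if __name__ == "__main__":
    print(*lint(BROKEN), sep="\n")
```

Run on BROKEN it reports lines 1, 3 and 4; on FIXED it reports nothing.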


More feature explanations and configurations coming soon.