Some configurations that outline features available in Honeyd. We show how to instrument different kinds of honeypots.
This configuration sets up a fake Internet routing topology. Every host on the network is reachable. We provide a web server, a pop server and an ssh server. Both the pop and the ssh server can be used to capture passwords or inject spam email.
    route 18.104.22.168 unreach 22.214.171.124/3

Whenever a packet traverses the router 126.96.36.199 to reach network 188.8.131.52/3, Honeyd generates an ICMP network unreachable error message. This feature can be used to create more realistic network topologies.
    create default
    set default personality "Linux 2.2.14"
    set default default tcp action block
    add default udp port 53 "./scripts/dnstool.py"
The default template is used for every packet sent to a destination address that does not have its own template. We can use this to populate all addresses in a network with machines, but we can also use it to block all traffic that goes to a machine without its own template.
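The pop server above and the dnstool.py script bound to UDP port 53 are both Honeyd service scripts: Honeyd starts one instance per connection and hands it the client's bytes on stdin, sending whatever the script writes to stdout back to the client. The following POP3 emulator is an added example written in that style, not a script shipped with Honeyd. It refuses every login so the honeypot never appears to hold a mailbox, while recording each USER/PASS pair offered. The HONEYD_IP_SRC environment variable used for the peer address is an assumption; the script falls back to "unknown" when it is absent, and writes its log lines to stderr so they never reach the client.

```python
#!/usr/bin/env python3
# Minimal POP3 emulation in the style of a Honeyd service script.
# Added example, not part of the Honeyd distribution. The TCP stream
# arrives on stdin/stdout; HONEYD_IP_SRC (assumed) carries the peer address.
import os
import sys

CRLF = "\r\n"


class Pop3Emulator:
    """Answer POP3 commands one line at a time and record login attempts.

    Every PASS is refused, but the (source, user, password) triple the
    client offered is appended to `attempts` for the honeypot's log.
    """

    def __init__(self, src):
        self.src = src
        self.user = None
        self.attempts = []
        self.closed = False

    def greeting(self):
        return "+OK POP3 server ready"

    def reply(self, line):
        """Return the server response for one client line."""
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "USER":
            self.user = arg
            return "+OK"
        if cmd == "PASS":
            self.attempts.append((self.src, self.user or "", arg))
            self.user = None
            return "-ERR invalid login"
        if cmd == "QUIT":
            self.closed = True
            return "+OK bye"
        if cmd in ("CAPA", "NOOP"):
            return "+OK"  # harmless commands get a plausible reply
        return "-ERR not logged in"


def log_line(attempt):
    """One log record per captured credential pair."""
    src, user, password = attempt
    return "pop3 login attempt from %s user=%r pass=%r" % (src, user, password)


def main():
    src = os.environ.get("HONEYD_IP_SRC", "unknown")  # assumed Honeyd variable
    emu = Pop3Emulator(src)
    sys.stdout.write(emu.greeting() + CRLF)
    sys.stdout.flush()
    for line in sys.stdin:
        seen = len(emu.attempts)
        resp = emu.reply(line)
        sys.stdout.write(resp + CRLF)
        sys.stdout.flush()
        if len(emu.attempts) > seen:
            sys.stderr.write(log_line(emu.attempts[-1]) + "\n")
        if emu.closed:
            break


if __name__ == "__main__":
    main()
```

To use it the way dnstool.py is used above, a template would carry a line such as `add default tcp port 110 "./scripts/pop3.py"` (the path is a constructed placeholder); where the stderr log lands is a deployment choice.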
Lance Spitzner’s Honeyd Toolkit Configurations
These configurations show how to build a sample network configuration step by step. They show features like multiple entry points and GRE tunnels, and integrate physical hosts into the virtual topology.
    route entry 172.20.254.1 network 10.3.0.0/16
    route 172.20.254.1 link 10.3.2.0/24
    route 172.20.254.1 add net 10.3.1.0/24 tunnel 172.20.254.1 172.30.254.1
This example makes Honeyd send packets destined for the 10.3.1/24 network through a GRE tunnel to the remote router 172.30.254.1. You need to make sure that router is correctly configured to terminate the tunnel. Response packets are received GRE encapsulated by 172.20.254.1 and inserted into the virtual routing topology.
    create sticky
    set sticky personality "Mac OS X 10.1 - 10.1.4"
    set sticky default tcp action tarpit open
    set sticky default udp action block
    bind 192.168.1.110 sticky
This example shows a virtual honeypot simulating an insecure and open Mac OS X machine. The template is designed to tarpit (slow down) spammers, worms and autorooters. All ports are open and the tarpit option ensures that any communication is slowed down.
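The four fragments above (the unreachable route, the default template, the GRE tunnel topology and the sticky tarpit template) are easiest to reason about with a small simulator that parses them and answers the two questions a configuration author wants checked before loading: which template, and which action or script, handles a packet to a given address and port, and what a virtual router does with a packet to a given destination. The following is an added example, not Honeyd's own parser, and covers only the directives shown on this page. Its sample configuration is constructed by assembling those fragments; longest-prefix route matching, the "drop" result for an address with no template, and the "unspecified" result when a template sets no default action are the simulator's assumptions, not documented Honeyd behaviour.

```python
#!/usr/bin/env python3
# Parser and dispatch simulator for the subset of the Honeyd configuration
# language used on this page. Added example, not Honeyd's own code; the
# directives not shown on the page are rejected rather than guessed at.
import ipaddress
import shlex


def network(s):
    return ipaddress.ip_network(s, strict=False)


class HoneydConfig:
    def __init__(self):
        self.templates = {}  # name -> {"personality", "default": {proto: action}, "ports": {(proto, port): script}}
        self.bindings = {}   # ip_address -> template name
        self.routers = {}    # router ip (str) -> {"entry", "links", "tunnels", "unreach"}

    def template(self, name):
        if name not in self.templates:
            raise ValueError("template %r used before 'create'" % name)
        return self.templates[name]

    def router(self, ip):
        return self.routers.setdefault(ip, {"entry": None, "links": [], "tunnels": [], "unreach": []})


def parse_config(text):
    cfg = HoneydConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        w = shlex.split(line)  # honours the quotes around personality names and script paths
        try:
            if w[0] == "create":
                cfg.templates[w[1]] = {"personality": None, "default": {}, "ports": {}}
            elif w[0] == "set" and w[2] == "personality":
                cfg.template(w[1])["personality"] = w[3]
            elif w[0] == "set" and w[2] == "default" and w[4] == "action":
                cfg.template(w[1])["default"][w[3]] = " ".join(w[5:])  # "block", "tarpit open", ...
            elif w[0] == "add" and w[3] == "port":
                cfg.template(w[1])["ports"][(w[2], int(w[4]))] = w[5]
            elif w[0] == "bind":
                cfg.template(w[2])
                cfg.bindings[ipaddress.ip_address(w[1])] = w[2]
            elif w[0] == "route" and w[1] == "entry":
                cfg.router(w[2])["entry"] = network(w[4])
            elif w[0] == "route" and w[2] == "link":
                cfg.router(w[1])["links"].append(network(w[3]))
            elif w[0] == "route" and w[2] == "unreach":
                cfg.router(w[1])["unreach"].append(network(w[3]))
            elif w[0] == "route" and w[2:4] == ["add", "net"] and w[5] == "tunnel":
                cfg.router(w[1])["tunnels"].append((network(w[4]), w[6], w[7]))
            else:
                raise ValueError("directive not modelled by this simulator")
        except (IndexError, ValueError) as e:
            raise ValueError("line %d (%s): %s" % (lineno, line, e)) from None
    return cfg


def template_for(cfg, dst):
    """Explicit bind wins; otherwise the 'default' template if created; else None (dropped)."""
    name = cfg.bindings.get(ipaddress.ip_address(dst))
    if name is None and "default" in cfg.templates:
        name = "default"
    return name


def service_for(cfg, dst, proto, port):
    """Script bound to proto/port, else the template's default action for proto."""
    name = template_for(cfg, dst)
    if name is None:
        return "drop"
    t = cfg.templates[name]
    return t["ports"].get((proto, port), t["default"].get(proto, "unspecified"))


def route_for(cfg, router, dst):
    """Longest-prefix match over the router's unreach, link and tunnel entries (assumed)."""
    r = cfg.routers.get(router)
    if r is None:
        return ("unknown-router", None)
    dst = ipaddress.ip_address(dst)
    candidates = [(n, "icmp-net-unreach", str(n)) for n in r["unreach"]]
    candidates += [(n, "link", str(n)) for n in r["links"]]
    candidates += [(n, "gre-tunnel", remote) for n, _src, remote in r["tunnels"]]
    best = None
    for n, kind, detail in candidates:
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, kind, detail)
    return (best[1], best[2]) if best else ("no-route", None)


# Constructed sample: the fragments from this page joined into one file.
SAMPLE_CONFIG = """
route 18.104.22.168 unreach 22.214.171.124/3
route entry 172.20.254.1 network 10.3.0.0/16
route 172.20.254.1 link 10.3.2.0/24
route 172.20.254.1 add net 10.3.1.0/24 tunnel 172.20.254.1 172.30.254.1
create default
set default personality "Linux 2.2.14"
set default default tcp action block
add default udp port 53 "./scripts/dnstool.py"
create sticky
set sticky personality "Mac OS X 10.1 - 10.1.4"
set sticky default tcp action tarpit open
set sticky default udp action block
bind 192.168.1.110 sticky
"""
```

Running `parse_config(SAMPLE_CONFIG)` and then `service_for(cfg, "192.168.1.110", "tcp", 25)` returns "tarpit open" for the bound sticky host, while an unbound address such as 10.3.2.7 falls through to the default template, where UDP 53 is answered by ./scripts/dnstool.py and every TCP port is blocked; `route_for(cfg, "172.20.254.1", "10.3.1.9")` reports the GRE tunnel to 172.30.254.1. A `set` or `bind` that names a template before its `create` is reported with its line number instead of being silently accepted.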
More feature explanation and configurations coming soon.