Honeypots mailing list archives

Re: Help in deciphering config rules..


From: Graeme Connell <gconnell () middlebury edu>
Date: 21 Apr 2004 19:55:13 -0000

In-Reply-To: <Pine.LNX.4.56.0404201319590.8723 () pali cps cmich edu>

Just got interested in honeyd. I found sample config files
on www.honeyd.org. I understand the route stuff but have a
little problem with info like:
...
add default udp port 53 "./scripts/dnstool.py"
add default tcp port 25 "scripts/smtp.pl -n <youremailaddresshere>"
add default tcp port 80 "./scripts/iis5.net/main.pl"
...

On the first line with add: "./scripts/dnstool.py" -- I assume it is a
python script. Where does it come from? Do I have to write one? If so,
what goes in there (a sample will help)?

The lines you quoted are ports where honeyd sends incoming data to scripts.
Scripts are (I believe) any executable program, although most are just perl, shell, or python scripts.
Incoming data is communicated through STDIN, and outgoing data with STDOUT.
For example, in a simple shell script, the script

  #!/bin/bash
  # honeyd hands the connection's data to us on STDIN, one line at a time;
  # whatever we write to STDOUT goes back to the remote host.
  # -r keeps backslashes literal; IFS= keeps leading whitespace.
  while IFS= read -r line
  do
     # quoted so the line is echoed back unchanged (no globbing or word splitting)
     echo "$line"
  done

will produce output as follows:
(telnet session established by user "username" from directory "dir")

username dir # telnet IPADDR HONEYPORT
Trying 140.233.205.31...
Connected to resnet-d-31.middlebury.edu (140.233.205.31).
Escape character is '^]'.
this is typed in input
this is typed in input
notice how whatever is input is returned
notice how whatever is input is returned
that's because every line read is sent back to STDOUT
that's because every line read is sent back to STDOUT
^]

telnet> close
Connection closed.
username dir #

This is the type of input you'd see if IPADDR was part of honeyd and its port HONEYPORT was directed to the simple script above.
To create more complex scripts, for instance scripts that log sessions to files, you can use the variables $ipsrc,
$ipdst, $sport, and $dport in the honeyd config file as arguments for your scripts.
The syntax to pass the source IP to our simple script on port 23 would be

# port 23 (telnet) is TCP, which is what the telnet session above connected over
add default tcp port 23 "./simplescript.sh $ipsrc"

A simple redoing of our script can log output to a file based on the ip source:

  #!/bin/bash
  # $1 is the source IP that honeyd substitutes for $ipsrc on the config line
  while IFS= read -r line
  do
     # one log file per source address; quoted so odd input can't be split or globbed
     echo "$line" >> "/LOGDIR/$1"
  done

This will create and append to a separate filename (the IP address) and record all data passed to port 23 through a session.

Hope this helps,

    Graeme Connell
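A fuller version of the logging script from the reply above, written as an added example (not code from the original post or from honeyd itself). It assumes a config line of the form `add default tcp port 23 "./logsession.sh $ipsrc $sport $ipdst $dport"`, so honeyd passes all four connection values as arguments; the log directory and the `handle_session` function name are this example's own choices. Because the data it logs is typed by whoever connects, it strips non-printable bytes before writing, so escape sequences sent by the remote side cannot mangle the terminal of the analyst who later reads the log.

```shell
#!/bin/bash
# Added example, not from the original post: a honeyd service script that
# echoes input back like the simple one above, but keeps one log per source
# address using the values honeyd substitutes for $ipsrc $sport $ipdst $dport.
# Assumed config line:
#   add default tcp port 23 "./logsession.sh $ipsrc $sport $ipdst $dport"

# handle_session SRC_IP SRC_PORT DST_IP DST_PORT [LOGDIR]
# Reads the connection's data from stdin, echoes it back on stdout (which
# honeyd sends to the client), and appends each line to LOGDIR/SRC_IP.
handle_session() {
    local src="$1" sport="$2" dst="$3" dport="$4"
    local logdir="${5:-/var/log/honeyd-sessions}"   # assumed default location
    local logfile="$logdir/$src"
    mkdir -p "$logdir"
    # Session header with a UTC timestamp so entries can be correlated
    # with honeyd's own log and with packet captures.
    printf '%s session %s:%s -> %s:%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$src" "$sport" "$dst" "$dport" >> "$logfile"
    # -r keeps backslashes literal; IFS= keeps leading whitespace.
    while IFS= read -r line; do
        # Echo the line back to the client exactly as the simple script did.
        printf '%s\n' "$line"
        # Log a printable-only copy (tabs allowed): control characters and
        # escape sequences from the remote side never reach the log file.
        printf '%s\n' "$(printf '%s' "$line" | tr -cd '[:print:]\t')" >> "$logfile"
    done
}

# honeyd runs this script with the four substituted arguments; handle the
# session only in that case, so sourcing the file for tests does nothing.
if [ "$#" -ge 4 ]; then
    handle_session "$@"
fi
```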
