Honeypots mailing list archives
Re: Virtual Honeynets under VMWare in Windows (troubleshooting)
From: Tom Fischer <mcalpine () openzilla de>
Date: Thu, 10 Feb 2005 22:09:16 +0100

It's a different approach, but maybe it can help you:
http://www.smokinggun.de/index.php?p=78

Especially point 6 seems interesting for you.

Barrett Weisshaar wrote:

Hello All,

As part of a research project, I've recently decided to take a crack at setting up a virtual honeynet (Gen II) on my desktop system. Essentially, it's a Windows XP desktop with 1 gig of memory and about 50 gigs of free disk, 2.6 GHz proc, etc. - a reasonable system for running a few virtual honeypots.

Now, as my basis for documentation I am using the configuration found at the Pakistan Honeynet Project (http://www.honeynet.org.pk/honeywall/index.htm), since the Spanish documentation seems to focus on a hybrid solution instead. The site unfortunately is geared towards a Linux host for VMware, and this is (I think) the source of my current issues.

In short, all my internal honeypots can ping each other, but they cannot ping any outside hosts on the network. The Honeywall itself doesn't seem to complain too much, happily logging data as I attempt to ping the default gateway and such from each host.

My current VMware network interface setup is this:

VMNet0: bridged to host
VMNet1: host-only

In theory, the Honeywall is supposed to have one bridged connection (vmnet0), one host-only connection (vmnet1), and all honeypots are set to host-only (vmnet1). For some reason unbeknownst to me, Windows keeps trying to assign VMnet1 an IP address (why it shows up in the host OS's network connections, I don't know). Actually, it seems to be VMware doing it, which seems odd since I had assumed that would be left to the guest OS. I even tried disabling the TCP stack with no luck.

Even more strangely, if I set the subnet of VMNet1 to the same as the outside network (I'm testing this on a closed network behind a router before I unleash it in the wild), it assigns itself the first IP address in that mask, which ends up being pingable from the honeypot machines! If this is supposed to just be a dummy layer 2 link between the Wall and the honeypots, why is this happening?

Basically, I'm convinced I'm missing a step, and since the only docs I have to go on document setting things up for Linux VMware, I feel I must be missing a step. Has anyone gone through this that could steer me in the right direction? I'd hate to have to run a VMware machine naked and rely on forensics alone to determine the outcome (kinda defeats the purpose of this whole project).

Regards,
-Barrett