Honeypots mailing list archives
RE: Running Honeyd
From: Mohan Chirumamilla <mohankc_2002 () yahoo com>
Date: Sat, 19 Mar 2005 09:31:13 -0800 (PST)
Steve,

I had the same problem once and wrote a small program using libpcap and libnet. I am attaching the source files here; use them at your own risk. Basically, with this program you'll have to list the IP addresses that you want to use in a separate file and pass the file name as an argument to the program. From then on, all traffic destined to those IP addresses will be forwarded to the host on which this program is running. So you would want to run this on your honeyd host, or tweak the source code to redirect the traffic to another host.

If this is what you are looking for, here they are. Since this was a program I developed to solve my own problems, it does not have many bells and whistles.

"Roger A. Grimes" <roger () banneretcs com> wrote:

It requires its own IP subnet, as well as IP address.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
***************************************************************************

-----Original Message-----
From: Steve Harvey [mailto:sxh12u () cs nott ac uk]
Sent: Friday, March 18, 2005 8:15 AM
To: honeypots () securityfocus com
Subject: Fw: Running Honeyd

After reading the FAQ I understand that honeyd requires its own IP address, so I decided to set up a virtual IP address as follows:

eth0      Link encap:Ethernet  HWaddr 00:04:75:E9:B9:70
          inet addr:128.243.23.175  Bcast:128.243.23.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:42552 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34748 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:10908297 (10.4 MiB)  TX bytes:3402249 (3.2 MiB)
          Interrupt:5 Base address:0xe800

eth0:1    Link encap:Ethernet  HWaddr 00:04:75:E9:B9:70
          inet addr:128.243.23.174  Bcast:128.243.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:5 Base address:0xe800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:24870 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24870 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1016776 (992.9 KiB)  TX bytes:1016776 (992.9 KiB)

I also understand that honeyd requires traffic to be forwarded to it, as it does not intercept any network traffic, so I used arpd to monitor the IP address of eth0:1:

arpd 128.243.23.174

I can ping the IP address, but when I nmap the address I get the same response as I would if I nmapped eth0, i.e.

PORT   STATE SERVICE
22/tcp open  ssh

Why can I not get arpd to push the traffic to my honeyd? I have noticed that everyone uses arpd for blocks of IP addresses; I cannot really do this, as I want to deploy honeyd on my university network and the security group would not be best impressed if I stole all their unused IPs!

Thanks
Steve Harvey
Attachment:
mysniffer.c
Description: mysniffer.c
CC=gcc
CFLAGS=-g -Wall `/usr/local/Libnet-latest/libnet-config --defines`
CLIBS=-lpcap -lnet

proxyarp: mysniffer.c
	$(CC) $(CFLAGS) mysniffer.c -o proxyarp $(CLIBS)

clean:
	rm *.o
1.2.3.4 2.3.4.5 3.4.5.6
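Mohan's program reads the decoy addresses from a file like the one above. The example below is an added companion check, not his mysniffer.c or any part of honeyd or arpd: it parses an address list of that shape and refuses any address that is already bound to a local interface (aliases such as eth0:1 included), since the kernel's own stack answers for those and a decoy sitting behind a proxy-ARP responder never sees the traffic. The whitespace-separated file format, the "one clash fails the run" policy and the program name checklist are assumptions of this example.

```c
/* Added example, not the mysniffer.c attached to this thread: validate a
 * honeyd/proxy-ARP address list against the host's own interface addresses.
 * Assumed file format: IPv4 addresses separated by whitespace or newlines. */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define MAX_ADDRS 256

/* Parse whitespace-separated dotted-quad addresses from text into out[].
 * Returns the number parsed, or -1 on an invalid entry or too many entries. */
int parse_addr_list(const char *text, struct in_addr *out, int max)
{
    char buf[8192];
    int n = 0;

    if (strlen(text) >= sizeof buf)
        return -1;
    strcpy(buf, text);                      /* strtok needs a writable copy */
    for (char *tok = strtok(buf, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n")) {
        if (n >= max || inet_pton(AF_INET, tok, &out[n]) != 1)
            return -1;
        n++;
    }
    return n;
}

/* Collect the IPv4 addresses bound to local interfaces, aliases included.
 * Returns the count, or -1 if getifaddrs() fails. */
int local_ipv4_addrs(struct in_addr *out, int max)
{
    struct ifaddrs *ifa, *p;
    int n = 0;

    if (getifaddrs(&ifa) != 0)
        return -1;
    for (p = ifa; p != NULL && n < max; p = p->ifa_next)
        if (p->ifa_addr != NULL && p->ifa_addr->sa_family == AF_INET)
            out[n++] = ((struct sockaddr_in *)p->ifa_addr)->sin_addr;
    freeifaddrs(ifa);
    return n;
}

/* Count entries of list[] that also appear in local[], reporting each one:
 * such an address is owned by the kernel, so the decoy would never see it. */
int count_conflicts(const struct in_addr *list, int nlist,
                    const struct in_addr *local, int nlocal)
{
    int clashes = 0;
    char s[INET_ADDRSTRLEN];

    for (int i = 0; i < nlist; i++)
        for (int j = 0; j < nlocal; j++)
            if (list[i].s_addr == local[j].s_addr) {
                inet_ntop(AF_INET, &list[i], s, sizeof s);
                fprintf(stderr, "%s is configured on this host; the kernel, "
                        "not the decoy, would answer for it\n", s);
                clashes++;
                break;
            }
    return clashes;
}

/* Usage: checklist <addrfile>   exits 0 only if no listed address is local */
int main(int argc, char **argv)
{
    static char text[8192];
    struct in_addr list[MAX_ADDRS], local[MAX_ADDRS];
    FILE *f;
    size_t len;
    int nlist, nlocal;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <addrfile>\n", argv[0]);
        return 2;
    }
    if ((f = fopen(argv[1], "r")) == NULL) {
        perror(argv[1]);
        return 2;
    }
    len = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[len] = '\0';

    if ((nlist = parse_addr_list(text, list, MAX_ADDRS)) < 0) {
        fprintf(stderr, "%s: malformed address list\n", argv[1]);
        return 2;
    }
    if ((nlocal = local_ipv4_addrs(local, MAX_ADDRS)) < 0) {
        perror("getifaddrs");
        return 2;
    }
    return count_conflicts(list, nlist, local, nlocal) == 0 ? 0 : 1;
}
```

Run it as `./checklist addrs.txt` on the honeyd host before starting the proxy-ARP responder; a non-zero exit means at least one listed address is one the host itself already owns, and the report on stderr names it.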
Current thread:
- Fw: Running Honeyd Steve Harvey (Mar 18)
- <Possible follow-ups>
- RE: Running Honeyd Roger A. Grimes (Mar 18)
- RE: Running Honeyd Mohan Chirumamilla (Mar 19)