Monkey.org Developments
Honeyd Mailing List: Re: honeyd - single ip address


Re: honeyd - single ip address

From: Hugo Teso Torío <HugoT_at_mkzingenieria.com>
Date: Tue, 16 Dec 2003 17:33:01 +0100

Hi,
arpd <IP>
honeyd -p nmap.prints -f honeyd.conf <IP>

With the above commands, the arpd process will monitor the IP if it's UNUSED;
after that, the honeyd command will set the templates that are in your
honeyd.conf "binded" to that IP; it will also load the nmap.prints, which is
the actual database that the scanning tool Nmap uses to fingerprint
operating systems. You can add "-x xprobe2.prints" to load the database for
xprobe. Your honeyd.conf appears to be correct.

Take into account that what honeyd does is redirect all the "calls" for
the range of IPs you used in the arpd to your box and then interact
depending on the template you assigned to that IP (in honeyd.conf with the
"bind <IP>"). You really don't add a new IP address to your box. Arpd is
used for ARP spoofing; this is what actually monitors the unused IP space
and directs attacks to the Honeyd honeypot.

Take a look at "http://www.securityfocus.com/infocus/1659" for more info; if
that doesn't solve your problem, specify your question a little bit more.

Remember, honeyd doesn't work over used IPs; the FAQ
(http://www.citi.umich.edu/u/provos/honeyd/faq.html) tells you how to use
honeyd without a network.

Best regards

----- Original Message -----
From: "Mario Ohnewald" <mario.ohnewald_at_linux.net>
To: <honeypots_at_securityfocus.com>
Sent: Tuesday, December 16, 2003 4:18 PM
Subject: honeyd - single ip address

> Hello!
> I want to run honeyd on a host which is only allowed to have ONE IP
> address.
> So what I am trying to do now is to set up honeyd to listen to that one IP
> address and some ports like telnet or IIS.
> Is this even possible?
>
> Here is what I did:
> # arpd <IP>
> # honeyd -f honeyd.conf <IP>
>
> My honeyd.conf file:
> -------------------------
> ### Windows computers (default)
> create default
> set default personality "Windows NT 4.0 Server SP5-SP6"
> set default default tcp action reset
> add default tcp port 1110 "sh pop3.sh"
> add default tcp port 125 block
> add default tcp port 121 "sh ftp.sh"
> #add default udp port 139 drop
> set default uptime 3284460
> ### Cisco router
> create router
> set router personality "Cisco 4500-M running IOS 11.3(6) IP Plus"
> add router tcp port 23 "/usr/bin/perl router-telnet.pl"
> set router default tcp action reset
> set router uid 32767 gid 32767
> set router uptime 1327650
> # Bind specific templates to specific IP address
> # If not bound, default to Windows template
> bind <IP> router
>
>
> Cheers, Mario
>
> _____________________________________________________________
> Linux.Net -->Open Source to everyone
> Powered by Linare Corporation
> http://www.linare.com/
>
Received on Tue Dec 16 2003 - 11:57:47 PST
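
As an added example (not part of the original messages and not Honeyd's own code), here is a small pre-flight check for a honeyd.conf like the one quoted above. It flags bind lines that name a template never created and bind addresses found in a caller-supplied list of addresses already in use, the case the reply says honeyd does not work over. The function name, the 192.0.2.x sample addresses, the "switch" template and the used-address list are assumptions.

```python
import ipaddress
import shlex

# Constructed sample based on the thread's honeyd.conf; IPs and "switch" are illustrative.
SAMPLE_CONF = '''
### Windows computers (default)
create default
set default personality "Windows NT 4.0 Server SP5-SP6"
set default default tcp action reset
add default tcp port 1110 "sh pop3.sh"
create router
set router personality "Cisco 4500-M running IOS 11.3(6) IP Plus"
add router tcp port 23 "/usr/bin/perl router-telnet.pl"
bind 192.0.2.10 router
bind 192.0.2.20 switch
bind 192.0.2.1 router
'''

def lint_honeyd_conf(text, used_ips):
    """Return (line_number, message) findings for create/set/add/bind lines.

    used_ips is a hypothetical inventory of addresses held by real hosts.
    Other directives are ignored rather than reported.
    """
    used = {ipaddress.ip_address(ip) for ip in used_ips}
    templates, findings = set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)  # keeps quoted personalities/commands whole
        except ValueError:
            findings.append((no, "unbalanced quote"))
            continue
        if tok[0] == "create" and len(tok) == 2:
            templates.add(tok[1])
        elif tok[0] in ("set", "add") and len(tok) > 2:
            if tok[1] not in templates:
                findings.append((no, f"template '{tok[1]}' used before create"))
        elif tok[0] == "bind" and len(tok) == 3:
            if tok[2] not in templates:
                findings.append((no, f"bind to undefined template '{tok[2]}'"))
            try:
                if ipaddress.ip_address(tok[1]) in used:
                    findings.append((no, f"{tok[1]} is already in use"))
            except ValueError:
                findings.append((no, f"'{tok[1]}' is not an IP address"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_honeyd_conf(SAMPLE_CONF, ["192.0.2.1"]):
        print(f"line {no}: {msg}")
```

Run against the literal `bind <IP> router` placeholder, the check reports the address as invalid, which is a quick way to catch a template file that was never filled in.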


NB: This is a filtered version of the Honeypots mailing list. Only posts that concern Honeyd are shown here. For more recent discussions visit the forums.