Monkey.org Developments
Honeyd Mailing List

Honeyd Resources

Main - News - Forums 
Download Releases
General Information [Mirror]
Frequently Asked Questions
Sample Configurations
Tools - Service Scripts
Blog - New
Links, Press, etc.
Mailing List Archive
Acknowledgments


Honeyd Research

Immunization Against Worms
Understanding Spam
Performance

Honeypot Resources

Honeypot Background
Honeypot Concepts

Honeypot Books


Virtual Honeypots,
Niels Provos and Thorsten Holz

Happy Hacking

Reduce wishlists
Leave a tip with PayPal

Support Honeyd

Search:
Keywords:

Search Amazon

  		 

Re: Help in deciphering config rules.. DATE_IN_FUTURE_03_06,HTML_MESSAGE,USER_IN_DEF_WHITELIST autolearn=no version=2.63

From: Graeme Connell <gconnell_at_middlebury.edu>
Date: 21 Apr 2004 19:55:13 -0000

 ('binary' encoding is not supported, stored as-is)
In-Reply-To: <Pine.LNX.4.56.0404201319590.8723_at_pali.cps.cmich.edu>



>Just got interested in honeyd. I found sample config files


>on www.honeyd.org. I understand the route stuff but have a


>little problem with info like:


>...


>add default udp port 53 "./scripts/dnstool.py"


>add default tcp port 25 "scripts/smtp.pl -n <youremailaddresshere>"


>add default tcp port 80 "./scripts/iis5.net/main.pl"


>...


>


>On first line with add: "./scripts/dnstool.py" -- I assume it is a


>python script. Where does it come from? Do I have to write onea? If so,


>what goes in there (a sample will help)?



The lines you quoted are ports where honeyd sends incoming data to scripts.  Scripts are (I believe) any executable program, although most are just perl, shell, or python scripts.  Incoming data is communicated through STDIN, and outgoing data with STDOUT.  For example, in a simple shell script, the script



  #!/bin/bash


  while read line


  do


     echo $line


  done



will produce output as follows:


(telnet session established by user "username" from directory "dir")



<b>username dir # telnet IPADDR HONEYPORT</b>


Trying 140.233.205.31...


Connected to resnet-d-31.middlebury.edu (140.233.205.31).


Escape character is '^]'.


this is typed in input


this is typed in input


notice how whatever is input is returned


notice how whatever is input is returned


that's because every line read is sent back to STDOUT


that's because every line read is sent back to STDOUT


^]



telnet> close


Connection closed.


<b>username dir #</b>



This is the type of input you'd see if IPADDR was part of honeyd and it's port HONEYPORT was directed to the simple script above.


To create more complex scripts, for instance scripts that log sessions to files, you can use the variables $ipsrc, $ipdst, $sport, and $dport in the honeyd config file as arguments for your scripts.  The syntax to pass the source IP to our simple script on port 23 would be



add default udp port 23 "./simplescript.sh $ipsrc"



A simple redoing of our script can log output to a file based on the ip source:



  #!/bin/bash


  while read line


  do


     echo $line >> /LOGDIR/$1


  done



This will create and append to a seperate filename (the ip address) and record all data passed to port 23 through a session.



Hope this helps,



    Graeme Connell


Received on Thu Apr 22 2004 - 11:58:25 PDT





















Search For Information











Google








 Search WWW  Search www.honeyd.org 



















NB: This is a filtered version of the Honeypots mailing list. Only posts that concern Honeyd are shown here. For more recent discussions visit the forums.

 











Last modified: June 13 2004 02:53:28 AM


Copyright (c) 1999-2004 by Niels Provos

Don't access my pirated music.