This configuration sets up a fake Internet routing topology.
Every host on the network is reachable. We provide a web
server, a pop server and a ssh server. Both the pop and the
ssh server can be used to capture passwords or inject spam
route 18.104.22.168 unreach 22.214.171.124/3
Whenever a packet traverses the router 126.96.36.199 to
reach network 188.8.131.52/3, Honeyd generates an ICMP
network unreachable error message. This feature can be used to create more
realistic network topologies.
set default personality "Linux 2.2.14"
set default default tcp action block
add default udp port 53 "./scripts/dnstool.py"
The default template is used for every packet sent to a destination
address that does not have its own template. We can use this to
populate all addresses in a network with machines, but we can also use
it to block all traffic that goes to a machine without its own
These configuration shows how to build a sample network configuration
step-by-step. It shows features like multiple entry points, GRE tunnels
and integrates physical hosts into the virtual topology.
route entry 172.20.254.1 network 10.3.0.0/16
route 172.20.254.1 link 10.3.2.0/24
route 172.20.254.1 add net 10.3.1.0/24 tunnel 172.20.254.1 172.30.254.1
This example allows Honeyd to send packets destined for the
10.3.1/24 network to be sent to the remote router
172.30.254.1. You need to make sure that router
is correctly configured to terminate the tunnel. Response packets
are received GRE encapsulated by 172.20.254.1 and inserted
into the virtual routing topology.
set sticky personality "Mac OS X 10.1 - 10.1.4"
set sticky default tcp action tarpit open
set sticky default udp action block
bind 192.168.1.110 sticky
This example shows a virtual honeypot simulating an insecure and open
Mac OS X machine. The template is designed to tarpit (slow down)
spammers, worms and autorooters. All ports are open and the
tarpit option ensures that any communication is slowed
More feature explanation and configurations coming soon.